WinRAR SFX code-execution vulnerability: developer says no fix is needed
A high-risk security vulnerability in WinRAR was disclosed last week. An attacker can embed crafted HTML in a WinRAR SFX (self-extracting) module so that arbitrary code is executed when the user opens the resulting executable.
Vulnerability Lab and Malwarebytes rated the vulnerability 9.2 out of 10 and consider it very serious. The latest release, WinRAR 5.21, is also affected, which puts more than 500 million users at risk, so the developer RARLabs was notified immediately.
RARLabs, however, is unconcerned. In an official statement, RARLabs said:
"Malicious attackers can disguise any executable file as a compressed archive and send it to users. This alone makes discussing the SFX file vulnerability pointless. Searching for or fixing this vulnerability in the SFX module is meaningless, because, like any exe file, the SFX file itself is dangerous to your system; you must also make sure that an SFX file comes from a trusted channel before running it. SFX can quietly run any executable file contained in it, which is an official function required for software installation."
In short, RARLabs's position is that any program can be packed into a self-extracting archive and run automatically during extraction; that is by design, not a flaw in SFX itself.
RARLabs further said: "Limiting the HTML functionality in the SFX module would harm legitimate users who need all of its functions, but it cannot stop malicious attackers, who can use an earlier version of the SFX module, a self-made module based on the UnRAR source code, or their own code or executable files. We can only remind users again that when running executable files, whether SFX or not, they must make sure the files come from trusted channels."
So there will be no patch and no fixed release; users bear the risk themselves.
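Since RARLabs leaves the decision to the user, the practical control is to inspect an SFX before running it. The triage script below is an added example, not code from this article or from RARLabs. It assumes only that an SFX is a PE stub followed by a RAR archive (the RAR 4 and RAR 5 signatures it searches for are the real ones), that the SFX script directives it flags (Setup=, Presetup=, Silent=, TempMode, Overwrite=, all documented WinRAR SFX commands) are present in plaintext, and it runs over a constructed sample blob (SAMPLE_SFX) rather than a real archive. WinRAR may store the archive comment compressed, so a clean result here is a heuristic, not proof of safety.

```python
import re

# Real RAR archive signatures: RAR 4.x and RAR 5.x.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# WinRAR SFX script commands that run or silently unpack content.
RISKY_DIRECTIVES = (b"Setup=", b"Presetup=", b"Silent=", b"TempMode", b"Overwrite=")

# HTML tags that are unexpected in an SFX text window and worth a look.
HTML_TAGS = re.compile(rb"<\s*(html|iframe|object|script|embed|meta)\b", re.IGNORECASE)


def find_rar_payload(data: bytes):
    """Return (offset, version) of the earliest RAR signature, or (None, None)."""
    hits = []
    for sig, ver in ((RAR4_SIG, 4), (RAR5_SIG, 5)):
        idx = data.find(sig)
        if idx != -1:
            hits.append((idx, ver))
    return min(hits) if hits else (None, None)


def triage_sfx(data: bytes) -> dict:
    """Heuristic look at an SFX: PE stub, embedded RAR, risky script directives, HTML."""
    report = {
        "is_pe": data[:2] == b"MZ",          # DOS 'MZ' header of the SFX stub
        "rar_offset": None,
        "rar_version": None,
        "directives": [],
        "html_tags": [],
    }
    off, ver = find_rar_payload(data)
    report["rar_offset"], report["rar_version"] = off, ver
    if off is None:
        return report
    payload = data[off:]
    # Plaintext scan only: a compressed comment will not be seen here (assumption/caveat).
    report["directives"] = [d.decode() for d in RISKY_DIRECTIVES if d in payload]
    report["html_tags"] = sorted({m.group(1).decode().lower() for m in HTML_TAGS.finditer(payload)})
    return report


def is_suspicious(report: dict) -> bool:
    """An SFX that both runs something and/or carries HTML deserves manual review."""
    return (report["is_pe"] and report["rar_offset"] is not None
            and bool(report["directives"] or report["html_tags"]))


# Constructed sample: a fake PE stub followed by a RAR 4 signature and a plaintext SFX script.
SAMPLE_SFX = (
    b"MZ" + b"\x90" * 62 + b"\x00" * 2            # minimal fake DOS header (64 bytes)
    + b"SFX stub code...\x00" * 4                 # stand-in for the extractor code
    + RAR4_SIG + b"\x00" * 8
    + b"Title=Installer\r\nSetup=update.exe\r\nSilent=1\r\n"
    + b"Text=<html><iframe src=\"http://example.invalid/x\"></iframe></html>\r\n"
)

# Constructed benign sample: RAR 5 archive with only a title in its script.
SAMPLE_CLEAN = b"MZ" + b"\x00" * 62 + RAR5_SIG + b"\x00" * 8 + b"Title=Docs\r\n"

if __name__ == "__main__":
    for name, blob in (("SAMPLE_SFX", SAMPLE_SFX), ("SAMPLE_CLEAN", SAMPLE_CLEAN)):
        rep = triage_sfx(blob)
        print(name, "suspicious" if is_suspicious(rep) else "no plaintext findings", rep)
```

For a real file, read it in binary mode and pass the bytes to triage_sfx; treat any hit as a reason to open the archive with a non-SFX tool and read the comment before executing anything, and treat no hit as inconclusive rather than safe.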