A vulnerability found in the latest stable version of WinRAR, a file archiving software tool, could pose a security risk for people who create and use self-extracting (SFX) executables.
In a recent report by Vulnerability Lab, a vulnerability research company, a code execution bug was discovered in the official version of WinRAR SFX 5.21, which allows attackers to compromise a system remotely.
The attackers can inject malicious HTML code into a self-extracting executable, which then results in system takeover when the targets try to open the archived file. The vulnerability requires initial user action and it also requires for the account to be an unprivileged one (Administrator) and without any other restrictions (UAC). However, it likely wouldn't matter if UAC and a limited account were being used, because if the users intend to open the file, then they would just click to bypass those restrictions; unless of course the PC users don't know the Administrator passwords on their PCs, which could be the case in enterprise environments.
The way Windows security works (for legacy programs) is that if a user wants to open or install something, then that file would essentially get access to the whole system anyway, and it's not further restricted in a significant way besides the initial UAC/Administrator prompt. That's why after the initial opening of the file by the user, the malicious HTML code embedded into the SFX archive can download an executable from the Internet, as shown in a proof of concept by the Vulnerability Lab, and then run on the system without any other action from the user.
Users are recommended to be careful when opening self-extracting WinRAR files, especially if they're using WinRAR 5.21 to do it, and they should update to the newest version as soon as a patch is made available.
The makers of WinRAR have also responded, essentially saying that because of how Windows security and executables work, it would be just as easy to embed a malicious file within a self-extracting archive and send it to unsuspecting targets.
"User is not able to easily verify if executable part is a genuine WinRAR SFX module or some other code, so any malicious code can be included immediately to executable module of SFX archive. Malicious hacker can take any executable, prepend it to archive and distribute to users. This fact alone makes discussing vulnerabilities in SFX archives useless," according to the description in WinRAR's response.