If you are one of WinRAR's 500 million users worldwide, we urge you to pay extra attention. Security researcher Mohammad Reza Espargham has disclosed a zero-day flaw, deemed critical, in the latest version of the file compression software (5.21). It allows arbitrary malicious code to be executed remotely.
This vulnerability applies only to self-extracting archives, known as SFX. When creating such an archive, you can insert HTML code in the field "SFX -> Advanced SFX options... -> Text and icon -> Text to be displayed in the SFX window". This code is executed automatically when the user clicks on the archive. A malicious person could use this flaw to make the user's machine download and execute malicious code automatically, without the user noticing. Here's a video demonstration.
However, this demonstration has left the WinRAR developers completely unmoved. They consider a self-extracting archive to be first and foremost an executable, and therefore a risky file by nature. Moreover, they explain that the official WinRAR commands already make it possible to embed any executable in an archive and have it run automatically, in the background, during extraction. It is even possible to download an executable from the web.
An attacker could therefore already distribute booby-trapped archives over the internet without the user realizing it, and without needing any HTML code. The developers advise users to "run .exe files, whether SFX archives or not, only if they come from a reliable source". This suggests they do not intend to patch the flaw discovered by Mr. Espargham. In any case, it is good to know that WinRAR SFX archives are "vulnerable by design".
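Following the developers' point that an SFX archive is an executable first, a mail or download filter can identify such files and handle them as executables. The sketch below is an added example, not code from the article or from WinRAR: it flags a file that starts with a PE header and carries a RAR signature further in. The function names and the 2 MiB scan window are assumptions, and the sample inputs are constructed.

```python
import sys

RAR4_MARKER = b"Rar!\x1a\x07\x00"      # RAR 1.5-4.x archive signature
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"  # RAR 5.0 archive signature
SCAN_LIMIT = 2 * 1024 * 1024           # assumption: the SFX stub is under 2 MiB


def classify(data: bytes) -> dict:
    """Classify a file by its PE header and the position of any RAR signature."""
    window = data[:SCAN_LIMIT + len(RAR5_MARKER)]
    hits = []
    for marker, fmt in ((RAR4_MARKER, "RAR4"), (RAR5_MARKER, "RAR5")):
        offset = window.find(marker)
        if offset >= 0:
            hits.append((offset, fmt))
    is_pe = data[:2] == b"MZ"
    if not hits:
        return {"kind": "pe-executable" if is_pe else "other",
                "offset": None, "format": None}
    offset, fmt = min(hits)  # earliest signature is where the archive starts
    if offset == 0:
        kind = "rar-archive"   # plain archive, not itself an executable
    elif is_pe:
        kind = "rar-sfx"       # executable stub followed by an archive
    else:
        kind = "embedded-rar"  # archive appended to a non-PE file
    return {"kind": kind, "offset": offset, "format": fmt}


def classify_file(path: str) -> dict:
    """Read only the scan window from disk and classify it."""
    with open(path, "rb") as handle:
        return classify(handle.read(SCAN_LIMIT + len(RAR5_MARKER)))


# Constructed sample inputs (header bytes only, not real archives).
SAMPLE_SFX = b"MZ" + b"\x00" * 510 + RAR5_MARKER + b"\x00" * 16
SAMPLE_RAR = RAR4_MARKER + b"\x00" * 16
SAMPLE_EXE = b"MZ" + b"\x00" * 510

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, classify_file(name))
```

A result of `rar-sfx` only says the file is a self-extracting archive; it does not say whether the archive's SFX text or setup commands are malicious, so the file still needs the same handling as any untrusted `.exe`.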
Source:
Description of the flaw, WinRAR's comment
Gilbert Kallenborn
Reporter