Executable files are potentially dangerous by design. Run them only
if they are received from a trustworthy source. WinRAR self-extracting (SFX)
archives are no more and no less dangerous than other exe files.

As reported by http://seclists.org/fulldisclosure/2015/Sep/106,
it is possible to create an SFX archive with specially crafted HTML text
which, if started as an executable, will download and run an arbitrary
executable on the user's computer. Extracting such an SFX archive with WinRAR
is still safe. Let's see if it creates any additional risks for users.

A WinRAR self-extracting archive is an executable file.
A user cannot easily verify whether the executable part is a genuine
WinRAR SFX module or some other code, so any malicious code can be included
directly in the executable module of an SFX archive. A malicious hacker can take
any executable, prepend it to an archive and distribute it to users.
This fact alone makes discussing vulnerabilities in SFX archives useless.

Also, the SFX module provides an official, documented function
to run any executable file contained in an SFX archive on the user's computer,
so there is no need to implement hackish ways to achieve
the same. This can be done with the "Setup" script command
or its "Setup program/Run after extraction" WinRAR GUI equivalent.
The "Silent" script command or its "Silent mode/Hide start dialog"
WinRAR GUI equivalent allows the start dialog to be skipped, so an archived
executable will be started immediately, without user intervention.
The "Overwrite" script command helps to avoid the overwrite prompt in case
an extracted file already exists. The "Path" command specifies the name of a folder
in "Program Files" in which to store unpacked files.
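
For triage, an archive comment can be checked for the script commands named above. The following is an added example, not WinRAR code or part of the original statement; it assumes the comment text has already been extracted from the archive, and the sample comment with its file and folder names is constructed.

```python
import re

# Script commands named in the text above. Values are reported verbatim,
# not interpreted; see the WinRAR documentation for their exact meaning.
_CMD = re.compile(
    r"^\s*(Setup|Silent|Overwrite|Path)\b\s*(?:=\s*(.*?))?\s*$",
    re.IGNORECASE,
)

def parse_sfx_script(comment):
    """Return {command: [values]} for the four commands found in the text."""
    found = {}
    for line in comment.splitlines():
        m = _CMD.match(line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2) or "")
    return found

def triage(comment):
    """Summarise what the script asks the SFX module to do on launch."""
    cmds = parse_sfx_script(comment)
    runs = cmds.get("setup", [])
    return {
        "runs_program": runs,
        "silent": cmds.get("silent", []),
        "overwrite": cmds.get("overwrite", []),
        "destination": cmds.get("path", []),
        # Setup together with Silent: a bundled program is started
        # without the start dialog being shown to the user.
        "unattended_execution": bool(runs) and "silent" in cmds,
    }

# Constructed sample comment (hypothetical file and folder names).
SAMPLE = """\
;constructed sample for this example
Path=ExampleApp
Setup=example_installer.exe
Silent=1
Overwrite=1
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A clean result says nothing about the executable part itself, which, as noted above, may not be a genuine WinRAR SFX module.
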

It is useless to search for supposed vulnerabilities
in the SFX module or to fix such vulnerabilities, because, like
any exe file, an SFX archive is potentially dangerous for the user's
computer by design. As with any exe file, users must run
SFX archives only if they are sure that such an archive was received
from a trustworthy source. An SFX archive can silently run any exe file
contained in the archive, and this is an official feature needed
for software installers.

In other words, instead of the complicated proof of concept video
mentioned in the report linked above, it would be simpler to place
putty.exe into a RAR SFX archive and add the following commands to the archive comment:

If downloading from the Internet is preferred, a tool to download and run
an executable from the net can also be specified in the "Setup" command.

Taking all this into account, we can say that limiting the SFX module's
HTML functionality would hurt only those legitimate users who need
all HTML features, while posing absolutely no obstacle to a malicious
person, who can use SFX modules from previous versions, custom modules built
from UnRAR source code, their own code or archived executables
for their purpose. We can only remind users once again to run exe files,
either SFX archives or not, only if they are received from a trustworthy