WinRAR - Newsletter 04/2015


From: Julia D. Seymour [email protected]
Subject: WinRAR Newsletter: False WinRAR Security Alerts
Date: 6 October 2015, 09:09
To: jensing@winrar.biz

You are receiving this e-mail because you agreed to it. Unsubscribe instructions are at the bottom of this e-mail.

WinRAR - Newsletter 04/2015
Issue: 05.10.2015

Welcome to the 107th edition of the WinRAR Newsletter! You are receiving this newsletter because you subscribed to it. Instructions on how to unsubscribe are located at the end of this e-mail.

Content:
Intro: False Alert, no patches for WinRAR are needed!

1. Supposed WinRAR SFX vulnerability
2. Supposed WinRAR Web Reminder vulnerability
3. Links for Sharing
4. Join us on Facebook

Dear WinRAR User,

Our organisation and our work on WinRAR have recently become victim of false accusations and exaggerations in unqualified reports globally from authors in several media channels including some reputable media sites. News and alerts are in circulation regarding supposed security threats for WinRAR called "SFX archive vulnerability", "WinRAR zero day exploit", "Mohammad-Reza-Espargham Full Disclosure" or "WinRAR's MS14-064 problem" and falsely claiming to put all WinRAR users in danger.

These reports are simply false alerts and have nothing to do with WinRAR itself, but are merely a replication of problems known to exist on systems that are already vulnerable before WinRAR is being used on those flawed systems. We are currently asking the media and security companies who spread these alerts to correct them quickly.

Some responsible authors and media channels have already corrected their alerts, but it is impossible to reach them all at once and we expect these false news to spread and possibly be accelerated through additional false reports. We would like to especially mention that many of the security sites and magazines appear to be blindly copying information about this issue. Many articles say that "We asked WinRAR to comment" but in fact we received only a few emails from merely a couple of responsible journalists who contacted us themselves.

Should you become aware of such false reports, please help us by sharing the links at the bottom of this newsletter with the authors of such articles and by posting them in the commentary sections of such articles.

1. Supposed WinRAR self-extracting (SFX) vulnerability

As reported by seclists.org/fulldisclosure/2015/Sep/106, it is possible to create SFX archives with a specially crafted HTML text, which -if started as executable- will download and run an arbitrary executable on a user's computer.

The entire attack is based on vulnerabilities in Windows OLE MS14-064 which have already been patched in November 2014. If you have not installed this patch for some reason it is strongly recommended to install it. It is important for the security of your entire system and is not a WinRAR specific issue. Without this patch any software utilizing MS Internet Explorer components including Internet Explorer itself may be vulnerable to specially crafted HTML page allowing code execution.

The WinRAR SFX module displays HTML in its start dialog so it is affected too, like a huge number of other tools. This issue does not create any new risk factors for SFX archives. Being an executable file, SFX archives already can do everything that can be done with this MS14-064 vulnerability. SFX archives can run any local executable or download and run a remotely stored executable utilizing the official SFX module "Setup" command. This feature is required for software installers. Regardless of discussed Windows vulnerability -as for any .exe file- users should run SFX archives only if they are sure that such archive has been received from a trustworthy source.

Read more at:

www.rarlab.com/vuln_sfx_html.htm
www.rarlab.com/vuln_sfx_html2.htm

2. Supposed "WinRAR Web Reminder Vulnerability":

Same internet user R-73eN -who originally reported the above- informed us about his findings regarding the security of the "WinRAR Registration Reminder Window" (also called "Notifier").

The trial version of WinRAR displays a registration reminder window which can include HTML code received through http from our and our partners' trusted sites. According to R-73eN a user's local network needs to be compromised in such way that a malicious man in the middle can modify contents of web pages opened by users. If additionally Microsoft's Internet Explorer is also compromised and contains unpatched security holes like MS14-064, it is then possible for a malicious person to inject a harmful code to the WinRAR registration reminder window.

We consider such hypothetical situation as local network and browser vulnerabilities. If both network and browser are compromised it is enough for a user to open any http page in a browser or in any application utilizing http browser components to be attacked. Users need to install Windows and browser patches regularly to prevent this. We can argue about http vs. https security here, but as long as http protocol is in wide use and not deprecated, its security should be provided on a lower level than applications utilizing http engine provided by the system.

We publish this information to our users in advance of another possible wave of mass media publications. WinRAR may again be blamed for network security issues or system vulnerabilities patched a long time ago. Such problems are neither our fault nor in our power to be fixed and have nothing to do with the software WinRAR itself.

Read more at:

www.rarlab.com/vuln_web_html.htm

IMPORTANT: NO PATCHES FOR WINRAR ARE NEEDED. If you have not installed Windows MS14-064 security update, please do it. It is important for your entire Windows security, not just for WinRAR SFX or WinRAR Web Reminder.

3. Links for sharing:

www.rarlab.com/vuln_sfx_html.htm
www.rarlab.com/vuln_sfx_html2.htm
www.rarlab.com/vuln_web_html.htm
Twitter: #notavulnerability

4. Join us on Facebook:

We would be pleased if you joined our WinRAR community on Facebook:
www.facebook.com/winrar

NEWSLETTER SERVICE
Marienstrasse 12, 10117 Berlin, Germany
newsletter@win-rar.com (mail) www.win-rar.com (web)

win.rar GmbH -the official publisher of RARLAB products- handles all support, marketing and sales related to WinRAR & RARLAB.COM.

Please Note: win.rar GmbH respects your privacy!
Your e-mail address will never be used by any third party, you will NOT get SPAM and you can easily unsubscribe at any time from our newsletter. There is no cost for the WinRAR newsletter, it's completely free.

In order to unsubscribe, click the following link: Unsubscribe