An unpatched, critical remote code execution flaw within WinRAR's SFX archive features has been disclosed by a researcher.
WinRAR, available for Windows users, is an unzipping tool able to decompress .ZIP, .RAR and .7Z files, among others.
However, a security flaw which reportedly allows for remote code execution has been discovered in WinRAR SFX version 5.21.
Iranian researcher Mohammad Reza Espargham posted his findings on Full Disclosure. Granted a CVSS score of 7.4, the vulnerability could allow hackers to remotely execute system code and compromise victim machines, leading to control, surveillance and potentially data theft. A CVE score is yet to be issued.
Well, SFX archives can already be used for non-legitimate purposes, but refusing to accept a vulnerability in it is something else.