We are thankful to Jacob Thompson - Mandiant Advantage Labs for reporting this issue.Ģ. We already prohibited extracting contents of such malformed archives in WinRAR 6.01. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body.
ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature.