Hi @ll,

the executable installers of WinRAR 5.30 and earlier versions as well as ALL self-extracting archives created with them load and execute UXTheme.dll, RichEd32.dll and RichEd20.dll from their "application directory".

For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see , and for "prior art" about this well-known and well-documented vulnerability.

If an attacker places the DLLs named above in the user's "Downloads" directory (for example via drive-by download or social engineering) this vulnerability becomes a remote code execution.

Due to the application manifest embedded in the executable installer, which specifies "requireAdministrator", it is run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator password); execution of the DLLs therefore results in an escalation of privilege!

See and plus for more details.

RARLabs published WinRAR 5.31 on 2016-02-04:

stay tuned
Stefan Kanthak
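
A defender-side check for the condition described above, as an added example that is not part of the original post: it looks in a single directory for files carrying the three DLL names from the advisory and lists the executables that share that directory. The function names and the default "Downloads" location are assumptions made for this example.

```python
import hashlib
import os
from pathlib import Path

# DLL names from the advisory; Windows file names are case-insensitive.
HIJACKABLE_DLLS = {"uxtheme.dll", "riched32.dll", "riched20.dll"}


def find_planted_dlls(directory):
    """Scan one directory (non-recursive, like the loader's application-directory
    lookup) and return (dlls, executables).

    dlls: sorted (file name, SHA-256) pairs for files named like the advisory's DLLs.
    executables: sorted *.exe names that share the directory with them.
    """
    dlls, executables = [], []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue  # a folder that merely has a DLL-like name is not loadable
        name = entry.name.lower()
        if name in HIJACKABLE_DLLS:
            digest = hashlib.sha256(Path(entry.path).read_bytes()).hexdigest()
            dlls.append((entry.name, digest))
        elif name.endswith(".exe"):
            executables.append(entry.name)
    return sorted(dlls), sorted(executables)


def audit(directory):
    """Summarise the scan; at_risk is True when any listed DLL is present."""
    dlls, executables = find_planted_dlls(directory)
    return {"directory": str(directory), "dlls": dlls,
            "executables": executables, "at_risk": bool(dlls)}


if __name__ == "__main__":
    # Assumption: downloads are saved to the per-user "Downloads" folder.
    downloads = Path.home() / "Downloads"
    if downloads.is_dir():
        report = audit(downloads)
        for name, digest in report["dlls"]:
            print(f"suspicious: {name} sha256={digest}")
        if report["at_risk"]:
            print("executables in the same directory:", report["executables"])
```

The SHA-256 values give a responder something to compare against the copies in the Windows system directory before deleting anything.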