> Instead of bailing out, ShellExecute proceeds to call “shell32!ApplyDefaultExts” which iterates through all files in a directory, finding and executing the first file with an extension matching any of the hardcoded ones: “.pif, .com, .exe, .bat, .lnk, .cmd”.

So the vulnerability is not in WinRAR, but rather in the ShellExecute Windows code that desperately tries to find something else to run when asked to execute a file that does not exist.
As my security officer says at $dayJob, "having a security hole there for thirty years does not make it somehow less of a security hole".
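
A pre-launch guard for the behaviour quoted above, as an added example that is not part of the original comment or of any project's code: it refuses to hand a path to the shell unless it is an existing regular file, and lists the files in the same directory that carry the quoted extensions. The function names and sample file names are hypothetical, and because the page gives no matching rule beyond the extension list, every such file is treated as a possible fallback.

```python
import os
import tempfile

# Extensions quoted in the post as hardcoded in shell32!ApplyDefaultExts.
DEFAULT_EXTS = (".pif", ".com", ".exe", ".bat", ".lnk", ".cmd")


def fallback_candidates(directory):
    """Files in `directory` carrying one of the quoted extensions.

    Assumption: the page gives no matching rule beyond the extension list,
    so every such file is conservatively treated as a possible fallback.
    """
    try:
        names = sorted(os.listdir(directory))
    except OSError:
        return []
    return [n for n in names
            if os.path.isfile(os.path.join(directory, n))
            and os.path.splitext(n)[1].lower() in DEFAULT_EXTS]


def check_before_open(path):
    """Return (ok, reason, candidates) for a path about to be shell-opened.

    ok is True only when `path` is an existing regular file, so the
    launcher never asks the shell to run something that is absent.
    """
    if os.path.isfile(path):
        return True, "regular file", []
    directory = os.path.dirname(os.path.abspath(path))
    reason = "is a directory" if os.path.isdir(path) else "does not exist"
    return False, reason, fallback_candidates(directory)


def demo():
    # Constructed sample layout: a document name that is missing on disk,
    # next to a script that has one of the quoted extensions.
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "helper.cmd"):
            with open(os.path.join(d, name), "w") as f:
                f.write("")
        missing = check_before_open(os.path.join(d, "report.pdf"))
        present = check_before_open(os.path.join(d, "notes.txt"))
        return missing, present


if __name__ == "__main__":
    print(demo())
```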