Stefan Kanthak

**Name of the Vulnerable Software and Affected Versions** Microsoft Printer Metadata Troubleshooter Tool versions prior to the January 5, 2024 update **Description** The issue is related to insufficient input validation in the Microsoft Printer Metadata Troubleshooter Tool, which can allow an attacker to execute arbitrary code. There have been reports of this vulnerability being exploited, with a DLL hijacking vulnerability discovered in the tool. It is estimated that devices that downloaded the tool before January 5, 2024, may be affected. **Recommendations** For versions prior to the January 5, 2024 update, delete the previous version of the Microsoft Printer Metadata Troubleshooter Tool if it was downloaded before January 5, 2024. If the tool was run before the update, no further action is required. As a temporary workaround, consider restricting the use of the tool until the updated version is installed.

**Name of the Vulnerable Software and Affected Versions** Intel(R) Solid State Drive Toolbox(TM) versions prior to 3.4.5 **Description** The issue is related to improper access control, which may allow a privileged user to potentially enable escalation of privilege via local access. **Recommendations** For versions prior to 3.4.5, update to version 3.4.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** InnoSetup Installer (affected versions not specified) **Description** A vulnerability was found in the software, affecting an unknown functionality, which leads to an uncontrolled search path. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below **Description** The issue may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed. An attack vector similar to a previously identified vulnerability was discovered and resolved in a later version of the tool. **Recommendations** For versions 1.62.0.1218 and below, update to version 1.62.0.1228 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Malwarebytes AdwCleaner versions prior to 8.0.1 **Description** The issue is related to an Untrusted Search Path vulnerability, which could lead to arbitrary code execution with SYSTEM privileges when a malicious DLL library is loaded by the product. **Recommendations** For versions prior to 8.0.1, update to version 8.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iCloud for Windows versions prior to 7.11 **Description** A race condition existed during the installation of iCloud for Windows, which could result in arbitrary code execution if the iCloud installer is run in an untrusted directory. This issue was addressed with improved state handling. **Recommendations** For versions prior to 7.11, update to version 7.11 to resolve the issue. As a temporary workaround, consider avoiding the installation of iCloud for Windows in untrusted directories until the update is applied.

**Name of the Vulnerable Software and Affected Versions** iCloud for Windows versions prior to 7.11 **Description** A race condition existed during the installation of iTunes for Windows, which could result in arbitrary code execution if the iTunes installer is run in an untrusted directory. This issue was addressed with improved state handling. **Recommendations** For versions prior to 7.11, update to iCloud for Windows version 7.11 to resolve the issue. As a temporary workaround, consider avoiding the installation of iTunes in untrusted directories until the update is applied.

Name of the Vulnerable Software and Affected Versions: Akeo Consulting Rufus versions 3.0 and earlier Description: The issue concerns insecure permissions, allowing for arbitrary code execution with escalation of privilege. This affects the executable installer and all portable executables. The attack vector involves CWE-29, CWE-377, and CWE-379, which relate to path traversal and permission issues. Recommendations: For versions 3.0 and earlier, update to a version that addresses the insecure permissions issue to prevent arbitrary code execution and privilege escalation. As a temporary workaround, consider restricting access to the executable installer and portable executables to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Akeo Consulting Rufus versions 3.0 and earlier Description: The issue affects executable installers and portable executables, allowing for DLL search order hijacking. This can lead to arbitrary code execution with escalation of privilege. The attack vector involves CAPEC-471, CWE-426, and CWE-427. Recommendations: For Akeo Consulting Rufus versions 3.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel Rapid Store Technology (RST) versions prior to 16.7 **Description** The issue is related to insufficient input validation in the installer, which may allow an unprivileged user to potentially elevate privileges or cause an installer denial of service via local access. This could lead to arbitrary code execution with escalation of privilege via the Intel Rapid Storage Technology User Interface and Driver. **Recommendations** For versions prior to 16.7, update to version 16.7 or later to resolve the issue. As a temporary workaround, consider restricting local access to the installer to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QNAP Qsync for Windows version 4.2.2.0724 and earlier **Description** A DLL Hijacking issue could allow remote attackers to execute arbitrary code on Windows machines. **Recommendations** For QNAP Qsync for Windows version 4.2.2.0724 and earlier, update to a version later than 4.2.2.0724 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TrueCrypt versions 7.1a through 7.2 VeraCrypt versions prior to 1.17-BETA **Description** The issue allows local users to execute arbitrary code with administrator privileges and conduct DLL hijacking attacks via a Trojan horse DLL in the application directory. This can be demonstrated with the USP10.dll, RichEd20.dll, NTMarta.dll, and SRClient.dll DLLs. **Recommendations** For TrueCrypt versions 7.1a through 7.2, consider updating to a version outside of this range to mitigate the risk. For VeraCrypt versions prior to 1.17-BETA, update to version 1.17-BETA or later. As a temporary workaround, consider restricting access to the application directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple iTunes versions prior to 12.4 **Description** The issue is related to an untrusted search path vulnerability in the installer. This vulnerability can be exploited by a local user to gain privileges via a Trojan horse DLL in the current working directory. **Recommendations** For Apple iTunes versions prior to 12.4, update to version 12.4 or later to resolve the issue. As a temporary workaround, consider restricting the execution of DLLs from untrusted sources in the current working directory until a patch is applied. Avoid using the installer in potentially compromised environments to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Adobe Flash Player versions prior to 18.0.0.343 Adobe Flash Player versions 19.x through 21.x prior to 21.0.0.213 on Windows and OS X Adobe Flash Player versions prior to 11.2.202.616 on Linux **Description** The issue is related to an untrusted search path vulnerability in Adobe Flash Player. This vulnerability allows local users to gain privileges via a Trojan horse resource in an unspecified directory. The exploitation of this vulnerability can enable a local attacker to elevate their privileges. **Recommendations** For versions prior to 18.0.0.343, update to version 18.0.0.343 or later. For versions 19.x through 21.x, update to version 21.0.0.213 or later on Windows and OS X. For versions prior to 11.2.202.616 on Linux, update to version 11.2.202.616 or later. As a temporary workaround, consider restricting access to the vulnerable Adobe Flash Player component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Java SE versions 6u111, 7u95, 8u71, and 8u72 **Description** The issue allows remote attackers to affect confidentiality, integrity, and availability. It is related to the installation process and may involve an untrusted search path that allows local users to gain privileges via a Trojan horse dll in the application directory. The vulnerability can also be exploited to download arbitrary files by sending a link to them during application installation. **Recommendations** For Java SE versions 6u111, 7u95, 8u71, and 8u72, consider disabling the installation functionality related to the vulnerable component until a patch is available. Restrict access to the application directory to minimize the risk of exploitation. Avoid using the application directory for installing applications from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox versions prior to 5.0.14 **Description** The issue affects confidentiality, integrity, and availability. It is related to unknown vectors and the Windows Installer. There are claims that this could be an untrusted search path issue, potentially allowing local users to gain privileges via a Trojan horse dll in the application directory. **Recommendations** For versions prior to 5.0.14, update to version 5.0.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the application directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions XP SP2 through XP SP3 Microsoft Windows Server versions 2003 SP2 through 2008 SP2 and 2008 R2 SP1 Microsoft Windows versions Vista SP2 through 8.1 Microsoft Windows Server versions 2012 through 2012 R2 Microsoft Windows RT versions Gold through 8.1 **Description** The issue allows local users to gain privileges via a Trojan horse cmd.exe file in the current working directory. This can be demonstrated by a directory that contains a .bat or .cmd file. The vulnerability is related to the handling of .bat and .cmd files launched from an external network, which can be exploited to gain full control over the system. This allows an attacker to install programs, view, modify, or delete data, and create new accounts with full user rights. Users with limited system rights are less exposed to this issue than users working with administrator rights. **Recommendations** For Microsoft Windows XP SP2 and SP3, consider disabling the execution of .bat and .cmd files from external sources until a fix is available. For Microsoft Windows Server 2003 SP2, restrict access to the cmd.exe file to minimize the risk of exploitation. For Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1, avoid using .bat and .cmd files from untrusted sources. For Microsoft Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, apply configuration changes to limit the execution of external .bat and .cmd files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Visual Studio .NET 2003 SP1 Microsoft Visual Studio 2005 SP1 Microsoft Visual Studio 2008 SP1 Microsoft Visual Studio 2010 Microsoft Visual C++ 2005 SP1 Microsoft Visual C++ 2008 SP1 Microsoft Visual C++ 2010 Microsoft Exchange Server 2010 Service Pack 3 Microsoft Exchange Server 2013 **Description** The issue is related to an untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library, which allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application. This can be demonstrated by a directory that contains a TRC, cur, rs, rct, or res file. A remote code execution vulnerability also exists in the way that certain applications built with Microsoft Foundation Classes (MFC) handle the loading of DLL files, potentially allowing an attacker to take complete control of an affected system. **Recommendations** For Microsoft Visual Studio .NET 2003 SP1, consider disabling the execution of MFC applications until a patch is available. For Microsoft Visual Studio 2005 SP1, 2008 SP1, and 2010, restrict access to the MFC Library to minimize the risk of exploitation. For Microsoft Visual C++ 2005 SP1, 2008 SP1, and 2010, avoid using the `dwmapi.dll` file in the current working directory until the issue is resolved. For Microsoft Exchange Server 2010 Service Pack 3 and 2013, restrict access to the MFC Library and consider disabling the execution of MFC applications until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 **Description** The issue is related to errors in processing files with .LNK (or .PIF) extensions. Exploitation of this issue can allow a remote attacker to execute arbitrary code using a specially crafted .LNK (or .PIF) file. This can occur when Windows Explorer improperly handles icon display for such files. The issue has been demonstrated in the wild and was originally reported for malware leveraging vulnerabilities in Siemens WinCC SCADA systems. An estimated number of affected devices is not provided, but the issue has been observed in real-world incidents. Technical details include the exploitation of `Windows Shell` in Microsoft Windows, where a crafted (1) `.LNK` or (2) `.PIF` shortcut file is not properly handled during icon display. **Recommendations** For Microsoft Windows versions XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7, apply the update that addresses the vulnerability previously discussed in Microsoft Security Advisory 2286198 to prevent arbitrary code execution when the operating system displays the icon of a malicious shortcut file. As a temporary workaround, consider restricting access to `.LNK` and `.PIF` files to minimize the risk of exploitation until a patch is available.

Name of the Vulnerable Software and Affected Versions: Clam AntiVirus (ClamAV) versions prior to 0.86.1 Description: The issue allows remote attackers to cause a denial of service, resulting in an application crash, by providing a crafted Quantum archive. Recommendations: For versions prior to 0.86.1, update to version 0.86.1 or later to resolve the issue.