CVE-2018-10190

Name of the Vulnerable Software and Affected Versions: London Trust Media Private Internet Access (PIA) VPN Client version v77

Description: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client could allow an unauthenticated, local attacker to run executable files with elevated privileges due to insufficient implementation of access controls. The Changelog and Help options from the system tray context menu spawn an elevated instance of the user's default web browser. An attacker could exploit this by selecting Run as Administrator from the context menu of an executable file within the file browser of the spawned default web browser, potentially allowing the execution of privileged commands on the targeted system.

Recommendations: For London Trust Media Private Internet Access (PIA) VPN Client version v77, consider disabling the Changelog and Help options from the system tray context menu as a temporary workaround until a patch is available. Restrict access to the default web browser's file browser to minimize the risk of exploitation. Avoid using the Run as Administrator option from the context menu of executable files within the spawned default web browser until the issue is resolved.