Hi @ll,

1Password-4.6.1.619.exe, available from is vulnerable to DLL hijacking: it loads UXTheme.dll or DWMAPI.dll from its "application directory" instead of Windows' "system directory".

For downloaded applications like 1Password-4.6.1.619.exe the "application directory" is Windows' "Downloads" folder. See and plus , , and for more information.

See , , , and for this well-known beginner's error.

If one of the DLLs named above is placed in the user's "Downloads" directory (for example per "drive-by download") this vulnerability becomes a remote code execution.

JFTR: there is ABSOLUTELY no need for executable installers on Windows! DUMP THIS CRAP!

Additionally the installer creates an unsafe temporary directory "%TEMP%\is-*.tmp\" where it extracts some parts of itself and executes them.

See and for this well-known beginner's error.

Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!
  Don't use self-extractors! NEVER!
  See and plus alias for more information.

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of every "%USERPROFILE%"; use to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories".

* Use SAFER alias Software Restriction Policies or AppLocker to enforce W^X alias "write Xor execute" in the NTFS file system: allow execution only below %SystemRoot% and %ProgramFiles% and deny it everywhere else.
  See or alias for more information.

stay tuned (and far away from such crap)
Stefan Kanthak

Timeline:
~~~~~~~~~

2017-03-21    vulnerability report sent to vendor

2017-03-23    reply from vendor
              "WON'T FIX: this does not attack 1Password data but the target system itself, and is an issue with low risk, an issue that has existing mitigations in place, or is an accepted business risk for the customer."

2017-04-07    report published
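
Added example, not part of the original advisory: a small decoder for the ACE string given under Mitigations, showing why the SDDL rights token WP (access mask bit 0x20) denies execution when the object is a file. The token tables are a partial subset chosen for this example, and decode_ace and pairs are names introduced here.

```python
# Added example (not from the advisory); tables cover only a subset of SDDL tokens.
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_FLAGS = {
    "OI": "OBJECT_INHERIT (inherited by files)",
    "CI": "CONTAINER_INHERIT (inherited by subdirectories)",
    "IO": "INHERIT_ONLY (not applied to the directory itself)",
}
# Two-letter rights carry directory-service names; only the mask bit matters.
RIGHT_BITS = {"CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10,
              "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
# The same bits under their file-system names (file variant where both exist).
FILE_BITS = {0x01: "FILE_READ_DATA", 0x02: "FILE_WRITE_DATA",
             0x04: "FILE_APPEND_DATA", 0x08: "FILE_READ_EA",
             0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
             0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
             0x100: "FILE_WRITE_ATTRIBUTES"}
SIDS = {"WD": "Everyone", "BA": "BUILTIN\\Administrators",
        "SY": "NT AUTHORITY\\SYSTEM", "BU": "BUILTIN\\Users"}


def pairs(run):
    """Split a run of two-letter tokens: 'OIIO' -> ['OI', 'IO']."""
    if len(run) % 2:
        raise ValueError(f"odd-length token run: {run!r}")
    return [run[i:i + 2] for i in range(0, len(run), 2)]


def decode_ace(ace):
    """Decode '(type;flags;rights;object_guid;inherit_guid;sid)'."""
    fields = ace.strip().strip("()").split(";")
    if len(fields) != 6:
        raise ValueError("an ACE string has six ';'-separated fields")
    kind, flags, rights, _obj, _inh, sid = fields
    try:
        mask = 0
        for token in pairs(rights):
            mask |= RIGHT_BITS[token]
        return {
            "type": ACE_TYPES[kind],
            "flags": [ACE_FLAGS[f] for f in pairs(flags)],
            "mask": mask,
            "file_rights": [n for b, n in FILE_BITS.items() if mask & b],
            "trustee": SIDS[sid],
        }
    except KeyError as exc:
        raise ValueError(f"token {exc} is not in this example's tables") from None


if __name__ == "__main__":
    print(decode_ace("(D;OIIO;WP;;;WD)"))
```

Because the ACE carries OI and IO but not CI, it is not applied to the directory itself, only to the files that inherit it.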