Hi @ll,

the executable installers for .NET Framework 4.7 (released about 2 months ago)

* NDP47-KB3186500-Web.exe, Microsoft .NET Framework 4.7 (Web Installer) for Windows 7 SP1 etc., available from ,
* NDP47-KB3186497-x86-x64-AllOS-ENU.exe, Microsoft .NET Framework 4.7 (Offline Installer) for Windows 7 SP1 etc., available from ,
* NDP47-KB3186497-x86-x64-AllOS-DEU.exe, Microsoft .NET Framework 4.7 Sprachpaket (Offlineinstaller) für Windows 7 SP1 etc., available from ,
* NDP47-DevPack-KB3186612-ENU.exe, Microsoft .NET Framework 4.7 Developer Pack and Language Packs for Windows 7 SP1 etc., available from ,

are vulnerable: they allow arbitrary code execution via DLL hijacking, resulting in escalation of privilege.

On a fully patched Windows 7 SP1 (which has a market share around 50%), NDP47-KB3186500-Web.exe, NDP47-KB3186497-x86-x64-AllOS-ENU.exe and ALL language packs NDP47-KB3186497-x86-x64-AllOS-???.exe load at least the following DLLs from their application directory (typically %USERPROFILE%\Downloads\) instead of Windows' system directory %SystemRoot%\System32\ and execute their DllMain() routine:

Cabinet.dll, Version.dll, CryptDll.dll, CryptSP.dll, NTMARTA.dll, UXTheme.dll, DWMAPI.dll

NDP47-DevPack-KB3186612-ENU.exe loads at least the following DLLs from its application directory (typically %USERPROFILE%\Downloads\) instead of Windows' system directory %SystemRoot%\System32\ and executes their DllMain() routine:

Cabinet.dll, MSI.dll, Version.dll, SPP.dll, VSSAPI.dll, ATL.dll, VSSTrace.dll, NTMARTA.dll, UXTheme.dll, DWMAPI.dll, CryptSP.dll, RPCRTRemote.dll

See , , , and for this well-known beginner's error.
See , , and for more information.

JFTR: it's a shame that these installers, built 2017-04-22, still show this 20+ year old beginner's error!

For NDP47-KB3186500-Web.exe and NDP47-KB3186497-x86-x64-AllOS-???.exe this results in escalation of privilege thanks to their embedded application manifest, which specifies "requireAdministrator".
NDP47-DevPack-KB3186612-ENU.exe achieves the escalation of privilege with a call of itself via "RunAs".

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. download and save it as UXTheme.dll in your "Downloads" directory;
2. copy the downloaded UXTheme.dll as Version.dll, Cabinet.dll etc. (see the list of DLL names above);
3. download , , , ..., , and save them in your "Downloads" directory;
4. run the downloaded NDP47-*.exe and notice the message boxes displayed from the DLLs: PWNED!

Mitigation & detection:
~~~~~~~~~~~~~~~~~~~~~~~

* NEVER run executable installers from your "Downloads" directory;
* dump/avoid executable installers, use *.MSI instead!
* stay FAR away from software written by sloppy coders who don't know their target platform, and ignore their own company's guidelines/recommendations!
* see , and
* also see and
* dump .NET Framework altogether!

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2017-06-13 vulnerability report sent to vendor
2017-06-13 reply from vendor: "MSRC case 39179 opened"
2017-06-21 reply from vendor: "We have investigated the issue and determined it does not warrant an explicit fix for down level products. [...] Loading binaries from the application directory is a by design functionality of the Windows library search order process."
2017-06-21 OUCH! The "application directory" can be removed from the library search path since Windows Vista and the update KB2533623! See or . Which DLLs do the installers need or expect to load from their "application directory"?
2017-06-28 no reply from vendor since 7 days, report published
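As an added detection check (example code written for this page, not part of the original post): before running one of the NDP47-*.exe installers, scan the directory it sits in for DLLs with the names listed above, since any such DLL would be loaded in place of the copy in %SystemRoot%\System32\. The script also reports each DLL's Authenticode signer to help triage; the directory parameter defaults to the user's Downloads folder, which is an assumption.

```powershell
# Added example, not from the advisory: list DLLs that an NDP47-*.exe
# installer would load from this directory instead of System32.
param(
    # Assumed default; pass another path to check a different installer location.
    [string]$Directory = (Join-Path $env:USERPROFILE 'Downloads')
)

# Union of the DLL names named in the advisory for both installer kinds.
$HijackableNames = @(
    'Cabinet.dll', 'Version.dll', 'CryptDll.dll', 'CryptSP.dll', 'NTMARTA.dll',
    'UXTheme.dll', 'DWMAPI.dll', 'MSI.dll', 'SPP.dll', 'VSSAPI.dll', 'ATL.dll',
    'VSSTrace.dll', 'RPCRTRemote.dll'
)

# Installers present in the same directory (the "application directory").
$installers = Get-ChildItem -Path $Directory -Filter 'NDP47-*.exe' -File -ErrorAction SilentlyContinue

$planted = foreach ($name in $HijackableNames) {
    $path = Join-Path $Directory $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Signature status is triage information only: even a validly signed
        # DLL in this directory is still loaded ahead of the System32 copy.
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            Dll    = $name
            Status = $sig.Status
            Signer = $signer
            Path   = $path
        }
    }
}

if (-not $planted) {
    "No DLL from the advisory's list found in $Directory."
} else {
    if ($installers) {
        "Installers in ${Directory}: $($installers.Name -join ', ')"
    }
    $planted | Format-Table Dll, Status, Signer -AutoSize
    foreach ($p in $planted) {
        Write-Warning ("{0} would be loaded by an installer run from {1}; remove it, " +
                       "or move the installer to an empty directory, before running it.") -f $p.Dll, $Directory
    }
}
```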