Hi @ll,

Kaspersky's Privacy Cleaner, CleanerSetup.exe, previously available from
or has the usual vulnerabilities which almost all executable installers
exhibit, plus some more:

#0: download over insecure channel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Both web pages initiated the download of CleanerSetup.exe via from over
an insecure channel: a MITM could easily intercept the connection and
send arbitrary executables to the unsuspecting downloaders, spoof the
DNS for the download server, ...

CAVEAT: several cheapskate sites like cnet.com still offer
        CleanerSetup.exe for download!

not only hosted CleanerSetup.exe, but the installation package
cleaner.msi too, which CleanerSetup.exe downloaded (see #3 below).

#1: arbitrary (remote) code execution WITH escalation of privilege
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On a fully patched Windows 7 SP1 CleanerSetup.exe loads and executes the
following Windows system DLLs from its "application directory" instead
of Windows' "system directory" %SystemRoot%\System32\:

  MSImg32.dll, UXTheme.dll, Version.dll, RichEd20.dll, MSI.dll,
  Secur32.dll, SLC.dll, IPHlpAPI.dll, WinNSI.dll,
  API-ms-win-downlevel-shlwapi-l2-1-0.dll, RASAPI32.dll, RASMan.dll,
  RTUtils.dll, CryptSP.dll, RPCRTRemote.dll, DNSAPI.dll, DHCPSvc.dll,
  DHCPSvc6.dll, RASADHlp.dll, BCrypt.dll, PropSys.dll, NetUtils.dll,
  SrvCli.dll, WksCli.dll, MSIHnd.dll

On other versions of Windows this list changes, but CleanerSetup.exe
always loads and executes some DLLs from the "application directory".

This weakness is well-known and well-documented: see and plus .
See , and for mitigations of this beginner's error.

For software downloaded with a web browser the "application directory"
is typically the user's "Downloads" directory: see , and

If an attacker places one of the DLLs named above in the user's
"Downloads" directory (for example per drive-by download, social
engineering, ...) this vulnerability becomes a remote code execution
WITH escalation of privilege. Thanks to the embedded application
manifest of the vulnerable installer which specifies
"requireAdministrator" the DLLs' entry points are called with
administrative rights: PWNED!

#2: unsafe %TEMP% directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~

CleanerSetup.exe creates a subdirectory in %TEMP% where it downloads
"cleaner.msi" to. This subdirectory inherits the access rights from its
parent %TEMP%, so an unprivileged attacker^Wuser can replace the
downloaded .MSI before it is opened by MSIEXEC.exe and let MSIEXEC.exe
then perform arbitrary actions under the SYSTEM account via the
replaced *.MSI.

See and for this well-known and well-documented weakness.

#3: download over insecure channel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CleanerSetup.exe uses HTTP to fetch and , allowing an MITM attack.
Since CleanerSetup.exe performs no integrity checks on the downloaded
files any tampering goes unnoticed.

#4: the update checker/installer uses the same insecure procedure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once installed, Kaspersky Privacy Cleaner checks for updates just like
CleanerSetup.exe via insecure channel, downloads them via insecure
channel, performs no integrity checks, ...

stay tuned
Stefan Kanthak

PS: I second Eugene Kaspersky's statement on the miserability of
    traditional freebies and "security" products:

| There are a lot of users who don't have the ~$50 to spend on premium
| protection; therefore, they install traditional freebies (which have
| more holes than Swiss cheese for malware to slip through) or they even
| rely on Windows Defender (ye gods!).

Stop bragging, your own company's products and freebies are as bad as
those made by other snakeoil^WSwiss cheese makers!

PPS: also see Will Dormann's post
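The following PowerShell script is an added example for #1 and is not part of the advisory nor Kaspersky's code. It audits the directory an installer is run from (the user's "Downloads" folder by default) for files carrying any of the DLL names the advisory lists for Windows 7 SP1, i.e. the names a planted DLL would need in order to be loaded in place of the %SystemRoot%\System32\ copy. The DLL list and the directory come from the advisory; the function name, the output fields and the use of Get-AuthenticodeSignature are this example's own choices.

```powershell
# Added example (not from the advisory): audit a directory for planted copies of
# the system DLLs that CleanerSetup.exe loaded from its "application directory"
# on Windows 7 SP1. Any hit is a candidate for DLL search-order hijacking of
# every installer started from that directory.

# DLL names as listed in the advisory for Windows 7 SP1.
$HijackableDlls = @(
    'MSImg32.dll', 'UXTheme.dll', 'Version.dll', 'RichEd20.dll', 'MSI.dll',
    'Secur32.dll', 'SLC.dll', 'IPHlpAPI.dll', 'WinNSI.dll',
    'API-ms-win-downlevel-shlwapi-l2-1-0.dll', 'RASAPI32.dll', 'RASMan.dll',
    'RTUtils.dll', 'CryptSP.dll', 'RPCRTRemote.dll', 'DNSAPI.dll', 'DHCPSvc.dll',
    'DHCPSvc6.dll', 'RASADHlp.dll', 'BCrypt.dll', 'PropSys.dll', 'NetUtils.dll',
    'SrvCli.dll', 'WksCli.dll', 'MSIHnd.dll'
)

function Find-PlantedDll {
    param(
        # Directory installers are started from; the browser's "Downloads" folder by default.
        [string]$Directory = (Join-Path $env:USERPROFILE 'Downloads'),
        [string[]]$DllNames = $HijackableDlls
    )
    # A DLL with one of these names must never sit next to a downloaded installer,
    # whatever its signature says: the loader will take it before System32.
    Get-ChildItem -LiteralPath $Directory -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { $DllNames -contains $_.Name } |     # -contains is case-insensitive
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Created   = $_.CreationTime
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Usage: run before starting any installer from the Downloads directory.
$hits = @(Find-PlantedDll)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning "Found $($hits.Count) DLL(s) that an installer started from this directory would load instead of the System32 copies."
} else {
    Write-Host 'No hijackable DLLs found in the Downloads directory.'
}
```

The signature column is reported for triage only: a validly signed copy of, say, Version.dll does not belong in the Downloads directory either, since the installer would still execute it with the "requireAdministrator" token instead of the copy in %SystemRoot%\System32\. On other Windows versions extend the list with the names the installer loads there; the advisory notes that the list changes but is never empty.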
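The next script is an added example for #2 and #3 (and by extension #4), written from the mitigation side; it is not the advisory's code and not Kaspersky's. It shows the download step of an elevated installer done without the two defects described: the temporary directory is created with a DACL that grants access only to SYSTEM and Administrators instead of inheriting the user's %TEMP% permissions, and the package is fetched over HTTPS only and refused unless its SHA-256 matches a hash pinned into the installer and its Authenticode signature is valid. The URL, the pinned hash and the function names are placeholders of this example, not values from the advisory.

```powershell
# Added example (not from the advisory): a download step for an elevated
# installer that closes the two holes described under #2 and #3. Must be run
# elevated (the situation the advisory describes: "requireAdministrator").

function New-ProtectedTempDirectory {
    param(
        [string]$Parent = $env:TEMP,
        [string]$Name   = ('installer-' + [guid]::NewGuid().ToString('N'))
    )
    $path = Join-Path $Parent $Name
    $dir  = New-Item -ItemType Directory -Path $path
    $acl  = Get-Acl -LiteralPath $path
    # Stop inheriting the user-writable ACEs of the parent and discard the inherited ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($sid in @('S-1-5-18', 'S-1-5-32-544')) {     # SYSTEM, BUILTIN\Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl
    return $dir.FullName
}

function Get-VerifiedPackage {
    param(
        [Parameter(Mandatory)][uri]$Url,
        [Parameter(Mandatory)][string]$ExpectedSha256,   # pinned at build time, not downloaded
        [Parameter(Mandatory)][string]$Directory
    )
    if ($Url.Scheme -ne 'https') {
        throw "Refusing to download '$Url': only https is acceptable for an installer package."
    }
    $target = Join-Path $Directory ([IO.Path]::GetFileName($Url.AbsolutePath))
    Invoke-WebRequest -Uri $Url -OutFile $target -UseBasicParsing

    # Integrity check #1: the hash pinned into the (already trusted) installer.
    $actual = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -LiteralPath $target -Force
        throw "Hash mismatch for '$target': expected $ExpectedSha256, got $actual."
    }
    # Integrity check #2: a valid Authenticode signature on the package itself.
    $sig = Get-AuthenticodeSignature -LiteralPath $target
    if ($sig.Status -ne 'Valid') {
        Remove-Item -LiteralPath $target -Force
        throw "Authenticode check failed for '$target': $($sig.Status)."
    }
    return $target
}

# Usage (placeholders: substitute the vendor's real https URL and the hash pinned for this release).
$dir = New-ProtectedTempDirectory
$msi = Get-VerifiedPackage -Url 'https://example.invalid/cleaner.msi' `
                           -ExpectedSha256 ('0' * 64) -Directory $dir
Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList "/i `"$msi`"" -Wait
```

Two caveats a practitioner should keep in mind. First, the protected DACL only removes the primitive the advisory describes, replacing the file inside the directory; if the parent is the user's own %TEMP%, that user still holds delete/rename rights on the parent, so for an elevated process the `-Parent` should point at a location the unprivileged user cannot write to at all. Second, the two checks are complementary, not redundant: the pinned hash defeats a MITM on the download because it travels inside the already verified installer, while the Authenticode check alone would accept any validly signed package, including an older, vulnerable one.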