Hi @ll, the "Microsoft Installer" creates for applications installed via an .MSI the following uninstall information in the Windows registry (see <http://msdn.microsoft.com/library/aa372105.aspx>): [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall] "UninstallString"="MsiExec.Exe /X{<GUID>}" "ModifyPath"="MsiExec.Exe /I{<GUID>}" Note the unqualified path to the executable "msiexec.exe". On Windows installations without the "SafeProcessSearchMode" hotfix (cf. <http://support.microsoft.com/kb/905890>) or with this safeguard turned off (cf. <http://msdn.microsoft.com/library/dd266735.aspx>, which refers to <http://support.microsoft.com/kb/959426> alias MS09-015), an executable "msiexec.exe" placed in the CWD or the users "base" directory (addressed by "%HOMEDRIVE%%HOMEPATH%" and typically equal to "%USERPROFILE%") can be run instead of the intended executable "%SystemRoot%\System32\MsiExec.Exe". The VERY simple fix (which eliminates this attack vector completely): always use fully-qualified paths to the well-known executables. JFTR: cf. <http://seclists.org/fulldisclosure/2011/Sep/160> Stefan Kanthak
