Hi @ll,

"C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe", part of Apple's iCloudServices (see <https://www.apple.com/icloud/>), is configured to be started as (COM) server via SvcHost.Exe.

Unfortunately the developers of this (COM) server (and of course their QA too) did a lousy job and let their installer create the following erroneous registry entries with a command line that contains an unquoted pathname:

[HKEY_CLASSES_ROOT\CLSID\{23ad9193-ebad-42bf-8d03-fec6331270f2}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"

[HKEY_CLASSES_ROOT\CLSID\{9e6e74c7-0e85-4d14-8851-7635e2c1c528}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"

The unquoted pathname results in the execution of one of the rogue programs "C:\Program.exe", "C:\Program Files\Common.exe" or "C:\Program Files\Common Files\Apple\Internet.exe" (on x86), respectively "C:\Program.exe", "C:\Program Files.exe", "C:\Program Files (x86)\Common.exe" or "C:\Program Files (x86)\Common Files\Apple\Internet.exe" (on x64), with the rights of the logged-on user.

JFTR: the other 3 registry entries created for this COM server don't show this beginner's error and have the pathname properly quoted:

[HKEY_CLASSES_ROOT\CLSID\{1510187E-FE19-4F42-9C43-22C6E9E6AA67}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

[HKEY_CLASSES_ROOT\CLSID\{c1da7e1f-279b-4acd-9196-fc6ef7eb8e9e}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

[HKEY_CLASSES_ROOT\CLSID\{dd000cbd-67a6-423f-9132-1a2d0f76ead5}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""

Since every user account created during Windows setup has administrative rights, every user owning such an account can create the rogue program(s), resulting in a privilege escalation.

JFTR: no, the "user account control" is not a security boundary!
From <http://support.microsoft.com/kb/2526083>:

| Same-desktop Elevation in UAC is not a security boundary and can be hijacked
| by unprivileged software that runs on the same desktop. Same-desktop
| Elevation should be considered a convenience feature, and from a security
| perspective, "Protected Administrator" should be considered the equivalent
| of "Administrator."

JFTR: iCloudServices ships with even older outdated and vulnerable 3rd party (open source) libraries than iTunes, see <http://seclists.org/fulldisclosure/2014/Jul/30>

- libxslt.dll 1.0.9.0
- libxml2.dll 2.1.13.0
- icuuc40.dll, icuin40.dll, icudt46.dll, libicuin.dll, libicuuc.dll 4.6.1.0

regards
Stefan Kanthak

PS: the obvious and trivial fix: edit the 2 erroneous command lines and add the missing quotes. But don't forget to fix them after every update of Apple's crap for Windows.
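
An added example, not part of the original post and not Apple's or the author's code: a check that scans exported .reg text for LocalServer32 default values like the ones above, lists the paths that would be tried before the intended executable, and produces the quoted value described in the PS. The function names (unescape, candidates, audit) and the rule that anything after the first ".exe" is an argument are assumptions of this sketch; the sample input is constructed from two of the entries quoted above.

```python
import re

# Constructed sample: two of the entries quoted in the advisory, in .reg syntax.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{23ad9193-ebad-42bf-8d03-fec6331270f2}\LocalServer32]
@="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"
[HKEY_CLASSES_ROOT\CLSID\{1510187E-FE19-4F42-9C43-22C6E9E6AA67}\LocalServer32]
@="\"C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe\""
'''

KEY_RE = re.compile(r'^\[(.+\\LocalServer32)\]$', re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def unescape(value):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r'\1', value)

def candidates(cmdline):
    """Paths tried before the intended executable when cmdline is unquoted."""
    parts, out = cmdline.split(' '), []
    for i in range(1, len(parts)):
        prefix = ' '.join(parts[:i])
        if prefix.lower().endswith('.exe'):
            break  # intended executable reached; what follows are arguments
        out.append(prefix + '.exe')
    return out

def audit(reg_text):
    """Return (key, command line, earlier candidates, quoted fix) per finding."""
    findings, key = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith('['):
            m = KEY_RE.match(line)
            key = m.group(1) if m else None
            continue
        m = DEFAULT_RE.match(line)
        if not (key and m):
            continue
        cmd = unescape(m.group(1))
        tried = [] if cmd.startswith('"') else candidates(cmd)
        if tried:
            parts = cmd.split(' ')
            exe, args = ' '.join(parts[:len(tried) + 1]), parts[len(tried) + 1:]
            findings.append((key, cmd, tried, ' '.join(['"%s"' % exe] + args)))
    return findings

if __name__ == '__main__':
    for key, cmd, tried, fixed in audit(SAMPLE_REG):
        print(key, cmd, ', '.join(tried), fixed, sep='\n  ')
```

Run against a fresh export after each update, since the installer may rewrite the corrected values.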