Hi @ll,

TrendMicro_MAX_10.0_US-en_Downloader.exe (available from ) loads and
executes ProfAPI.dll and UXTheme.dll (and other DLLs too) eventually
found in the directory it is started from (the "application directory").

For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see , and

If one of the DLLs named above gets planted in the user's "Downloads"
directory per "drive-by download" or "social engineering" this
vulnerability becomes a remote code execution.

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit , download , save it as UXTheme.dll in your "Downloads"
   directory, then copy it as ProfAPI.dll;

2. download TrendMicro_MAX_10.0_US-en_Downloader.exe and save it in
   your "Downloads" directory;

3. execute TrendMicro_MAX_10.0_US-en_Downloader.exe from your
   "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!

For a denial of service instead of arbitrary (remote) code execution
copy the downloaded UXTheme.dll as OLEAcc.dll and WinSpool.drv.
This is easily turned into arbitrary (remote) code execution too: just
add the exports OpenPrinterW, ClosePrinter and DocumentPropertiesW
respectively LresultFromObject and CreateStdAccessibleObject to the DLL.

See and as well as and the still unfinished for more details about
this well-known and well-documented BEGINNER'S error and why executable
installers (and self-extractors too) are bad.

Additionally, TrendMicro_MAX_10.0_US-en_Downloader.exe creates an unsafe
temporary directory where it unpacks its payload to and executes it from.

...TrendMicro_MAX_10.0_US-en_Downloader\Agent\TisEzIns.exe loads and
executes multiple DLLs too from its unsafe application directory:
ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll, UXTheme.dll and
Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll and
OLEAcc.dll

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5. unpack TrendMicro_MAX_10.0_US-en_Downloader.exe (basically a 7-Zip
   self-extractor) into an arbitrary directory, say "%TEMP%" (this
   creates a subdirectory "%TEMP%\Agent" with the payload);

6. copy the downloaded UXTheme.dll from step 1 into "%TEMP%\Agent",
   then copy it as ProfAPI.dll, NTMarta.dll, RASAdHlp.dll, NTShrUI.dll,
   Secur32.dll plus WinMM.dll, Version.dll, WinSpool.drv, WinHttp.dll
   and OLEAcc.dll there;

7. execute "%TEMP%\Agent\TisEZIns.exe";

8. notice the message boxes displayed from the DLLs placed in steps 5
   and 6.

PWNED!

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2015-12-20    multiple reports sent to vendor
2015-12-20    one report bounced due to braindead mail setup by vendor
2015-12-20    resent bounced report via alternative provider
2015-12-21    vendor acknowledges receipt and names further contact
2015-12-28    vendor verifies reports, can reproduce it on Windows 7
2015-12-30    vendor asks for verification:
              "We did not reproduce the vulnerability relating to
               ProfAPI.dll and UXTheme.dll on Windows 7."
2015-12-31    sent verification to vendor
2015-12-31    bounced due to braindead mail setup by vendor:

  : host support.trendmicro.com.e0018.g0009.ng0090.im.emailsecurity.trendmicro.com[] said:
    554 5.7.1 : Recipient address rejected: ERS-RBL.
    (in reply to RCPT TO command)

  : host sjdc-itpf-04.udc.trendmicro.com[] said:
    550 5.7.1 Service unavailable; Client host [] blocked using Trend Micro RBL+.
    Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=;
    Mail from blocked using Trend Micro Email Reputation database. Please see ;
    from=< ; SIZE=8184> to=< ; ORCPT=rfc822;tm-csirt@trendmicro.com>
    proto=ESMTP helo= (in reply to end of DATA command)

2015-12-31    report published: vendor is obviously not interested in
              communication
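The defensive counterpart to the scenario above is to look, before running a downloaded installer, for DLLs sitting in the application directory that would shadow the real ones in the system directory. The following Python script is an added example (it is not part of Stefan Kanthak's advisory or of any Trend Micro code): it takes the DLL names the advisory lists, scans a directory for files carrying those names, and also flags any .dll or .drv at all next to an .exe, since none belong in a download folder. The directory it scans in `demo()` is a constructed temporary directory with placeholder files; in practice you would point `find_planted_dlls()` at the real "Downloads" folder.

```python
"""Check an application directory (e.g. the user's "Downloads" folder)
for DLLs that a program started there would load instead of the copies in
%SystemRoot%\\System32 (unless it hardens its DLL search path).

Added example, not code from the advisory. REPORTED_DLLS is the list of
names the advisory gives; the scanned directory in demo() is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# DLL/driver names the advisory reports as loaded from the application
# directory by the downloader and by its unpacked TisEzIns.exe payload.
REPORTED_DLLS = {
    "profapi.dll", "uxtheme.dll", "oleacc.dll", "winspool.drv",
    "ntmarta.dll", "rasadhlp.dll", "ntshrui.dll", "secur32.dll",
    "winmm.dll", "version.dll", "winhttp.dll",
}


def find_planted_dlls(directory, names=REPORTED_DLLS):
    """Return the sorted names of files in `directory` whose name matches
    (case-insensitively, as the Windows loader does) one of `names`."""
    found = [e.name for e in os.scandir(directory)
             if e.is_file() and e.name.lower() in names]
    return sorted(found, key=str.lower)


def find_any_loadable_modules(directory):
    """Broader check: any .dll or .drv in a download directory is out of
    place, whether or not it is on the reported list."""
    return sorted(e.name for e in os.scandir(directory)
                  if e.is_file()
                  and Path(e.name).suffix.lower() in {".dll", ".drv"})


def report(directory):
    """One line per suspicious file with its SHA-256, for triage or for a
    ticket to the vendor; nothing is executed or loaded."""
    lines = []
    for name in find_planted_dlls(directory):
        digest = hashlib.sha256((Path(directory) / name).read_bytes()).hexdigest()
        lines.append(f"{name}: sha256={digest}")
    return lines


def demo():
    """Recreate the advisory's layout in a constructed temp directory:
    two planted DLLs beside the downloader, plus an unrelated text file."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("UXTheme.dll", "ProfAPI.dll",
                  "TrendMicro_MAX_10.0_US-en_Downloader.exe", "notes.txt"):
            # constructed placeholder content, not a real DLL or installer
            (Path(d) / n).write_bytes(b"placeholder")
        return find_planted_dlls(d), find_any_loadable_modules(d)


if __name__ == "__main__":
    planted, loadable = demo()
    print("reported names found :", planted)
    print("all .dll/.drv present:", loadable)
```

A clean result from `find_any_loadable_modules()` on the Downloads folder is the condition the advisory's steps 1 and 6 violate; an installer that called `SetDefaultDllDirectories` or used the `LOAD_LIBRARY_SEARCH_SYSTEM32` search flags would not be affected by what this script finds, but the downloader and payload described above are.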