Hi @ll, the executable installer gimp-2.8.16-setup-1.exe (and of course older versions too) available from loads and executes UXTheme.dll from its "application directory". For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see , and http://seclists.org/fulldisclosure/2012/Aug/134 for "prior art" about this well-known and well-documented vulnerability. If an attacker places UXtheme.dll in the users "Downloads" directory (for example per drive-by download or social engineering) this vulnerability becomes a remote code execution. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. visit , download and save it as UXTheme.dll in your "Downloads" directory; 2. download gimp-2.8.16-setup-1.exe from and save it in your "Downloads" directory; 3. run gimp-2.8.16-setup-1.exe from the "Downloads" directory; 4. notice the message boxes displayed from UXTheme.dll placed in step 1. PWNED! See , and as well as and for details about this well-known and well-documented BEGINNER'S error! Additionally the installer creates and uses an UNSAFE temporary directory %TEMP%is-.temp. stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2016-01-29 sent vulnerability report NO REPLY, not even an acknowledgement of receipt 2016-02-11 resent vulnerability report NO REPLY, not even an acknowledgement of receipt 2016-02-23 report published # Iranian Exploit DataBase = http://IeDb.Ir [2016-02-28]