Elevated Command

1: CIS version:
CIS 10.0.1.6223
2: OS version:
Windows 7 64-bit (version 6.1 / build 7601 / Service Pack 1)
3: What you did:
Logged in as a normal user (limited).
Wait for the ISE update prompt.
When ISE prompts for an update, click on the “Release notes” link.
4: What you actually saw:
IE (version 11.0.9600.18697) opened the link. Pretended to print the page using the “Microsoft XPS Document Writer”
This allowed me to open (explore) the files at “C:\Windows\System32”. Type “*.exe” at the filename field to list all executables.
Find “cmd.exe”, right-click and select “Run as Administrator”. From here, the Command Prompt will be run under the SYSTEM account. Any executable may be run by the user to take control of the system.
5: What you expected to happen or see:
IE (or any browser) should run using the currently logged-in user account.
6: If possible attach a screenshot illustrating the GUI problem
Cannot send the screenshot now, I am already late. Will do later.

Attached some details and screenshot. I hope this helps.

I hope this issue is resolved as soon as possible before someone takes advantage of this flaw, especially in corporate networks.

Moderator: You may modify my post or delete my attachment if needed. The detailed steps may be for the eyes of the developers only. Thank you.

The faster we respond, the more we contain, the less we are exposed.

:frowning:
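The report above boils down to one observable condition: a browser launched by a SYSTEM-level updater, and anything descended from it, runs as SYSTEM inside a limited user's session. The following is an added detection example (not code from the reporter, Comodo, or ISE) that checks process-creation records for exactly that. The event records, process names, account names and the `updater_service.exe` parent are constructed placeholders for illustration; in practice the same fields (image path, parent pid, user) come from Sysmon Event ID 1 or Windows 4688 audit events.

```python
"""Flag browser processes running as SYSTEM, and SYSTEM shells descended from a browser.

Added example, not part of the original forum post. Events below are constructed
to mirror the reported behaviour (updater -> IE as SYSTEM -> cmd.exe as SYSTEM)
alongside a benign user-session browser and shell.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "localsystem"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # full path of the executable
    user: str    # account the process runs as


def basename(path: str) -> str:
    """Executable name only, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system(user: str) -> bool:
    return user.lower() in SYSTEM_ACCOUNTS


def lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Walk parent pointers upwards; the 'seen' set guards against pid-reuse cycles."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per suspicious process, in event order."""
    by_pid = {e.pid: e for e in events}
    findings: List[dict] = []
    for ev in events:
        name = basename(ev.image)
        if name in BROWSERS and is_system(ev.user):
            # A browser should run as the interactive user, never as SYSTEM.
            findings.append({"rule": "browser_running_as_system", "pid": ev.pid, "image": name})
        elif name in SHELLS and is_system(ev.user):
            # A SYSTEM shell is normal in service context; it is not normal under a browser.
            browser_parents = [basename(a.image) for a in lineage(ev, by_pid)
                               if basename(a.image) in BROWSERS]
            if browser_parents:
                findings.append({"rule": "system_shell_descended_from_browser",
                                 "pid": ev.pid, "image": name, "via": browser_parents[0]})
    return findings


# Constructed sample: pids, paths and the updater name are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(600, 500, r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(1200, 1000, r"C:\Windows\explorer.exe", r"ACME\alice"),
    ProcEvent(2200, 600, r"C:\Program Files\Example\updater_service.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(3100, 2200, r"C:\Program Files\Internet Explorer\iexplore.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(3300, 3100, r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(3400, 1200, r"C:\Program Files\Internet Explorer\iexplore.exe", r"ACME\alice"),
    ProcEvent(3500, 1200, r"C:\Windows\System32\cmd.exe", r"ACME\alice"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Run against the sample, the first rule fires on the SYSTEM `iexplore.exe` (pid 3100) and the second on the `cmd.exe` beneath it (pid 3300), while the user's own browser and shell produce nothing. The second rule is the one that survives a vendor fix: even once the updater opens links as the logged-in user, a SYSTEM shell with a browser anywhere in its ancestry remains worth an alert.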

Hi netsvc,
Thanks for the report. We will be fixing the following in the next release of ISE:

Thanks
-umesh

I hope we see this patched as soon as possible. Thank you.

We hope to have a release in Aug-2017.

Should be fixed with Internet Security Essentials v1.3.436779.133 - RC

Thank you for the update!

I seldom log in, so I did not see your message right away.

Regards