Unquoted service path vulnerability in WCAssistantService Lavasoft
Vulnerability: Unquoted service path vulnerability in WCAssistantService Lavasoft
Impact: Any user that has Lavasoft webcompanion installed in their system can elevate his privilege on local system.
Web Companion blocks websites that try to steal your personal information by impersonating sites you know and trust. It keeps your passwords, payment and other personal information safe from hackers.
Unquoted service path exists for the service "WCAssistantService". This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
How to check:
C:\>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
WC Assistant WCAssistantService C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe Auto
Initial mail sent 2nd Nov 2017
Mail sent to webcompanion on 2nd Jan 2018 --> No response
Mail sent to webcompanion on 20th Jan 2018 --> No response
Disclosure date 23rd Jan 2018