📄 الوصف (الإنجليزية)
IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup.
🤖 ملخص AI
CVE-2020-36952 is a local privilege escalation vulnerability in IObit Uninstaller 10 Pro exploiting unquoted service paths, allowing authenticated users to execute arbitrary code with SYSTEM privileges. While no public exploit exists, the vulnerability is straightforward to exploit and poses significant risk to organizations using this software. Immediate patching is critical as the vulnerability enables complete system compromise through a simple local attack vector.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Apr 27, 2026 07:38
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability primarily affects Saudi organizations using IObit Uninstaller 10 Pro on Windows systems. Risk sectors include: Government agencies (NCA, CITC) using endpoint management tools; Banking sector (SAMA-regulated institutions) with administrative workstations; Healthcare organizations (MOH facilities) managing IT infrastructure; Energy sector (ARAMCO, utilities) with IT operations; Telecom companies (STC, Mobily) managing enterprise endpoints. The vulnerability is particularly dangerous in shared administrative environments common in Saudi enterprises where multiple privileged users access the same systems.
🏢 القطاعات السعودية المتأثرة
Government
Banking
Healthcare
Energy
Telecommunications
IT Services
Enterprise IT Operations
🎯 تقنيات MITRE ATT&CK
⚖️ درجة المخاطر السعودية (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all systems running IObit Uninstaller 10 Pro using endpoint detection tools or SCCM/Intune inventory
2. Restrict local administrative access to affected systems where possible
3. Disable IObit Uninstaller Service if not actively required
PATCHING:
1. Update IObit Uninstaller to version 11 or later immediately
2. Verify patch installation by checking service path in Registry (HKLM\SYSTEM\CurrentControlSet\Services\IObitUninstallerService)
3. Restart affected systems to ensure service updates take effect
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement AppLocker/Windows Defender Application Control to restrict execution from Program Files directories
2. Monitor service startup events (Event ID 7045) for suspicious service creation
3. Restrict local administrator group membership
4. Enable Windows Defender for real-time protection
DETECTION:
1. Monitor Registry for unquoted service paths: reg query HKLM\SYSTEM\CurrentControlSet\Services /s | findstr /i "IObit"
2. Alert on service path modifications in Event Viewer (System log, Event ID 7045)
3. Monitor process creation from IObit installation directory with SYSTEM privileges
4. Implement YARA rule: detect unquoted paths in IObit service registry entries
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل IObit Uninstaller 10 Pro باستخدام أدوات كشف نقاط النهاية أو SCCM/Intune
2. تقييد الوصول الإداري المحلي للأنظمة المتأثرة حيثما أمكن
3. تعطيل خدمة IObit Uninstaller إذا لم تكن مطلوبة بنشاط
التصحيح:
1. تحديث IObit Uninstaller إلى الإصدار 11 أو أحدث فوراً
2. التحقق من تثبيت التصحيح بفحص مسار الخدمة في السجل
3. إعادة تشغيل الأنظمة المتأثرة لضمان تحديث الخدمة
الضوابط البديلة:
1. تطبيق AppLocker للتحكم في التطبيقات
2. مراقبة أحداث بدء الخدمة للكشف عن الخدمات المريبة
3. تقييد عضوية مجموعة المسؤولين المحليين
4. تفعيل Windows Defender للحماية في الوقت الفعلي
الكشف:
1. مراقبة السجل للمسارات غير المقتبسة
2. التنبيه على تعديلات مسار الخدمة
3. مراقبة إنشاء العمليات من دليل التثبيت بامتيازات SYSTEM
4. تطبيق قواعد الكشف عن المسارات غير المقتبسة
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.8.1.1 - User access management
A.8.2.1 - User registration and de-registration
A.8.3.1 - User access provisioning
A.9.2.1 - User access rights review
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.AM-2 - Software inventory and management
PR.AC-1 - Access control policy and procedures
PR.AC-4 - Access rights and privileges management
DE.CM-8 - Vulnerability scans
RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.8.1 - User endpoint devices
A.8.2 - Privileged access rights
A.8.3 - Information access restriction
A.12.6 - Management of technical vulnerabilities
A.14.2 - Security requirements analysis and specification
🟣 PCI DSS v4.0.1
2.2.4 - Configure system security parameters
6.2 - Ensure security patches are installed
8.1 - Assign unique user ID
8.2 - Restrict access to system components