Reported July 13, 2004, by Microsoft
A privilege-elevation vulnerability exists in the way Utility Manager launches applications. A logged-on user could force Utility Manager to start an application with system privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges.
Microsoft has released bulletin MS04-019, "Vulnerability in Utility Manager Could Allow Code Execution (842526)," to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.
Discovered by Cesar Cerrudo of Application Security, Inc.