CVE-2020-10551: 
Tencent QQ Browser vulnerability analysis and mitigation

CVE-2020-10551 affects QQBrowser versions prior to 10.5.3870.400. The vulnerability was discovered and disclosed on April 9, 2020. The issue exists in the QQBrowser's Windows service implementation where a critical system file has incorrect permissions, potentially allowing privilege escalation (Seqred Advisory, NVD).

The vulnerability stems from improper access control (CWE-732) in QQBrowser's TsService.exe file. The browser creates a Windows service with ImagePath pointing to TsService.exe in its installation directory (default: C:\Program Files (x86)\Tencent\QQBrowser\TsService.exe). The file permissions incorrectly allow writing access to members of NT AUTHORITY\Authenticated Users group, which includes all local and remote users (Seqred Advisory).

The vulnerability allows local attackers to escalate privileges to NT AUTHORITY\SYSTEM, which is the highest privileged account on a Windows system. This level of access could enable an attacker to gain complete control over the affected system (NVD, Seqred Advisory).

The recommended mitigation is to upgrade QQBrowser to version 10.5.3870.400 or later, which contains the fix for this vulnerability (Seqred Advisory).