Application is launched with LocalSystem rights from user-writable folder, allowing DLL spoofing.
vulners.com/securityvulns/securityvulns:doc:23503