After hearing about a recent bug (https://cxsecurity.com/issue/WLB-2014050050) I created a C:\program.exe app to show me if some other applications might also have the same problem.

On Windows 8.1 Update 1 with all updates, after using the “Close program” gesture to close Immersive IE, I see my program.exe application runs with the following output:

This link: https://bugzilla.mozilla.org/show_bug.cgi?id=846365 suggests to me that the invoking code might related to the PLM system used for Metro suspension.

Repro:

Arguably, this isn’t an important security issue because writing to the root requires Admin and the program is only executing with user-level permissions, but historically we’ve seen this sort of mistake used as a stepping stone of other exploits. The affected codepath may also allow repro for ANY Immersive browser (not just IE) which could have unknown security impact.