Use absolute path for taskkill in installer

2 files changed, 5 insertions, 3 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc00fb3560..e4a0097d4a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -57,6 +57,8 @@ Line wrap the file at 100 chars.                                              Th
   (WFP) filters normally do not apply for VMs. This mitigates the issue by ensuring that it does not
   leak (as easily) when the VPN tunnel is up. Previously, WSL would leak while in the blocked or
   connecting state, or while lockdown mode was active.
+- Fix issue where the installer would allow any executable named `taskkill.exe` in the working
+  directory to run as admin. This fixes audit issue `MLLVD-CR-24-06`.
 
 #### Linux
 - Prevent attackers able to send ARP requests to the device running Mullvad from figuring out
diff --git a/dist-assets/windows/installer.nsh b/dist-assets/windows/installer.nsh
index 4b6273d75b..9e0a2dfaf7 100644
--- a/dist-assets/windows/installer.nsh
+++ b/dist-assets/windows/installer.nsh
@@ -767,7 +767,7 @@
 	${EndIf}
 
 	# Killing without /f will likely cause the daemon to disconnect.
-	nsExec::Exec `taskkill /f /t /im "${APP_EXECUTABLE_FILENAME}"` $R0
+	nsExec::Exec `"$SYSDIR\taskkill.exe" /f /t /im "${APP_EXECUTABLE_FILENAME}"` $R0
 	Sleep 500
 
 	customCheckAppRunning_skip_kill:
@@ -1067,9 +1067,9 @@
 
 	Pop $FullUninstall
 
-	nsExec::Exec `taskkill /t /im "${APP_EXECUTABLE_FILENAME}"` $0
+	nsExec::Exec `"$SYSDIR\taskkill.exe" /t /im "${APP_EXECUTABLE_FILENAME}"` $0
 	Sleep 500
-	nsExec::Exec `taskkill /f /t /im "${APP_EXECUTABLE_FILENAME}"` $0
+	nsExec::Exec `"$SYSDIR\taskkill.exe" /f /t /im "${APP_EXECUTABLE_FILENAME}"` $0
 
 	${If} $FullUninstall == 0
 		# Save the target tunnel state if we're upgrading