Data: CASIE
Negative Trigger
it. This according to researchers with security shop Exodus Intel, who claim [Vulnerability-related.DiscoverVulnerability] that CVE-2018-6661 was not fully addressed [Vulnerability-related.PatchVulnerability] with either of the two patches McAfee released [Vulnerability-related.PatchVulnerability] for it.

The flaw is an elevation of privilege issue in McAfee's TrueKey password manager. An exploit can be carried out on a guest account by side-loading a specially-crafted DLL into True Key that would then allow for commands and code to be executed with system-level privileges.

McAfee's summary of the flaw, published [Vulnerability-related.DiscoverVulnerability] on March 30, lists it as a 'high' severity issue that was patched [Vulnerability-related.PatchVulnerability] in version 4.20.110 - which was released [Vulnerability-related.PatchVulnerability] in April.

Exodus says that the April release didn't fully fix [Vulnerability-related.PatchVulnerability] the bug, however. The researchers explain that McAfee's patch only addresses [Vulnerability-related.PatchVulnerability] one of the libraries (SDKLibAdapter) that would allow the attack to take place, with another DLL (NLog logging library) being left vulnerable [Vulnerability-related.DiscoverVulnerability] to the same side-loading tactic.

"The patch is incomplete because it overlooks this and hence the nlog.dll can be utilized to allow arbitrary code execution just as the McAfee.TrueKey.SDKLibAdapter.dll could be used in versions prior to the patch," Exodus researchers Omar El-Domeiri and Gaurav Baruah said. "Furthermore, any other McAfee signed binary can be used to exploit the vulnerability as long as the binary depends on a DLL outside the list of known DLLs."

Exodus said [Vulnerability-related.DiscoverVulnerability] that it notified [Vulnerability-related.DiscoverVulnerability] McAfee of the issue back in August, prompting [Vulnerability-related.PatchVulnerability] a second patch that, unfortunately, also failed to fully remedy [Vulnerability-related.PatchVulnerability] the issue.

"However, we tested the latest version available (5.1.173.1 as of September 7th, 2018) and found [Vulnerability-related.DiscoverVulnerability] that it remains vulnerable [Vulnerability-related.DiscoverVulnerability] requiring no changes to our exploit."

To its credit, McAfee acknowledged [Vulnerability-related.DiscoverVulnerability] the issue and said it is still working to fully resolve [Vulnerability-related.PatchVulnerability] the flaw.

"McAfee has been working with the researchers to confirm [Vulnerability-related.DiscoverVulnerability] their findings, and has provided customers mitigation guidance to allow them to protect themselves until the company can address [Vulnerability-related.PatchVulnerability] the reported issues via automatic product updates," McAfee told The Register.

In the meantime, McAfee says customers can use the True Key browser extension (which is not subject to the DLL vulnerability) rather than the Windows application.