GlassWireSetup.exe subject to EXE planting attack

Disclosed: 2016-02-04 20:46:46 By ericlaw To glasswire
Vulnerability Details
GlassWire recently fixed a DLL hijacking attack whereby trojan DLLs would be loaded from the user's \Downloads\ folder. However, it appears that GlassWireSetup.exe still uses an unqualified path when running CertUtil.exe, and as a consequence a trojaned CertUtil.exe will execute from the \Downloads\ folder. Interestingly, it executes without any security warning that Windows would normally show for a downloaded executable run from the shell (suggesting that CreateProcess was used rather than ShellExecute). To fix this, it might make the most sense to set the current working directory to the System folder early in the Setup process.
Report Stats
  • Report ID: 107213
  • State: Closed
  • Substate: resolved
  • Upvotes: 2
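
An added example, not GlassWire's code and not part of the original report: one way for an installer to start CertUtil.exe so that a same-named file in \Downloads\ is never considered. It uses a fully qualified path instead of the working-directory change the report proposes; `qualify_tool` and `run_system_tool` are hypothetical helper names, and the launch function is compiled only on Windows.

```c
/* Added example: launch a system tool by fully qualified path. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Join the system directory and a bare tool name into out.
 * Rejects names carrying a drive, slash or backslash, so a caller cannot
 * steer the launch to another folder. Returns 0 on success, -1 on error. */
int qualify_tool(const char *sysdir, const char *tool, char *out, size_t cap)
{
    int n;
    if (!sysdir || !*sysdir || !tool || !*tool || !out || cap == 0) return -1;
    if (strpbrk(tool, "\\/:") != NULL) return -1;
    n = snprintf(out, cap, "%s\\%s", sysdir, tool);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

#ifdef _WIN32
/* Hypothetical helper: run <system directory>\tool with args and return its
 * exit code, or -1 if it could not be started. */
int run_system_tool(const char *tool, const char *args)
{
    char sysdir[MAX_PATH], exe[MAX_PATH], cmd[1024];
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    DWORD code = 1;
    UINT len = GetSystemDirectoryA(sysdir, MAX_PATH);
    int n;

    if (len == 0 || len >= MAX_PATH) return -1;
    if (qualify_tool(sysdir, tool, exe, sizeof exe) != 0) return -1;
    n = snprintf(cmd, sizeof cmd, "\"%s\" %s", exe, args ? args : "");
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    /* Full path in lpApplicationName: CreateProcess performs no search, so a
     * same-named file beside the installer or in the cwd is never considered.
     * The child's working directory is also pinned to the system directory. */
    if (!CreateProcessA(exe, cmd, NULL, NULL, FALSE, CREATE_NO_WINDOW,
                        NULL, sysdir, &si, &pi)) return -1;
    WaitForSingleObject(pi.hProcess, INFINITE);
    GetExitCodeProcess(pi.hProcess, &code);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return (int)code;
}
#endif
```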