The Register

Microsoft mystery folder fix might need a fix of its own

Turns out Microsoft’s latest patch job might need a patch of its own, again. This time, the culprit is a mysterious inetpub folder quietly deployed by Redmond, now hijacked by a security researcher to break Windows updates.

The folder, typically c:\inetpub, reappeared on Windows systems in April as part of Microsoft’s mitigation for CVE-2025-21204, an exploitable elevation-of-privileges flaw within Windows Process Activation. Rather than patching code directly, Redmond simply pre-created the folder to block a symlink attack path. For many administrators, the reappearance of this old IIS haunt raised eyebrows, especially since the mitigation did little beyond ensuring the folder existed.

For at least one security researcher, in this case Kevin Beaumont, the fix also presented an opportunity to hunt for more vulnerabilities. After poking around, he discovered that the workaround introduced a new flaw of its own, triggered using the mklink command with the /j parameter.

It’s a simple enough function. According to Microsoft’s documentation, mklink “creates a directory or file symbolic or hard link.” And with the /j flag, it creates a directory junction – a type of filesystem redirect.

Beaumont demonstrated this by running: “mklink /j c:\inetpub c:\windows\system32\notepad.exe”. This turned the c:\inetpub folder – pre-created in Microsoft’s April 2025 update to block symlink abuse – into a redirect to a system executable. When Windows Update tried to interact with the folder, it hit the wrong target, errored out, and rolled everything back.

“So you just go without security updates,” he noted.

The kicker? No admin rights are required. On many default-configured systems, even standard users can run the same command, effectively blocking Windows updates without ever escalating privileges.

It sounds trivial, but now sysadmins will have to scan for tampered junctions until Redmond sorts it out. Once again, Microsoft’s testing process is under the microscope, and admins are left wondering how such a basic DoS route slipped into production. Symlinks and junctions have long been an attack vector.
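One way to run the scan mentioned above, as an added example that is not from the article, Beaumont or Microsoft: a PowerShell function that reports whether the inetpub folder is still a plain directory or has become a junction or other reparse point. The function name, the status labels and the assumption that the folder sits at the root of the system drive are this example's own.

```powershell
# Added example: report the state of the inetpub folder.
# Assumption: the folder is at the root of the system drive (the article's "typically c:\inetpub").
function Get-InetpubState {
    param(
        [string]$Path = (Join-Path $env:SystemDrive 'inetpub')
    )

    $result = [ordered]@{
        Path     = $Path
        Status   = 'Unknown'
        LinkType = $null
        Target   = $null
        Owner    = $null
    }

    try {
        # -Force returns hidden/system entries; -ErrorAction Stop routes a missing path to catch.
        $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        $result.Status = 'Missing'
        return [pscustomobject]$result
    }
    catch {
        $result.Status = "Error: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # A junction or symlink carries the ReparsePoint attribute on the entry itself.
    if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        $result.Status   = 'ReparsePoint'
        $result.LinkType = $item.LinkType          # e.g. Junction or SymbolicLink
        $result.Target   = $item.Target -join '; ' # where the redirect points
    }
    elseif ($item.PSIsContainer) {
        $result.Status = 'PlainDirectory'
        # Owner is informational only; this example does not judge its value.
        try { $result.Owner = (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner } catch { }
    }
    else {
        $result.Status = 'NotADirectory'           # a file is sitting where the folder should be
    }
    return [pscustomobject]$result
}

Get-InetpubState | Format-List
```

A status of ReparsePoint, with its LinkType and Target, is the tampered state the article describes.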

According to Beaumont, Microsoft has been notified. The Windows giant has yet to respond. ®
