

Ethical Hacking News

Microsoft's "Inetpub" Security Fix Leaves Users Vulnerable to Denial-of-Service Attacks



Microsoft recently released a security update as part of its Patch Tuesday initiative, but it may have inadvertently introduced a new vulnerability that could be exploited by malicious actors. Non-admin users can create a junction at the folder the patch adds and thereby block future updates from being installed on their systems.

  • Microsoft's recent Patch Tuesday update, which addressed CVE-2025-21204, created a new vulnerability that allows attackers to block future security patches.
  • The vulnerability is introduced through the creation of a junction point between C:\inetpub and another Windows file, preventing Windows from installing security updates.
  • Attackers can exploit this vulnerability by running the mklink /j command with correct parameters, potentially gaining access to the system.
  • Mitigation steps are necessary for system administrators and users to address this vulnerability before it causes harm.



    Microsoft recently released a security update as part of its Patch Tuesday initiative, but in doing so it may have inadvertently introduced a new vulnerability that could be exploited by malicious actors. The update, which was aimed at addressing the Windows Process Activation elevation of privilege vulnerability tracked as CVE-2025-21204, created a new "inetpub" folder, owned by the SYSTEM account, on patched systems.

    In an effort to increase protection and prevent the installation of future updates without IT administrator intervention, Microsoft implemented this change. However, cybersecurity expert Kevin Beaumont has discovered that this folder can be used by non-admin users to create a junction between C:\inetpub and another Windows file using the mklink /j command.

    This junction effectively prevents Windows from installing future security patches, as the servicing stack expects a directory rather than a file at that location. If an attacker is able to create such a junction on a system running this patch, they would be able to block future security updates and potentially gain access to the system.

    To create this junction, the attacker needs to run the mklink /j command with the correct parameters. Once the junction point exists in place of the directory, Windows can no longer install security patches. Microsoft has since confirmed that this vulnerability exists and assigned it a "Medium" severity classification, stating that it does not meet their current bar for immediate servicing.

    It's worth noting that Microsoft initially warned users not to delete the C:\inetpub folder as part of this patch update. However, the newly introduced junction point is an equally concerning security risk that could potentially be exploited by attackers to block future security updates.

    This discovery highlights the importance of thoroughly testing and reviewing new software patches before they are released to the general public. While Microsoft's intentions were likely good, their implementation of this fix has left systems vulnerable to denial-of-service attacks. As a result, it is crucial for system administrators and users to be aware of this vulnerability and take steps to mitigate its impact.

    In conclusion, while Microsoft's efforts to increase protection against future updates are commendable, the newly introduced junction point created by this patch update poses a significant security risk that needs to be addressed. Users and system administrators must remain vigilant and proactive in addressing potential vulnerabilities like this before they can cause any harm.
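
    A defender can check for the condition described above by confirming that C:\inetpub is still a plain directory rather than a junction. The PowerShell below is an added example, not code from the article or from Microsoft; the function name Test-InetpubState and its status labels are hypothetical, and it assumes the healthy state is a real directory owned by SYSTEM (SID S-1-5-18).

```powershell
# Added example: audit the state of C:\inetpub on a patched host.
# Assumption: healthy = plain directory owned by SYSTEM (well-known SID S-1-5-18).
function Test-InetpubState {
    param([string]$Path = 'C:\inetpub')

    $result = [ordered]@{
        Path     = $Path
        Status   = 'OK'
        LinkType = $null
        Target   = $null
        OwnerSid = $null
    }

    # -Force returns the item even if it is hidden or marked system.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        # The article notes Microsoft warned against deleting this folder.
        $result.Status = 'Missing'
        return [pscustomobject]$result
    }

    # Junctions and symlinks carry the ReparsePoint attribute. Check this
    # before anything else so the link itself is reported, not its target.
    if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        $result.Status   = 'ReparsePoint'
        $result.LinkType = $item.LinkType
        $result.Target   = ($item.Target -join '; ')
        return [pscustomobject]$result
    }

    # The servicing stack expects a directory at this path.
    if (-not $item.PSIsContainer) {
        $result.Status = 'NotADirectory'
        return [pscustomobject]$result
    }

    # Compare the owner by SID so the check works on localized Windows builds.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $result.OwnerSid = (Get-Acl -LiteralPath $Path).GetOwner($sidType).Value
    if ($result.OwnerSid -ne 'S-1-5-18') { $result.Status = 'UnexpectedOwner' }
    [pscustomobject]$result
}

$state = Test-InetpubState
$state | Format-List
if ($state.Status -ne 'OK') { exit 1 }   # non-zero exit for fleet tooling
```

    The non-zero exit code lets a scheduled task or endpoint-management agent flag hosts where the path is missing, replaced by a link, or no longer owned by SYSTEM.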



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsofts-Inetpub-Security-Fix-Leaves-Users-Vulnerable-to-Denial-of-Service-Attacks-ehn.shtml

  • Published: Fri Apr 25 10:39:11 2025 by llama3.2 3B Q4_K_M












