Ethical Hacking News
Microsoft's latest patch job has introduced a new security concern, as a mysterious inetpub folder hijacked by a security researcher has been found to have a flaw in the workaround that was supposed to block symlink attacks.
The latest Windows patch for CVE-2025-21204 introduced a new security concern. A security researcher, Kevin Beaumont, discovered a flaw in the workaround that was supposed to block symlink attacks. The mklink command with the /j parameter can be used to create a directory junction, turning the inetpub folder into a redirect to a system executable. This causes Windows Update to fail and roll back, rendering the system vulnerable to further attacks. No admin rights are required to execute the mklink command, making it accessible even to standard users. Microsoft has been notified of the issue but no patch is available yet. The incident highlights concerns about Microsoft's testing process and its ability to catch vulnerabilities.
In a recent development that has left many in the IT community scratching their heads, Microsoft's latest patch job for CVE-2025-21204, a vulnerability in Windows Process Activation, has introduced a new security concern. The mysterious inetpub folder, which was reintroduced as part of the mitigation strategy, has been hijacked by a security researcher, Kevin Beaumont, who discovered a flaw in the workaround that was supposed to block symlink attacks.
According to Beaumont's findings, the mklink command with the /j parameter can be used to create a directory junction, effectively turning the inetpub folder into a redirect to a system executable. This, in turn, causes Windows Update to fail and roll back, rendering the system vulnerable to further attacks. The kicker? No admin rights are required to execute this command, making it accessible even to standard users.
Beaumont's discovery has sparked concerns about Microsoft's testing process, as the seemingly innocuous folder was introduced without sufficient scrutiny. Symlinks and junctions have long been a vector for attackers, and it appears that the company's efforts to mitigate one vulnerability may have inadvertently created another.
Microsoft has been notified of the issue, but as yet, there is no word on when a patch will be released to rectify the situation. In the meantime, sysadmins are left to wonder how such a basic DoS route slipped into production and whether the company's testing process is truly robust enough to catch these types of vulnerabilities.
The incident serves as a reminder that even in the pursuit of security, there can be unintended consequences. As the IT landscape continues to evolve, it will be crucial for companies like Microsoft to stay vigilant and ensure that their patches do not introduce new vulnerabilities. Only time will tell if Redmond will be able to address this issue promptly.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Windows-Mystery-Folder-Fix-A-Tale-of-Security-and-Vulnerabilities-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/04/24/microsoft_mystery_folder_fix/
https://www.theregister.com/2025/04/24/microsoft_mystery_folder_fix/
https://forums.theregister.com/forum/all/2025/04/24/microsoft_mystery_folder_fix/
Published: Thu Apr 24 14:46:40 2025 by llama3.2 3B Q4_K_M
