After installing April's updates, Windows 10 and 11 systems now have an empty C:\inetpub directory.

This seems... unexpected?

So, apparently this is the "fix" for CVE-2025-21204. Microsoft recently updated their advisory to say what the update does.

Prior to everybody freaking out, the advisory for CVE-2025-21204 said nothing about what it does.

Two gripes:

  • MSRC publishing content-free advisories has consequences, but they never seem to appreciate this.
  • I told MSRC YEARS AGO that they can avoid an entire class of LPE vulnerabilities in 3rd-party software and their own software by not allowing non-admin users to create directories off of C:\. They refused to make any change because it might "break things".

Great job, folks.

    Security Update Guide - Microsoft Security Response Center

    Would changing the ACLs to not allow non-admin users the ability to create directories off of C:\ really have a real-world impact of limiting LPEs?

    Absolutely. When you write a tool to look for things (e.g. Crassus), you see things. Heck, I've seen a privileged service attempt to open files in C:\Program%20Files\, which any non-admin Windows user can create by default.

    But no, even despite being presented with evidence for how this could fix an entire CLASS of LPEs on Windows, MSRC was not interested.

    GitHub - vu-ls/Crassus


    From over at the Bad Site ™
    Both the vulnerability and the "fix" for CVE-2025-21204 are quite silly.

    The scenario is:

  • A non-admin user creates the C:\inetpub\wwwroot directory and puts web content there.
  • An admin user at some point in the future enables IIS on the system.

    The outcome is that the web content provided by the non-admin user (be it a web shell or whatnot) is served up by IIS.

    Maybe non-admin users shouldn't be able to make directories or junctions (to directories or files) in C:\?
    NAH.

    Maybe installing IIS should provide a clean webroot when it's installed?
    NAH.

    Just preemptively make a C:\inetpub directory that non-admin users can't write to. That fixes the problem. 🤦‍♂️
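The scenario above and the earlier question about ACLs on C:\, as an added PowerShell example (this is not code from the thread, nor the logic of Microsoft's update): it lists the Allow ACEs on C:\ that let non-admin principals create entries there, empirically probes whether the current account can create a directory off C:\ (the same primitive that lets a non-admin pre-create C:\inetpub\wwwroot or C:\Program%20Files), and shows one way an admin can pre-create a directory with inheritance cut off so non-admins cannot write into it. The list of "non-admin" principals, the probe naming, and the hardened ACL (SYSTEM and Administrators full control, Users read and execute) are assumptions for illustration, not the ACL the April update applies.

```powershell
# Added example, not from the thread. Checks who can create directories off a
# root, probes it empirically, and pre-creates a directory non-admins cannot write to.
# Assumptions: BUILTIN\Users, Authenticated Users and Everyone are the "non-admin"
# principals of interest; the hardened ACL below is illustrative, not the update's.
param(
    [string]$Root   = 'C:\',
    [string]$Target = 'C:\inetpub'
)

# CreateDirectories is the same bit as AppendData, CreateFiles the same as WriteData.
$createRights = [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-NonAdminCreateAces {
    # Returns the Allow ACEs on $Path that let a non-admin principal create entries in it.
    param([string]$Path)
    $nonAdmin = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $nonAdmin -contains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band [int]$createRights) -ne 0
    }
}

function Test-CanCreateDirectory {
    # Empirical check: try to create (then remove) a uniquely named directory under $Path.
    # A random name is used so the probe never collides with C:\inetpub or C:\Program%20Files.
    param([string]$Path)
    $probe = Join-Path $Path ('acl-probe-' + [guid]::NewGuid().ToString('N'))
    try {
        New-Item -ItemType Directory -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function New-RestrictedDirectory {
    # Pre-create $Path (if absent) and replace its inherited ACL with an explicit one:
    # SYSTEM/Administrators full control, Users read+execute only. Requires elevation.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the permissive C:\ ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($entry in @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute'))) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $entry[0], $entry[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Write-Host "== Non-admin ACEs on $Root that permit creating files/directories =="
Get-NonAdminCreateAces -Path $Root |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

if (Test-CanCreateDirectory -Path $Root) {
    Write-Host "This account CAN create directories off $Root (so it could pre-create $Target)."
} else {
    Write-Host "This account cannot create directories off $Root."
}

Write-Host "`n== $Target =="
if (Test-Path -LiteralPath $Target) {
    $aces = @(Get-NonAdminCreateAces -Path $Target)
    if ($aces.Count -eq 0) {
        Write-Host "$Target exists and non-admins cannot create entries in it."
    } else {
        Write-Host "$Target exists but non-admins CAN write into it:"
        $aces | Format-Table IdentityReference, FileSystemRights -AutoSize
    }
} else {
    Write-Host "$Target does not exist; a non-admin could claim it."
    Write-Host "To pre-create it restricted (elevated): New-RestrictedDirectory -Path $Target"
}
```

Run the script unelevated as an ordinary user to see the first two checks from the attacker's point of view; on a default install the ACE that shows up is Authenticated Users with AppendData on the root folder only, and the probe succeeds. Only New-RestrictedDirectory needs an elevated prompt. Note that the probe and the ACL listing answer different questions: the listing shows the policy, the probe shows what this account can actually do right now, which is the check worth putting in a build or hardening test.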

    @wdormann why should a user ever need to write data outside their home directory?
    @JmbFountain
    Because Microsoft is afraid to break terrible apps doing things that they shouldn't.
    @wdormann @JmbFountain *Looks at the most used business banking app in the country* (it installs to C:\Halcom, because it keeps databases (and more) inside its installation directory, and this stopped working when installed to Program Files in Windows 10 despite the installer running cacls /e /t /g users:f during install.)