Will DormannApr 9

After installing April's updates, Windows 10 and 11 systems now have an empty C:\inetpub directory.

This seems... unexpected?

Show threadWill DormannApr 11

So, apparently this is the "fix" for CVE-2025-21204. Microsoft recently updated their advisory to say what the update does.

Prior to everybody freaking out, the advisory for CVE-2025-21204 said nothing about what it does.

Two gripes:

  • MSRC publishing content-free advisories has consequences, but they never seem to appreciate this.
  • I told MSRC YEARS AGO that they can avoid an entire class of LPE vulnerabilities in 3rd-party software and their own software by not allowing non-admin users to be able to create directories off of C:\. They refused to make any change because it might "break things".

    • Great job, folks.

    Security Update Guide - Microsoft Security Response Center

    Show threadWill DormannApr 11

    Would changing the ACLs to not allow non-admin users the ability to create directories off of C:\ really have a real-world impact of limiting LPEs?

    Absolutely. When you write a tool to look for things (e.g. Crassus), you see things. Heck, I've seen a privileged service attempt to open files in C:\Program%20Files\, which any non-admin Windows user can create by default.

    But no, even despite being presented with evidence for how this could fix an entire CLASS of LPEs on Windows, MSRC was not interested.

    GitHub - vu-ls/Crassus

    Contribute to vu-ls/Crassus development by creating an account on GitHub.

    GitHub
    Show threadWill DormannApr 17

    From over at the Bad Site ™
    Both the vulnerability and the "fix" for CVE-2025-21204 are quite silly.

    The scenario is:

  • Non-admin user creates C:\inetpub\wwwroot directory and puts web content there
  • Admin user at some point in the future enables IIS on the system.

    • The outcome is:
    The web content provided by the non-admin user (be it a web shell or whatnot) is served up by IIS.

    Maybe non-admin users shouldn't be able to make directories or junctions (to directories or files) in C:\?
    NAH.

    Maybe installing IIS should provide a clean webroot when it's installed?
    NAH.

    Just preemptively make a C:\inetpub directory that non-admin users can't write to. That fixes the problem. 🤦‍♂️

    Show threadWill DormannApr 25
    The fact that a non-admin user can create a junction to a file before April's updates resulting in windows updates never installing after that is not considered worth fixing by MSRC. 😂
    https://cyberplace.social/@GossiTheDog/114398293866746480
    Kevin Beaumont (@GossiTheDog@cyberplace.social)

    Attached: 1 image Microsoft have rated the ability for non-admin users to stop Windows patching as a moderate issue and closed the case. EDR providers, including Microsoft, probably want to add signatures for junction points from \inetpub being created on boot drive as it doesn’t look like this will be fixed any time soon.

    Cyberplace
    Show threadBill
    @wdormann See, it's shit like this that makes me want to plan and execute a campaign to own some schmuck just to prove them wrong.
    Apr 25 at 1:28pmWeb