file system

Winsage
April 9, 2025
Microsoft has addressed a zero-day vulnerability, CVE-2025-29824, exploited by the group Storm-2460, affecting the Windows Common Log File System (CLFS). This vulnerability has been linked to ransomware attacks on organizations in the U.S., Venezuela, Spain, and Saudi Arabia. Storm-2460 has targeted firms in the IT and real estate sectors in the U.S., a financial institution in Venezuela, a software company in Spain, and a retail business in Saudi Arabia. The exploitation, facilitated by the PipeMagic malware, allows attackers to escalate privileges from standard user accounts; the vulnerability has a CVSS score of 7.8. Microsoft has patched 32 CLFS vulnerabilities since 2022, with six exploited in the wild. This month's security update is Microsoft's fourth in the past year to address over 100 vulnerabilities, with 18 affecting Microsoft Office products classified as high-severity.
Winsage
April 9, 2025
Creating virtual hard disks (VHD or VHDX) in Windows 11 23H2 and later is straightforward through the Settings app. Users can create a VHD by navigating to Settings -> System -> Storage -> Advanced storage settings -> Disks and volumes, where they can choose to create a VHD or Dev Drive. The VHD format supports up to 2040GB, while VHDX supports up to 64TB and offers resilience during power failures. VHDX can be encrypted with BitLocker for password protection. Virtual disks can be shared over a network, enhancing efficiency by eliminating the need for physical media. They are cost-effective compared to physical drives, reducing hardware costs and potential points of failure. The Hyper-V hypervisor provides a versatile platform for these virtual drives, which offer portability, flexibility, ease of sharing, efficient backups, and robust security, though they may have slower performance than SSDs and limited native boot support for Windows.
Winsage
April 9, 2025
Microsoft's Patch Tuesday updates addressed over 120 vulnerabilities, including one actively exploited flaw (CVE-2025-29824) and 11 critical issues. CVE-2025-29824 is an elevation of privilege vulnerability in the Windows Common Log File System Driver, targeted by the group Storm-2460 to deploy ransomware called PipeMagic, affecting victims in the US, Spain, Venezuela, and Saudi Arabia. This vulnerability has a CVSS score of 7.8 and allows attackers to escalate privileges due to a use-after-free flaw. Patches for Windows Server and Windows 11 have been released, but Windows 10 users are still awaiting a fix, with Microsoft promising updates soon. All of the critical vulnerabilities addressed allow for remote code execution (RCE). Notable vulnerabilities include:
- CVE-2025-26670: LDAP Client RCE, Critical, CVSS 8.1
- CVE-2025-27752: Microsoft Excel RCE, Critical, CVSS 7.8
- CVE-2025-29791: Microsoft Excel RCE, Critical, CVSS 7.8
- CVE-2025-27745: Microsoft Office RCE, Critical, CVSS 7.8
- CVE-2025-27748: Microsoft Office RCE, Critical, CVSS 7.8
- CVE-2025-27749: Microsoft Office RCE, Critical, CVSS 7.8
- CVE-2025-27491: Windows Hyper-V RCE, Critical, CVSS 7.1
- CVE-2025-26663: Windows LDAP RCE, Critical, CVSS 8.1
- CVE-2025-27480: Windows RDP RCE, Critical, CVSS 8.1
- CVE-2025-27482: Windows RDP RCE, Critical, CVSS 8.1
- CVE-2025-26686: Windows TCP/IP RCE, Critical, CVSS 7.5
- CVE-2025-29809: Windows Kerberos Security Feature Bypass, Important, CVSS 7.1
Dustin Childs from ZDI noted that CVE-2025-29809 requires additional measures beyond standard patching. CVE-2025-26663 and CVE-2025-26670 are considered wormable, necessitating prompt updates, especially for networks exposing LDAP services. Adobe released over 50 fixes for vulnerabilities in products like ColdFusion, After Effects, and Photoshop, with some issues in ColdFusion classified as critical. AMD updated advisories regarding GPU access and various Ryzen AI software vulnerabilities.
Winsage
April 9, 2025
A critical zero-day vulnerability in the Windows Common Log File System (CLFS) driver, identified as CVE-2025-29824, is actively exploited, allowing attackers to elevate privileges to SYSTEM level and compromise system integrity. This flaw arises from a use-after-free issue within the CLFS driver, enabling local attackers to execute malicious code. Microsoft is aware of the exploitation and is working on a security update, but no immediate patch is available. The vulnerability affects multiple versions of Windows 10, including x64-based and 32-bit systems, and can lead to privilege escalation, data breaches, operational disruption, and malware deployment. Microsoft has classified this vulnerability as "Important" and urges organizations to apply patches promptly once available.
Winsage
April 9, 2025
Microsoft reported that the RansomEXX ransomware gang has been exploiting a critical zero-day vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, allowing them to gain SYSTEM privileges on targeted systems. This vulnerability stems from a use-after-free flaw and affects organizations in various sectors, including IT and real estate in the US, financial institutions in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft has released security updates for most affected Windows versions but has postponed patches for Windows 10 x64 and 32-bit systems. Customers running Windows 11, version 24H2, are not vulnerable to the exploitation. The RansomEXX group, also known as Storm-2460, uses the PipeMagic backdoor malware to facilitate the exploitation of CVE-2025-29824, alongside ransomware payloads. The group has targeted high-profile organizations, including GIGABYTE, Konica Minolta, the Texas Department of Transportation, Brazil's court system, Montreal's STM public transport system, and government software provider Tyler Technologies.
Winsage
April 8, 2025
April 2025 Patch Tuesday introduced fixes for over 120 vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) that is actively exploited. CVE-2025-29824 is a use-after-free vulnerability in the Windows Common Log File System (CLFS), allowing privilege escalation to SYSTEM on compromised Windows machines. Microsoft has patched 32 CLFS vulnerabilities since 2022, with six exploited in the wild. Updates for Windows 10 are not yet available. Other notable vulnerabilities include CVE-2025-26663 and CVE-2025-26670, both unauthenticated use-after-free vulnerabilities in Windows LDAP, and CVE-2025-27480 and CVE-2025-27482 in Windows Remote Desktop Services. None of these vulnerabilities have been patched for Windows 10 systems, but updates are forthcoming. Microsoft reversed its decision to discontinue driver update synchronization to WSUS servers, confirming that WSUS will continue to synchronize driver updates.
Tech Optimizer
March 28, 2025
SQL Server Enterprise Edition costs approximately ,000 per CPU core, with an additional 23 percent for Software Assurance. SQL Server provides a mature solution for high availability and backups, integrating seamlessly with Windows Server Failover Clustering. PostgreSQL offers three primary backup methods: SQL dump, file system-level backup (requiring database shutdown), and continuous archiving, with the latter being complex to implement. SQL Server typically offers more integrated features out of the box, such as temporal tables and graph databases, while PostgreSQL requires extensions. SQL Server caches execution plans, which can reduce CPU usage but may lead to suboptimal plans. SQL Server Management Studio (SSMS) provides a superior user experience compared to pgAdmin. SqlPackage for SQL Server is considered better than available options for PostgreSQL, and the SQL Server community is noted for its support and engagement.
Winsage
March 28, 2025
Microsoft's Resilient File System (ReFS) was introduced in 2012 with Windows Server 2012 and has been relatively obscure compared to NTFS. It has recently emerged as an optional feature in a preview build of Windows 11 (Build 27823), allowing users to format partitions with a "Flexible Storage" option, offering a choice between NTFS and ReFS. ReFS is designed for larger storage capacities, can format partitions up to 35 petabytes, and supports single files as large as the entire volume. It includes advanced features like block cloning and file-level snapshots but lacks support for certain NTFS functionalities such as bootable volumes and file compression. Currently, ReFS is primarily aimed at enterprise and server environments, but its inclusion in Windows 11 may indicate plans for broader consumer access. The open-source community is developing unofficial documentation for ReFS, and Paragon Software has created a closed-source ReFS driver.