Kevin Beaumont Archives

Winsage

October 25, 2025

Windows Server WSUS bug exploits underway, Microsoft’s mum

A critical vulnerability in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, has a CVSS score of 9.8 out of 10 and affects Windows Server versions from 2012 to 2025. The vulnerability arises from the insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on compromised systems. Servers without the WSUS role enabled are unaffected. Microsoft issued a patch on October 14, which did not fully resolve the issue, leading to an emergency update. Security researcher Kevin Beaumont reported that he could manipulate the second patch, raising concerns about the delivery of malicious updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, while the Dutch National Cybersecurity Center issued alerts about ongoing exploitation activities. Private security firms, including Huntress and watchTowr, reported targeted attacks on WSUS instances, with fewer than 25 susceptible hosts identified. WatchTowr's CEO warned that any unpatched WSUS instance online is likely compromised, urging organizations to reassess their security posture.

Winsage

June 9, 2025

Microsoft: Remedy for security vulnerability due to deleted “inetpub” folder

A recent Microsoft security update has created a new folder named "inetpub" on Windows systems, which is essential for system security. If users delete this folder, it can lead to significant vulnerabilities. Microsoft has released a Powershell script, Set-InetpubFolderAcl.ps1, to restore the "inetpub" folder and set the correct permissions. Systems that installed the April security update (KB5055528) must take immediate action if the "inetpub" directory is missing. The script also updates access rights for the "DeviceHealthAttestation" directory, if it exists. Administrative rights are required to run the script. This issue was highlighted by IT security researcher Kevin Beaumont, who noted that deleting the "inetpub" folder could disrupt the installation of future security updates.

Winsage

June 6, 2025

Microsoft shares script to restore inetpub folder you shouldn’t delete

Microsoft has released a PowerShell script to help restore the C:Inetpub folder, which is crucial for addressing a high-severity privilege escalation vulnerability associated with Windows Process Activation. The folder's unexpected appearance after the April 2025 Windows security updates led some users to delete it, inadvertently exposing their systems to vulnerabilities. Microsoft emphasizes that the folder should not be deleted, as it is integral to the security framework, regardless of whether Internet Information Services (IIS) is active. The script allows administrators to recreate the folder with the correct permissions and access control settings.

AppWizard

May 22, 2025

Signal resorts to “weird trick” to block Windows Recall in Desktop app

Microsoft's Recall feature indexes a wide range of personal data, including Zoom meetings, emails, photos, medical conditions, and conversations on Signal, affecting both users and their contacts without consent. Researcher Kevin Beaumont found that the feature captures sensitive information like payment card details and can decrypt its database using a fingerprint scan or PIN. Developers, such as those at Signal, lack tools to prevent their content from being indexed by Recall, leading Signal to utilize a Digital Rights Management API to protect privacy. This workaround may help, but it depends on all chat participants using the Windows Desktop version with default settings. Microsoft has not addressed concerns regarding developer control over Recall.

Winsage

May 14, 2025

Microsoft Confirms Windows Upgrade Choice—You Must Now Decide

Microsoft has released a mandatory update for Windows 11, identified as “KB5058411,” which includes essential security fixes and introduces a new feature called Recall. Recall uses artificial intelligence to capture snapshots of the user's screen at regular intervals, creating a photographic memory of digital interactions. Users will be prompted to enable Recall during the installation of the May 2025 Windows 11 24H2 update, and opting in for the first time simplifies future re-enabling. However, enabling Recall raises privacy concerns, as it records activities and communications from secure messaging platforms like WhatsApp and Signal, potentially exposing sensitive information. A user reported that someone was able to access his entire PC history, including deleted messages, highlighting the vulnerabilities associated with the feature. Users are advised to carefully consider the implications of opting into Recall.

Winsage

May 2, 2025

Windows Recall Is Back (but Should You Use It?)

Windows Recall, an AI-driven feature by Microsoft, was initially launched in July but withdrawn due to security and privacy concerns. It has since returned with modifications aimed at improving user experience, although concerns about its functionality persist. Recall captures and analyzes screenshots of user activities to aid in retrieving past documents or messages. Users must have a Copilot+ PC to access Recall, which is not activated by default. Security enhancements include encrypted data storage and mandatory Windows Hello authentication for access. However, issues remain, such as potential access via a computer PIN, inconsistent filtering of sensitive data, and the risk of data being captured from shared devices. Users can exempt specific sites and apps from being captured, but the process is cumbersome.

Winsage

April 30, 2025

A mysterious new Windows 11 folder appeared – and now there’s a new exploit

Windows 11 users encountered the "inetpub" folder after the April 2023 update (KB5055523), which is a crucial component for addressing the security vulnerability CVE-2025-21204. Microsoft stated that the folder should not be removed, as it helps manage Windows Update security vulnerabilities by preventing unauthorized control through symbolic links. However, cybersecurity expert Kevin Beaumont revealed that the same patch introduced a new vulnerability that could allow remote exploitation, prompting Microsoft to acknowledge this issue with a "Moderate" status and indicate that a fix is forthcoming. Users are advised to keep their systems updated and not delete the "inetpub" folder. If the folder is deleted, it can be restored by enabling Internet Information Services in the Control Panel.

Winsage

April 29, 2025

Microsoft’s AI Secretly Copying All Your Private Messages

Microsoft is relaunching its AI-driven feature, Recall, which continuously captures background screenshots on Copilot+ PCs optimized for AI functionalities. Initially introduced in May, Recall was retracted due to privacy concerns over unencrypted storage of screenshots containing sensitive user data. After testing through Microsoft's Insider program, Recall has been updated to encrypt the screenshot database and requires users to opt in to save screenshots. However, it still poses risks by potentially capturing sensitive information from communications without the knowledge of other parties involved. Security researcher Kevin Beaumont has noted that the sensitive information filter is unreliable, and the encrypted database is only secured by a basic four-digit PIN. Beaumont's testing revealed that Recall indexed everything it stored, including ephemeral messages and images. He cautioned users to check if Recall is enabled when discussing sensitive topics with others on Windows PCs.

Winsage

April 27, 2025

New Security Warning After 1 Billion Windows Users Told Do Not Delete

Microsoft's recent security update for Windows has raised concerns among users due to the introduction of a new vulnerability. The update, intended to address the CVE-2025-21204 vulnerability, inadvertently created a folder named inetpub, which Microsoft claims is essential for user protection. Security researcher Kevin Beaumont has warned that this update has introduced a denial of service vulnerability that allows non-admin users to halt future Windows security updates. Microsoft has classified the issue as moderate in severity and suggested that deleting the inetpub symlink and retrying the update may resolve the problem. The report has been forwarded to the Windows security team for potential further action.

Winsage

April 25, 2025

Windows “inetpub” security fix can be abused to block future updates

A recent Microsoft security update has created a new 'inetpub' folder in the root of the system drive, linked to a fix for a Windows Process Activation elevation of privilege vulnerability (CVE-2025-21204). This folder has appeared on systems without Internet Information Services (IIS) installed. Microsoft advises users not to delete the folder, as it enhances system protection. However, cybersecurity expert Kevin Beaumont has shown that the 'inetpub' folder can be manipulated by non-administrative users to create a junction that redirects to a Windows file, potentially obstructing future Windows updates and resulting in a 0x800F081F error code. Microsoft has classified this issue as "Medium" severity and has closed the case, indicating it may be addressed in future updates.