Kevin Beaumont

AppWizard
May 22, 2025
Microsoft's Recall feature indexes a wide range of personal data, including Zoom meetings, emails, photos, medical conditions, and conversations on Signal, affecting both users and their contacts without consent. Researcher Kevin Beaumont found that the feature captures sensitive information like payment card details and that its database can be decrypted using a fingerprint scan or PIN. Developers, such as those at Signal, lack tools to prevent their content from being indexed by Recall, leading Signal to utilize a Digital Rights Management API to protect privacy. This workaround may help, but it depends on all chat participants using the Windows Desktop version with default settings. Microsoft has not addressed concerns regarding developer control over Recall.
Winsage
May 14, 2025
Microsoft has released a mandatory update for Windows 11, identified as “KB5058411,” which includes essential security fixes and introduces a new feature called Recall. Recall uses artificial intelligence to capture snapshots of the user's screen at regular intervals, creating a photographic memory of digital interactions. Users will be prompted to enable Recall during the installation of the May 2025 Windows 11 24H2 update, and opting in for the first time simplifies future re-enabling. However, enabling Recall raises privacy concerns, as it records activities and communications from secure messaging platforms like WhatsApp and Signal, potentially exposing sensitive information. A user reported that someone was able to access his entire PC history, including deleted messages, highlighting the vulnerabilities associated with the feature. Users are advised to carefully consider the implications of opting into Recall.
Winsage
May 2, 2025
Windows Recall, an AI-driven feature by Microsoft, was initially launched in July but withdrawn due to security and privacy concerns. It has since returned with modifications aimed at improving user experience, although concerns about its functionality persist. Recall captures and analyzes screenshots of user activities to aid in retrieving past documents or messages. Users must have a Copilot+ PC to access Recall, which is not activated by default. Security enhancements include encrypted data storage and mandatory Windows Hello authentication for access. However, issues remain, such as potential access via a computer PIN, inconsistent filtering of sensitive data, and the risk of data being captured from shared devices. Users can exempt specific sites and apps from being captured, but the process is cumbersome.
Winsage
April 30, 2025
Windows 11 users encountered the "inetpub" folder after the April 2023 update (KB5055523); the folder is a crucial component of the fix for the security vulnerability CVE-2025-21204. Microsoft stated that the folder should not be removed, as it helps manage Windows Update security vulnerabilities by preventing unauthorized control through symbolic links. However, cybersecurity expert Kevin Beaumont revealed that the same patch introduced a new vulnerability that could allow remote exploitation, prompting Microsoft to acknowledge this issue with a "Moderate" status and indicate that a fix is forthcoming. Users are advised to keep their systems updated and not delete the "inetpub" folder. If the folder is deleted, it can be restored by enabling Internet Information Services in the Control Panel.
Winsage
April 29, 2025
Microsoft is relaunching its AI-driven feature, Recall, which continuously captures background screenshots on Copilot+ PCs optimized for AI functionalities. Initially introduced in May, Recall was retracted due to privacy concerns over unencrypted storage of screenshots containing sensitive user data. After testing through Microsoft's Insider program, Recall has been updated to encrypt the screenshot database and requires users to opt in to save screenshots. However, it still poses risks by potentially capturing sensitive information from communications without the knowledge of other parties involved. Security researcher Kevin Beaumont has noted that the sensitive information filter is unreliable, and the encrypted database is only secured by a basic four-digit PIN. Beaumont's testing revealed that Recall indexed everything it stored, including ephemeral messages and images. He cautioned users to check if Recall is enabled when discussing sensitive topics with others on Windows PCs.
Winsage
April 27, 2025
Microsoft's recent security update for Windows has raised concerns among users due to the introduction of a new vulnerability. The update, intended to address the CVE-2025-21204 vulnerability, inadvertently created a folder named inetpub, which Microsoft claims is essential for user protection. Security researcher Kevin Beaumont has warned that this update has introduced a denial of service vulnerability that allows non-admin users to halt future Windows security updates. Microsoft has classified the issue as moderate in severity and suggested that deleting the inetpub symlink and retrying the update may resolve the problem. The report has been forwarded to the Windows security team for potential further action.
Winsage
April 25, 2025
A recent Microsoft security update has created a new 'inetpub' folder in the root of the system drive, linked to a fix for a Windows Process Activation elevation of privilege vulnerability (CVE-2025-21204). This folder has appeared on systems without Internet Information Services (IIS) installed. Microsoft advises users not to delete the folder, as it enhances system protection. However, cybersecurity expert Kevin Beaumont has shown that the 'inetpub' folder can be manipulated by non-administrative users to create a junction that redirects to a Windows file, potentially obstructing future Windows updates and resulting in a 0x800F081F error code. Microsoft has classified this issue as "Medium" severity and has closed the case, indicating it may be addressed in future updates.
Winsage
April 25, 2025
In early April 2025, Microsoft addressed a security vulnerability (CVE-2025-21204) related to symbolic links in the Windows servicing stack, specifically affecting the c:\inetpub directory used by Internet Information Services (IIS). The updates created the c:\inetpub folder with appropriate permissions to mitigate risks. However, this fix introduced a new denial-of-service (DoS) vulnerability, allowing non-administrative users to create junction points on the c: drive, disrupting the Windows Update mechanism. A command such as "mklink /j c:\inetpub c:\windows\system32\notepad.exe" could be used to exploit this flaw, preventing systems from receiving future security patches. As of April 25, Microsoft had not released a patch or acknowledged the issue, leaving systems vulnerable and emphasizing the need for monitoring user permissions and manually removing suspicious symlinks.
Winsage
April 24, 2025
Microsoft's recent patch for CVE-2025-21204 inadvertently reintroduced the inetpub folder at c:\inetpub as part of its mitigation strategy, raising concerns among system administrators. Security researcher Kevin Beaumont discovered that this folder created a new vulnerability when he used the mklink command with the /j parameter to redirect the folder to a system executable (notepad.exe). This allowed standard users to prevent Windows updates without administrative rights, as the command could be executed on default-configured systems. Beaumont has notified Microsoft of this vulnerability, but the company has not yet responded.
Winsage
April 24, 2025
The inetpub folder, introduced in the April update of Windows 11 (version 24H2) as part of a fix for the CVE-2025-21204 vulnerability, has raised concerns among security researchers. It can be manipulated to block Windows updates without administrative rights by creating a symbolic link to notepad.exe, which can lead to a rollback of patches and leave the system vulnerable. Microsoft has not yet responded to this issue, and the possibility of a patch to address the new vulnerability is still open.