Microsoft security patch opens up new security vulnerability

In a recent turn of events, Microsoft’s latest update aimed at addressing a security vulnerability has inadvertently given rise to a new concern. The update, designed to mitigate a flaw that allowed attackers to escalate their privileges within Windows operating systems, has resulted in the creation of an “inetpub” folder on the system drive. This unexpected development has caught the attention of prominent IT security researcher Kevin Beaumont, who has detailed the implications of this change in a recent blog post.

The patch, released on April Patchday, targets a specific issue identified by the CVE entry CVE-2025-2104, which relates to the improper resolution of links, commonly referred to as “link following.” Unfortunately, this fix has opened a door for potential misuse, as Beaumont highlights the risks associated with the new folder.

Shortcut paralyzes Windows Update

Windows has long recognized the concept of “junctions” or shortcuts, a feature dating back to Windows 2000. These junctions allow one directory to serve as an alias for another, enabling users to redirect access seamlessly. For instance, a directory like “D:\Win” can point to “C:\Winnt\System32,” allowing access to files in a different location. Beaumont notes that even non-administrative users can create such junctions within the system drive C:.

By executing the command mklink /j c:\inetpub c:\windows\system32\notepad.exe, a user can create a junction at the location of the newly created “inetpub” folder that points elsewhere. Beaumont warns that this action could lead to failures in installing Windows updates, not only for the April patch but potentially for future updates as well. Such failures may result in a rollback, leaving users without essential security updates. Beaumont reached out to Microsoft regarding this issue two weeks ago but has yet to receive a response.

Last week, the emergence of the “C:\inetpub” folder was noted on various Windows systems, particularly those that did not previously have Microsoft’s Internet Information Services (IIS) activated. In response, Microsoft stated, “This folder should not be deleted, regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and requires no action by IT administrators or end users.”
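Administrators who want to verify that the folder on their systems is the genuine directory the update created, rather than a junction as in the scenario Beaumont describes, can check its reparse-point attribute and target. The following PowerShell script is an added example written for this article; it is not code from heise, Beaumont or Microsoft. It assumes only the C:\inetpub path named above, and it removes nothing on its own: where it finds a junction it prints the rmdir command that deletes the junction entry without touching the target, so a legitimate folder is never removed.

```powershell
# Added example (not from the article): report whether C:\inetpub is a
# regular directory or a junction/reparse point, and where it points.
param(
    [string]$Path = 'C:\inetpub'   # folder created by the April 2025 update
)

$item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Output "$Path does not exist on this system."
    return
}

$owner = (Get-Acl -LiteralPath $Path).Owner

# A junction carries the ReparsePoint attribute; a normal folder does not.
$isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
if (-not $isReparse) {
    Write-Output "$Path is a regular directory (owner: $owner). Nothing to do."
    return
}

# Windows PowerShell 5.1 exposes Target as string[]; PowerShell 7 as string.
$target = $item.Target
if ($target -is [array]) { $target = $target -join ', ' }
Write-Warning "$Path is a $($item.LinkType) (owner: $owner) pointing to: $target"

# A junction whose target is a file is exactly the condition the article
# describes; Windows Update servicing may fail and roll back on such a system.
if (Test-Path -LiteralPath $target -PathType Leaf) {
    Write-Warning "Target is a file, not a directory."
}

# rmdir on a junction deletes only the link entry, never the target, which
# keeps within Microsoft's guidance not to delete the real inetpub folder.
Write-Output "To remove only the junction, run:  cmd /c rmdir `"$Path`""
```

The owner is printed because a junction planted by a standard user is owned by that account, while the directory the update creates is not; that difference is a useful triage signal when reviewing many machines.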


URL of this article:
https://www.heise.de/-10360485


Copyright © 2025 Heise Medien
