New Security Warning After 1 Billion Windows Users Told Do Not Delete

In a landscape already fraught with security challenges, Microsoft has inadvertently added to the concerns of its vast user base. With the prevalence of infostealer malware targeting Windows passwords and the alarming rise in reported vulnerabilities, the last thing the billion users of this operating system needed was news that a recent security update might have introduced new risks.

The Windows Security Update Disaster Just Got Even Worse

As a long-time advocate for timely security updates, I often emphasize the importance of keeping software current. Whether it’s the latest emergency patch for Google Chrome or the routine Patch Tuesday updates aimed at addressing zero-day vulnerabilities, my mantra remains consistent: update now. However, there are times when the early adopter finds themselves with a less-than-desirable outcome. Take, for instance, the recent update that disrupted Microsoft’s Windows Hello security feature, or the troubling April 8 update intended to mitigate the CVE-2025-21204 vulnerability, which inadvertently created a mysterious folder that fueled rampant speculation.

In response to the uproar, Microsoft issued a clarification, asserting that the folder—dubbed inetpub—was essential for protecting users from potential attacks exploiting the vulnerability. The company urged users not to delete it, despite the swirling rumors on social media. This folder has now become central to the latest warning from a reputable security researcher, Kevin Beaumont, who previously worked for Microsoft.

Beaumont has raised alarms about a new vulnerability introduced by this fix, stating, “I’ve discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates.”

The Microsoft Response To The Windows Folder Security Update Threat

In light of these developments, I reached out to Microsoft for an official comment. The response shared with Beaumont indicated that, after a thorough investigation, the issue was classified as moderate in severity. Microsoft noted that the update would only fail to apply if the ‘inetpub’ folder was a junction to a file, suggesting that deleting the inetpub symlink and retrying would allow the update to succeed.

Furthermore, Microsoft assured Beaumont that the report had been forwarded to the appropriate Windows security team for consideration of a potential fix. However, for the time being, the matter appears to be closed.
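The condition Microsoft describes above, a junction or symlink sitting where the inetpub folder should be, can be checked from PowerShell. This is an added example, not code from Microsoft or Beaumont; the function name `Test-InetpubFolder` and the assumption that the folder sits at the root of the system drive are specific to this example.

```powershell
# Added example: report whether the inetpub folder is a real directory or a link.
# Assumption: the folder sits at the root of the system drive (e.g. C:\inetpub).
function Test-InetpubFolder {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemDrive\inetpub"
    )

    $result = [ordered]@{
        Path = $Path; State = 'Missing'; LinkType = $null
        Target = $null; Owner = $null; NeedsReview = $true
    }

    # -Force returns hidden/system items; a missing path yields $null, not an error.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        if ($isLink) {
            # Junctions and symlinks both carry the ReparsePoint attribute.
            $result.State = 'ReparsePoint'
            $result.LinkType = $item.LinkType
            $result.Target = @($item.Target) -join '; '
        } elseif ($item.PSIsContainer) {
            $result.State = 'Directory'
            $result.NeedsReview = $false
        } else {
            $result.State = 'File'
        }
        # Owner lookup can fail when a link target is invalid, so report that instead.
        try { $result.Owner = (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner }
        catch { $result.Owner = "unreadable: $($_.Exception.Message)" }
    }
    [pscustomobject]$result
}

$check = Test-InetpubFolder
$check | Format-List
if ($check.NeedsReview) {
    Write-Warning "$($check.Path) is '$($check.State)', not a plain directory; review before the next update cycle."
}
```

A missing folder is flagged as well, since Microsoft's guidance is that the folder should not be deleted.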
