Microsoft security patch opens up new security vulnerability
A Microsoft update that closes a security gap creates the "inetpub" folder on the system drive. That folder in turn opens up a new security vulnerability.
(Image: Created with AI in Bing Creator by heise online / dmk)
Microsoft's developers are once again having bad luck with Windows updates. A patch that closes a privilege-escalation vulnerability in Windows, one that lets attackers extend their rights on the system, creates the folder "inetpub" on the system drive. A renowned IT security researcher has now discovered that this very folder opens up a new vulnerability.
IT security expert Kevin Beaumont has published his findings in a blog post. The Microsoft patch that closes the vulnerability with the CVE entry CVE-2025-21204 was released on April Patch Tuesday. The flaw the update fixes is an incorrect resolution of links ("link following"). Ironically, links of exactly that kind can now be turned against the update itself.
Junction blocks Windows Update
Windows has supported so-called "junctions" since Windows 2000: one directory serves as an alias for another. For example, the directory "D:\Win" can point to "C:\Winnt\System32", so that an access to "D:\Win\Drivers" actually ends up in "C:\Winnt\System32\Drivers". Beaumont points out that even non-admin users are allowed to create such junctions in the root of the system drive C:.
By running the command mklink /j c:\inetpub c:\windows\system32\notepad.exe, he creates a junction named "inetpub" that points at the file "notepad.exe" rather than at a directory. Once this junction is in place, the installation of the April Windows updates fails; according to Beaumont, the same will happen with future updates unless Microsoft fixes the problem first. The failed installation may trigger a rollback, so in the end those affected are left without security updates. Malicious actors could abuse this behavior to keep a system unpatched. Beaumont says he contacted Microsoft about this two weeks ago but has received no response.
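As an added example, not code from the heise article or from Kevin Beaumont's post, the following PowerShell script shows the check an administrator would want before rolling out the update: it determines whether C:\inetpub is a genuine directory or a junction of the kind described above, lists the ACEs on the drive root that allow standard users to create such a folder in the first place, and removes the path only if it really is a junction (a genuine inetpub folder must stay, see Microsoft's note below). It assumes Windows PowerShell 5.1 or later on a Windows 10/11 or Windows Server host; the function names and the default path are this example's own.

```powershell
# Added example, not code from the heise article or from Kevin Beaumont's post.
# Assumes Windows PowerShell 5.1+ on Windows 10/11 or Windows Server; the function
# names are this example's own. Run in an elevated session to inspect and remove.

function Test-InetpubJunction {
    # Describes whether $Path is a genuine directory or a reparse point
    # (junction/symlink). A junction here is what breaks the April 2025 update.
    param([string]$Path = 'C:\inetpub')

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; IsJunction = $false; Target = $null }
    }

    $item = Get-Item -LiteralPath $Path -Force
    # FILE_ATTRIBUTE_REPARSE_POINT is set for junctions and symbolic links alike;
    # LinkType (added by PowerShell to FileSystemInfo objects) tells them apart.
    $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        IsJunction = $isReparse -and ($item.LinkType -eq 'Junction')
        Target     = if ($isReparse) { @($item.Target) -join ', ' } else { $null }
    }
}

function Get-RootCreateDirectoryAces {
    # Lists allow-ACEs on the drive root that grant CreateDirectories (= AppendData),
    # i.e. the right that lets a standard user create C:\inetpub before the update does.
    param([string]$Root = 'C:\')
    $right = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    (Get-Acl -LiteralPath $Root).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $right) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

function Remove-PlantedInetpubJunction {
    # Removes $Path only if it is a junction. A real inetpub directory is left alone,
    # since Microsoft says it should not be deleted. 'rmdir' on a junction removes the
    # reparse point itself and never touches the target.
    param([string]$Path = 'C:\inetpub')
    $state = Test-InetpubJunction -Path $Path
    if (-not $state.IsJunction) {
        Write-Warning "$Path is not a junction (Exists=$($state.Exists)); leaving it untouched."
        return $false
    }
    Write-Host "Removing junction $Path -> $($state.Target)"
    cmd /c rmdir "$Path"
    return (-not (Test-Path -LiteralPath $Path))
}

# Lab reproduction of the scenario from the article, on a throwaway VM that has not
# yet installed the April update (the directory must not exist yet):
#   cmd /c mklink /j C:\inetpub C:\Windows\System32\notepad.exe
# Then inspect and clean up:
Test-InetpubJunction | Format-List
Get-RootCreateDirectoryAces | Format-Table -AutoSize
Remove-PlantedInetpubJunction
```

Running the first two functions across a fleet before Patch Tuesday flags machines where someone has already planted the junction, and the ACE listing shows the "BUILTIN\Users" entry that makes this possible on a default installation.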
The "C:\inetpub" folder drew attention last week because it appeared on Windows systems on which Microsoft's web server (Internet Information Services, IIS) had never been active. Microsoft wrote: "This folder should not be deleted, regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and requires no action by IT administrators or end users."
(dmk)