A recent Microsoft security update, intended to patch a critical privilege escalation vulnerability, has inadvertently introduced a new and significant flaw.\u00a0<\/p>\n
The fix now enables non-administrative users to effectively block all future Windows security updates, creating a denial-of-service<\/a> condition.\u00a0<\/p>\n This unintended consequence of the patch highlights the complexities of software security and the persistent challenge of preventing unforeseen vulnerabilities.<\/p>\n In April 2025, Microsoft released security updates to address CVE-2025-21204<\/a>, a vulnerability rated as \u201cImportant\u201d with a CVSS 3.1 score of 7.8.\u00a0<\/p>\n The flaw involved improper link resolution before file access (\u2018link following\u2019) in the Windows Update Stack that allowed an authorized attacker to escalate privileges locally.<\/p>\n To mitigate this vulnerability, Microsoft implemented a fix that automatically creates a folder named \u201cinetpub<\/a>\u201d on the system drive of all Windows systems, regardless of whether Internet Information Services (IIS)<\/a> is installed.\u00a0<\/p>\n Microsoft explicitly warned users not to delete this folder, as it\u2019s an integral part of the security enhancement.<\/p>\n Security researcher Kevin Beaumont has discovered that this fix introduces a denial of service vulnerability that allows non-administrator users to block Windows security updates permanently.\u00a0<\/p>\n Beaumont found that through a simple command line operation, users can create a junction point (a type of file system redirection in Windows) that breaks the update mechanism.<\/p>\n \u201cNon-admin (and admin) users can create junction points in c:\u201d Beaumont explained in his research.\u00a0 The exploitation method requires nothing more than standard user privileges and basic command line access.<\/p>\n The vulnerability can be exploited through a simple command that creates a symbolic link between the protected inetpub folder and a system file:<\/p>\n This command creates a junction that redirects c:inetpub to Windows Notepad. Once this junction is established, Windows Update encounters errors when trying to interact with the folder, causing updates to fail or roll back.<\/p>\n \u201cAfter that point, the April 2025 Windows OS<\/a> update (and future updates, unless Microsoft fix it) fail to ever install \u2014 they error out and\/or roll back. So you just go without security updates,\u201d Beaumont noted.<\/p>\n The most concerning aspect of this vulnerability is that it doesn\u2019t require administrative privileges to exploit.\u00a0<\/p>\n Standard users can create these junction points on many default-configured systems, potentially preventing critical security updates from being installed system-wide.<\/p>\n This isn\u2019t merely a temporary denial of service \u2013 it\u2019s a persistent issue that continues until someone manually resolves the junction or reinstalls the system.\u00a0<\/p>\n Security experts warn that this could be easily scripted and deployed by malware or malicious actors seeking to keep systems vulnerable to other exploits.<\/p>\n Beaumont reported<\/a> his findings to Microsoft\u2019s Security Response Center approximately two weeks ago but has yet to receive a response.\u00a0<\/p>\n Until Microsoft addresses this issue, system administrators are advised to monitor the system drive for unusual junction points.<\/p>\n Are you from the SOC and DFIR Teams? \u2013 Analyse Malware Incidents & get live Access with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/p>\n The post Microsoft\u2019s Symlink Patch Created New Windows DoS Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nSymlink vulnerability and Microsoft\u2019s Fix<\/strong><\/h2>\n
The New DoS Vulnerability<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXdASDA8vfQq1S1K4swO3gfwcT3HqEexWoS2Vtzk0w3EKbkALCaTwEJSX7rwCXyFuQVcH4qC8bJBTSm_RkFWclhYfDw0ROD24ZFz81ncC2nKbqxRaq42nAiJHR1AodHVvwNY5TT_EQ?key=7EkEuLkxeJOxnctNqrMzjm_M\")