Can confirm running this command as a non-admin user breaks April 2025 Windows OS patch installing on Windows 10 and 11, tested on home, pro and enterprise SKUs.
mklink /j c:\inetpub c:\windows\system32\notepad.exe
Conversation
Notices
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 18-Apr-2025 05:07:58 JST 
Kevin Beaumont
-
Embed this notice
Polychrome :blabcat: (polychrome@poly.cybre.city)'s status on Thursday, 10-Apr-2025 23:42:28 JST 
Polychrome :blabcat:
@GossiTheDog wish I knew of this before the CoPilot update. Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
GeneralX (generalx@freeradical.zone)'s status on Friday, 11-Apr-2025 00:06:54 JST 
GeneralX
@GossiTheDog IIS is still a thing?
-
Embed this notice
A More Honest Dystopia (h2onolan@infosec.exchange)'s status on Friday, 11-Apr-2025 00:31:12 JST 
A More Honest Dystopia
@GossiTheDog okay but i now have an inetpub directory on a bunch of windows systems that was not there April 7.
-
Embed this notice
dave (hologram@cyberplace.social)'s status on Friday, 11-Apr-2025 00:37:18 JST 
dave
@GossiTheDog Very good, but what appalls me is "We noticed you regularly use your device between 3:00 PM and 8:00 AM". Who is "We"? The Queen of England? Fuck those people. One of many reason why I will not use windows, and why I will not sell myself out to solve any windows-specific problems. Windows Is the problem, to the extent it is not stolen property.
Do I forgive Dave Cutler for selling out? No I do not. I think he was top notch, the sellout to Gates = Fail -
Embed this notice
Fritz Adalis (fritzadalis@infosec.exchange)'s status on Friday, 11-Apr-2025 01:06:28 JST 
Fritz Adalis
@GossiTheDog
Can you do anything other than prevent installation? Maybe a hard link to system32 could break the machine if it changes the perms. Maybe a toctou bug, watch the ntfs journal until the folder is there then replace with a hard link? -
Embed this notice
DistroWatch (distrowatch@mastodon.social)'s status on Friday, 11-Apr-2025 01:50:47 JST 
DistroWatch
@GossiTheDog Windows allows non-admin users to create any folder they want in C: \ ?
That seems like a pretty big security issue on its own. -
Embed this notice
m1rk0 (m1rk0@defcon42.net)'s status on Friday, 11-Apr-2025 02:02:10 JST 
m1rk0
@GossiTheDog @distrowatch You can't, if the system is properly configured. By default i think you are right, but default is in most cases horseshit regardless of system or software. -
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 03:35:47 JST 
Will Dormann
@GossiTheDog
Specifically, I've seen all April updates install even when C:\inetpub exists ahead of time.I should have known better than to attribute the correlation of C:\inetpub in a VM before updates to the causation of a failed update.
What happens with C:\inetpub is tough to see, as it either happens before the Procmon boot driver loads, or Procmon is otherwise foiled by the updates occurring. But either way, there's a bit of a blind spot between pre-reboot C:\inetpub not being there and it being there post-reboot. A Procmon boot log sees nothing. 😕
-
Embed this notice
Christian (chrst@lethallava.land)'s status on Friday, 11-Apr-2025 03:37:51 JST 
Christian
@GossiTheDog@cyberplace.social something something Junction Points something something…
-
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 04:30:15 JST
Will Dormann
@GossiTheDog
Ah, that'd do it!
But at the same time, creating files in the root directory requires admin privileges.
And if you're a trigger-happy admin, there are plenty of footguns that you can use. 🤷♂️ -
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 04:50:57 JST
Will Dormann
@GossiTheDog
You can?
Non-admin users don't have SeCreateSymbolicLinkPrivilege, so I don't believe you. 😀 -
Embed this notice
qdkp (qdkp@cyberplace.social)'s status on Friday, 11-Apr-2025 04:52:54 JST
qdkp
@wdormann @GossiTheDog Could you use a junction instead?
-
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 05:00:25 JST
Will Dormann
@GossiTheDog
Just to be clear, while mklink /h can itself be used by a non-admin user, that same non-admin user would not be able to create a hard link in C:\ as that would be the same as creating a file there. Which non-admin users can't do. -
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 05:29:26 JST
Will Dormann
@GossiTheDog
Ah, you'd think that you couldn't.
But indeed you can!
That is, a non-admin user can create a "directory" junction to a file target, which will have the result of April's security updates failing to install. 😂It seems that this weird concept of a junction to a file achieves an unexpected double-standard:
- It counts as a directory when it comes to NTFS ACLs (a non-admin user can create a junction in C:\)
- Depending on how the junction is accessed, it might count as a file as opposed to being treated as a directory.
This seems like a problem. Obviously in the case of April's updates here. But perhaps even more generically in that a junction to a file target seems to almost guarantee unexpected behavior.
-
Embed this notice
Busta (busta@infosec.exchange)'s status on Friday, 11-Apr-2025 21:09:29 JST 
Busta
@GossiTheDog @wdormann They updated the FAQ for CVE-2025-21204 saying that it's intended and shouldn't be deleted as it will increase the system protection, lol.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204
-
Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 21:29:32 JST
Will Dormann
@GossiTheDog @Busta
Hilarious.
The two things that MSRC seems to aim to to achieve are:- Avoid saying anything about what their security updates do unless their hand is forced.
- Take the path of "least resistance" as opposed to fixing the root cause of problems. (In this case, non-admins can create subdirectories directly off of C:\)
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 18-Apr-2025 05:09:30 JST
Kevin Beaumont
Bonus points, if you run it from cmd.exe, it’s not logged in EDR products or detectable as mklinks is built into cmd.exe, doesn’t spawn another process.
-
Embed this notice
Carsten (cblte@nrw.social)'s status on Friday, 18-Apr-2025 06:26:32 JST 
Carsten
@GossiTheDog I am curios if this works on company provisioned laptops....
-
Embed this notice
dave (hologram@cyberplace.social)'s status on Friday, 18-Apr-2025 06:37:33 JST
dave
@GossiTheDog I used to care. Now, it's way past fuck Bill Gates and all Microsoft bullshit. Let it crash and burn. 🍺
-
Embed this notice
TechNomad (technomad@cyberplace.social)'s status on Friday, 18-Apr-2025 06:42:50 JST 
TechNomad
@GossiTheDog I completely deleted the Windows operating system 3 years ago. yes, I am a .net developer but I use jetbrains IDE. I don't care about windows ecosystem anymore.
-
Embed this notice
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 18-Apr-2025 06:48:54 JST
Kevin Beaumont
I just realised my original thread on this auto deleted after a week, but it’s a vuln in Windows that MS introduced this month. I’ve reported it to MSRC. You can use it to stop Windows updates.
-
Embed this notice
Brian Clark (deepthoughts10@infosec.exchange)'s status on Friday, 18-Apr-2025 06:59:14 JST 
Brian Clark
@GossiTheDog I didn’t realize this part. It won’t show up in MDE logs?
-
Embed this notice
All GNU social JP content and data are available under the