There are multiple write-ups of the original vuln; I’ve pasted the wrong one into the post, so apologies, I’ll go back and fix it. Somehow linked AI slop, it appears.
Microsoft have rated the ability for non-admin users to stop Windows patching as a moderate issue and closed the case.
EDR providers, including Microsoft, probably want to add signatures for junction points from \inetpub being created on the boot drive as it doesn’t look like this will be fixed any time soon.
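A host-side check for the condition the post above suggests alerting on, as an added example that is not part of the original thread or any vendor's detection: it reports whether \inetpub on the boot drive is a reparse point (junction or symlink) rather than an ordinary directory. The function name `Test-InetpubReparsePoint` and the output fields are hypothetical; it assumes Windows PowerShell 5.0 or later, where file system items expose `LinkType` and `Target`.

```powershell
# Added example: audit \inetpub on the boot drive for a junction/symlink.
function Test-InetpubReparsePoint {
    [CmdletBinding()]
    param(
        # Defaults to \inetpub on the system (boot) drive.
        [string]$Path = "$env:SystemDrive\inetpub"
    )

    # -Force returns the item itself even if hidden; Get-Item does not follow the link.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Path = $Path; State = 'Missing'
            LinkType = $null; Target = $null; Owner = $null; CreatedUtc = $null
        }
    }

    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)

    # Owner helps triage who created the entry; reading the ACL can fail
    # for a non-admin caller, so treat it as best effort.
    $owner = $null
    try { $owner = (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner } catch { }

    $state = 'Directory'
    if ($isReparse) { $state = 'ReparsePoint' }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Path       = $Path
        State      = $state                 # 'ReparsePoint' is the case to alert on
        LinkType   = $item.LinkType         # e.g. Junction or SymbolicLink
        Target     = ($item.Target -join ';')
        Owner      = $owner
        CreatedUtc = $item.CreationTimeUtc
    }
}

# Emit a warning that a scheduled task or RMM tool can collect.
$result = Test-InetpubReparsePoint
if ($result.State -eq 'ReparsePoint') {
    Write-Warning ("{0}: {1} is a {2} -> {3} (owner: {4})" -f `
        $result.Computer, $result.Path, $result.LinkType, $result.Target, $result.Owner)
}
$result
```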
@GossiTheDog By this logic is there any vulnerability that would be more than moderate?
All you ever need to do to fix sabotage is identify and revert all malicious changes (the details are left as an exercise for the reader); and your system is implemented on a computer built from reality, even if your RAM and block device budgets are large; so the Hamming distance between the compromised state and the correct state will be finite. What more could you need?
@GossiTheDog “please keep this case open until the fix is delivered” “please transfer this case to the team responsible, and don’t close it until the fix is delivered” etc.
Insisting that the ticket stays open will drive them nuts because eventually it’s a red light on someone’s dashboard, and it’ll get escalated after a while…
@GossiTheDog I was able to keep a ticket open with Oracle for 2 years until a confirmed bug got fixed. Something along the lines of “we are tracking this ticket to ensure the fix is delivered, please keep it open until fixed” usually works pretty well.