Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114319298184663571">Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 21:29:32 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><ul><li><li><a href="https://gnusocial.jp/user/340058" title="busta@infosec.exchange">Busta</a></li></ul></div></section><article><p><a href="https://cyberplace.social/@GossiTheDog" rel="nofollow">@GossiTheDog</a> <a href="https://infosec.exchange/@Busta">@Busta</a> <br>Hilarious.<br>The two things that MSRC seems to aim to to achieve are:</p><ol><li>Avoid saying anything about what their security updates do unless their hand is forced.</li><li>Take the path of "least resistance" as opposed to fixing the root cause of problems. (In this case, non-admins can create subdirectories directly off of C:\)</li></ol><p><a href="https://infosec.exchange/@wdormann/114319281111054638">https://infosec.exchange/@wdormann/114319281111054638</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4873716#notice-9554409">In conversation</a><time datetime="2025-04-11T21:29:32+09:00" title="Friday, 11-Apr-2025 21:29:32 JST">about a month ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114319298184663571" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114319298184663571">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: media.infosec.exchange</div><h5><a href="https://infosec.exchange/@wdormann/114319281111054638">Will Dormann (@wdormann@infosec.exchange)</a></h5><div> from <span>Will Dormann</span></div></header><div>Attached: 2 imagesSo, apparently this is the "fix" for [CVE-2025-21204](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204).  Microsoft recently updated their advisory to say what the update does.Prior to everybody freaking out, the advisory for CVE-2025-21204 said nothing about what it does.Two gripes:
1. MSRC publishing content-free advisories has consequences, but they never seem to appreciate this.
2. I told MSRC **YEARS AGO** that they can avoid an entire class of LPE vulnerabilities in 3rd-party software **and** their own software by not allowing non-admin users to be able to create directories off of `C:\`.  They refused to make any change because it might "break things".Great job, folks.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 21:29:32 JSTWill Dormann
- Kevin Beaumont
- Busta
@GossiTheDog @Busta
Hilarious.
The two things that MSRC seems to aim to to achieve are:
1. Avoid saying anything about what their security updates do unless their hand is forced.
2. Take the path of "least resistance" as opposed to fixing the root cause of problems. (In this case, non-admins can create subdirectories directly off of C:\)
https://infosec.exchange/@wdormann/114319281111054638
In conversationabout a month ago from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: media.infosec.exchange
  Will Dormann (@wdormann@infosec.exchange)
  from Will Dormann
  Attached: 2 images So, apparently this is the "fix" for [CVE-2025-21204](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204). Microsoft recently updated their advisory to say what the update does. Prior to everybody freaking out, the advisory for CVE-2025-21204 said nothing about what it does. Two gripes: 1. MSRC publishing content-free advisories has consequences, but they never seem to appreciate this. 2. I told MSRC **YEARS AGO** that they can avoid an entire class of LPE vulnerabilities in 3rd-party software **and** their own software by not allowing non-admin users to be able to create directories off of `C:\`. They refused to make any change because it might "break things". Great job, folks.

Public

Embed Notice

HTML Code

Corresponding Notice