Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114319281111054638">Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 17-Apr-2025 22:53:56 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114308857330723919" rel="in-reply-to">in reply to</a></div></section><article><p>So, apparently this is the "fix" for <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204" rel="nofollow">CVE-2025-21204</a>.  Microsoft recently updated their advisory to say what the update does.</p><p>Prior to everybody freaking out, the advisory for CVE-2025-21204 said nothing about what it does.</p><p>Two gripes:</p><ol><li>MSRC publishing content-free advisories has consequences, but they never seem to appreciate this.</li><li>I told MSRC YEARS AGO that they can avoid an entire class of LPE vulnerabilities in 3rd-party software and their own software by not allowing non-admin users to be able to create directories off of C:\.  They refused to make any change because it might "break things".</li></ol><p>Great job, folks.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4869453#notice-9617288">In conversation</a><time datetime="2025-04-17T22:53:56+09:00" title="Thursday, 17-Apr-2025 22:53:56 JST">about 7 days ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114319281111054638" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114319281111054638">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4481131">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204
Before screenshot. No description of what changes.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/275/744/743/060/original/dfdb200d561b058f.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/275/744/743/060/original/dfdb200d561b058f.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4481132">Screenshot of current https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204 
FAQ item added:Does installing the Windows security updates that address this CVE cause visible change on devices?After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/276/345/443/373/original/42bf117e3da87c7a.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/276/345/443/373/original/42bf117e3da87c7a.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Thursday, 17-Apr-2025 22:53:56 JST Will Dormann
in reply to
So, apparently this is the "fix" for CVE-2025-21204. Microsoft recently updated their advisory to say what the update does.
Prior to everybody freaking out, the advisory for CVE-2025-21204 said nothing about what it does.
Two gripes:
1. MSRC publishing content-free advisories has consequences, but they never seem to appreciate this.
2. I told MSRC YEARS AGO that they can avoid an entire class of LPE vulnerabilities in 3rd-party software and their own software by not allowing non-admin users to be able to create directories off of C:\. They refused to make any change because it might "break things".
Great job, folks.
In conversationabout 7 days ago from infosec.exchangepermalink
Attachments
1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204 Before screenshot. No description of what changes.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/275/744/743/060/original/dfdb200d561b058f.png
2. Screenshot of current https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204 FAQ item added: Does installing the Windows security updates that address this CVE cause visible change on devices? After installing the updates listed in the Security Updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/319/276/345/443/373/original/42bf117e3da87c7a.png

Public

Embed Notice

HTML Code

Corresponding Notice