Will Dormann (wdormann@infosec.exchange)'s status on Friday, 11-Apr-2025 05:29:26 JST

@GossiTheDog
Ah, you'd think that you couldn't.
But indeed you can!
That is, a non-admin user can create a "directory" junction to a file target, which will have the result of April's security updates failing to install. 😂

It seems that this weird concept of a junction to a file achieves an unexpected double-standard:

1. It counts as a directory when it comes to NTFS ACLs (a non-admin user can create a junction in C:\)
2. Depending on how the junction is accessed, it might count as a file as opposed to being treated as a directory.

This seems like a problem. Obviously in the case of April's updates here. But perhaps even more generically in that a junction to a file target seems to almost guarantee unexpected behavior.