Full Report
A recent Windows security update that creates an 'inetpub' folder has introduced a new weakness allowing attackers to prevent the installation of future updates. [...]
Analysis Summary
# Vulnerability: Windows Update Blocking via `inetpub` Junction Manipulation
## CVE Details
- CVE ID: Not explicitly provided in the article for this specific behavior.
- CVSS Score: Not explicitly provided. (Microsoft classified it as "Moderate severity" internally.)
- CWE: Missing (Likely related to Improper Restriction of Symbolic Links or Path Traversal if leveraged incorrectly by the servicing stack).
## Affected Systems
- Products: Windows Operating System (specifically the Windows Servicing Stack responsible for installing updates).
- Versions: Implied to affect systems vulnerable to the "April security update" installation failure, likely across multiple Windows versions where `inetpub` handling is inconsistent.
- Configurations: Any Windows system where a non-administrator user can successfully create a junction (symlink) pointing `C:\inetpub` to a file (e.g., `C:\windows\system32\notepad.exe`) before attempting to install an applicable Windows security update.
## Vulnerability Description
A security flaw exists wherein an attacker or malicious software, even without administrative privileges, can create a Junction Point (a type of symbolic link) via the `mklink /j` command, redirecting the standard `C:\inetpub` directory to point to a specific file (e.g., `C:\windows\system32\notepad.exe`).
The Windows servicing stack, when attempting to apply a security update (such as the April update mentioned), appears to expect `C:\inetpub` to be a directory. When it encounters a junction pointing to a file instead, the update process fails, typically resulting in the `0x800F081F` error (CBS\_E\_SOURCE\_MISSING), thereby preventing future updates from being installed correctly until the junction is removed.
## Exploitation
- Status: Successful local proof-of-concept demonstrated by researcher, but not noted as "Exploited in the wild."
- Complexity: Low (Requires only local access and the ability to run `mklink /j`, which standard users can often do depending on system configuration policies).
- Attack Vector: Local
## Impact
- Confidentiality: Negligible (Impact is on update mechanism integrity, not direct data access).
- Integrity: Medium (The ability to intentionally block the integrity/health functions of the operating system by preventing security updates).
- Availability: Medium (Prevents the system from receiving necessary security fixes and feature updates, leading to system degradation over time).
## Remediation
### Patches
- No specific CVE patch information is provided. Microsoft has acknowledged the issue and classified it as "Moderate severity," stating they will "consider fixing it in the future."
### Workarounds
1. **Delete the Junction:** The primary immediate workaround is to delete the malicious junction point created at `C:\inetpub`.
del c:\inetpub
*(Note: Ensure this resolves the issue before retrying the update)*
2. **Retry Update:** After deleting the junction, the necessary Windows update can be retried.
## Detection
- Indicators of Compromise:
- Presence of a file system object at `C:\inetpub` that reports as a junction/symlink.
- Failure to install Windows Updates reporting error code `0x800F081F`.
- Detection Methods and Tools:
- Inspecting the file system metadata of `C:\inetpub` to confirm it is a standard directory (`dir C:\inetpub`).
- Using WMI or PowerShell commands to check the object type of `C:\inetpub` to determine if it is a symbolic link or junction pointing to a non-directory path.
## References
- Vendor Advisories: Microsoft acknowledged the report internally.
- Relevant Links:
- bleepingcomputer.com/news/microsoft/windows-inetpub-security-fix-can-be-abused-to-block-future-updates/