MS-DEFCON 3: Cleanup time

By Susan Bradley

 

After every Patch Tuesday, there is a period I call “cleanup time.”

 

By the end of the week, side effects start to pop up. Even though Microsoft does not usually document its patches well, we at least know which updates have been released and have had a chance to read through the release notes.

 

This time, side effects appear to be widespread. I have therefore set the MS-DEFCON level to 3. Patch as necessary but check your results carefully.

 

Microsoft noted that Windows 11 24H2 users have seen blue screens of death (BSOD), which has been mitigated with a known rollback fix. I have not experienced that problem.

 

I have been monitoring Windows patches and their side effect for about half of Microsoft’s existence. There have always been times when patch quality control was nonexistent, when documentation should have been better, and when I got better information from the attack community than I did from Microsoft. But this week I found the company’s lack of communication on something that made a visible change to the operating system of greater than usual concern.

A sloppy mitigation fix for Windows

Microsoft is once again in the position wherein it must code updates with a risk model that the vast majority of consumers will never experience. One vulnerability, CVE-2025-21204, is described in KB5055523 as follows:

 

[OS Security] After installing this update or a later Windows update, a new %systemdrive%\inetpub folder will be created on your device. This folder should not be deleted regardless of whether Internet Information Services (IIS) is enabled on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.

 

Also see CWE-59: Improper Link Resolution Before File Access (‘Link Following’) at Mitre’s Common Weakness Enumeration (CWE) site, which provides the following description:

 

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

 

Under “Common Consequences,” the CWE says:

 

An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpected files. If the files are used for a security mechanism then an attacker may be able to bypass the mechanism.

 

What does all that mean? Businesses are being attacked with toe holds gained via malicious URLs, or spoofed emails. Once in, and if the computer being accessed is not properly protected, the attacker can use a set of tricks to gain access to the Windows Update stack, which then allows elevation of privileges locally. That’s where the bypass described above comes into play — instead of the filename resolving to a local file, the vulnerability hides the fact that the filename actually points to a link or shortcut that should otherwise not be accessible.

 

 

I have written about this before in connection with the aforementioned %systemdrive%\inetpub folder, which started appearing on client PCs (as opposed to servers). Historically, this folder was not needed on client PCs unless they were being used for Web development purposes and so on most PCs was not there. That history led many pundits to suggest that the folder could be safely removed, which Microsoft’s guidance in KB5055523 clearly says is not the case.

 

What makes this worse is that the folder will not be automatically restored when the PC reboots, but it is needed for the workaround for this vulnerability. Just re-creating the folder yourself won’t do the trick because it will not have the required permissions to make the workaround work. If you did remove the folder, don’t re-create it — restore it from the recycle bin.

 

Microsoft’s handling of this was far from ideal. The patch was applied if you accepted March updates. But at the time the patch was applied and the folder created, there was no notification about the folder or the fact that it should not be deleted. Folks started noticing this right away which led to a lot of bogus information showing up on the Web. Microsoft did not provide documentation until several days later, when it was too late to undo the deletion for many users. Worse, the April updates do not check to make sure that workaround patch is applied and thus installation of the April patches is not blocked, as it might be for other serious missing patches.

 

This is the best you could do, Microsoft? Really? Quietly create a folder, don’t tell anyone about it until the real world starts seeing it and deleting it, and then fail to put mitigation in a subsequent patching regimen?

 

The only good news from this sloppy work is that it will probably manifest only for business users. Nonetheless, if you see that folder on your PC, even if you are a consumer, don’t delete it. It actually does have a purpose, and it actually is required.

Out-of-band fixes for Windows

For years, “out of band” has meant that a given update was fixing an active attack for a security issue on an emergency basis. Now the term has been applied to additional after-the-fact updates that must be installed if the original security update affected you.

 

In April, Microsoft released out-of-band updates for Windows and Office bugs, including fixing an issue where audit logon/logoff events in the local policy of Active Directory Group Policy were not displayed as enabled even though they were functioning correctly. This issue was addressed through out-of-band updates for various Windows versions, including:

 

 

This fix must be manually installed; it is not available through Windows updates, only from the Windows catalog.

 

I am assuming that most consumers don’t care about audit logon/logoff events — you know when you logged on. Therefore, this is a “skip it” update. Businesses will need to decide if they want the fix now or will just wait until May when it’s rolled up into that update.

Out-of-band fixes for Office

If you use one of the “boxed” versions of Office, such as 2016, that uses individual updates — and not the Microsoft 365 click-to-run version — you’ll want to handle the April updates carefully. After installing KB5002700, you’ll find that Microsoft Word, Microsoft Excel, and Microsoft Outlook stop responding. You then must install KB5002623 to fix this issue. But this update is neither on Windows update nor on the Microsoft catalog site, where it could be used along with business patching platforms. Instead, it’s on the Microsoft download center.

 

You have a couple of options:

 

Issues installing 24H2

As you are aware, I work in the accounting profession in real life, where things are busy between January and April. Although I install security updates during this time, the last thing I want to do is to install feature updates. Some of my fellow accountants did so during tax season and ended up scrambling to get new printer driver or hauling an old printer from the basement to get things working. Because the 24H2 release is a major release, it takes time. It’s disruptive. It can have side effects.

 

In addition, some readers are struggling trying to get 24H2 installed. They’ve manually installed the ISO, and it gets to a certain point, stops and rolls back. The cryptic log files merely point to a driver, providing little helpful information. Use the Windows 11 Installation Assistant or review SetupDiag looking for clues. I’m hoping to set aside time and dig through cryptic log files and see if we can get to the bottom of this.

 

Now that I’m winding down from tax season, I will start working on my project to migrate the office PCs from Windows 11 23H3 to 24H2. I’ll be taking notes and reporting to you.

Server broker still broken

I thought that the event viewer error in Windows 10 22H2 was fixed in the April updates. I received a notification that the System Guard Runtime Monitor service had been fixed:

 

The Windows Event Viewer might display an error related to SgrmBroker.exe, on devices which have installed Windows updates released January 14, 2025 or later. This error can be found under Windows Logs, System as Event 7023, with text similar to “The System Guard Runtime Monitor Broker service terminated with the following error.”

 

It turns out they were fixed, but only for Windows Server 2022. KB5055526, released on April 8, fixed the issue. Yet it was not fixed in Windows 10. I’ll let you know if a fix is released for Windows 10.

Server 2025 can’t serve

The new kid on the block is having some side effects. As noted by Microsoft in its Windows Health Release dashboard but not on its public site:

 

Domain controllers manage network traffic incorrectly after restarting.

 

I’d call that interesting at the least but more likely worrisome. Servers that handle Active Directory have the domain controller role. It’s extremely important for them to handle such traffic. The underlying issue is caused by the Windows firewall switching to a public profile rather than domain or work. This is not new: Many have seen it happening for a long time and have recommended setting network location services to a delayed start for awhile.

 

Microsoft recommends that you can restart the network adapter. This can be done manually in various ways, such as using the following command via PowerShell:

 

 

Many deal with this issue by setting Network Location Awareness Automatic to Delayed, as shown in Figure 1.

 

Figure 1. Startup type Delayed

Install updates immediately?

Time and time again, Microsoft showcases that we need to be methodical and patient when updates are concerned. Have a backup. Have another device just in case. Have a plan B. Ensure that you are aware that sometimes the risks of updates are just as great as the risks of attacks.

Resources

 

Source

---

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of March): 1,357

RIP Matrix | Farewell my friend