Microsoft: Windows 'inetpub' folder created by security fix, don’t delete
Sounds like the OS is put together with duct tape if deleting an empty folder can break things so easily
Or worse, (tinfoil hat on), they are planning on installing and abusing IIS on everyone's PC. Ad delivery?
I don't see how this can be a security risk, I really want more details.
CVE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204
Another possible explanation from Hanlon's razor: MS is going all-in on vibe coding
That's not better :(
It's nothing 'new'. I have encountered empty inetpub folders frequently, on systems with no business having it in the first place... for years now.
I wonder if they were infected with something that was exploiting that CVE?
Edit: Here is another tinfoil theory: the Windows security subsystems special cases inetpub to allow all executables. If the path doesn't exist, attackers can drop binaries in there to bypass security/codesigning etc. By creating it as SYSTEM, MS is ensuring that it can't be written to without SYSTEM privs?
> Edit: Here is another tinfoil theory: the Windows security subsystems special cases inetpub to allow all executables. If the path doesn’t exist, attackers can drop binaries in there to bypass security/codesigning etc. By creating it as SYSTEM, MS is ensuring that it can’t be written to without SYSTEM privs?
Ya, I'd bet on something similar. According to the CVE, the vulnerability is around "Improper link resolution before file access". My bet is that there is something hardcoded somewhere which assumes the existence of this folder. If it doesn't exist, this can let the attacker get something in place which then gets executed with SYSTEM permissions, leading to privilege escalation. Not the worst thing in the world, for most users. But, it would be a problem in an enterprise environment where part of the security model is users not having local admin.
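A check a defender can run for the concern raised above (the CVE's "improper link resolution before file access"), added here as an example and not taken from the thread or from Microsoft. The function name `Test-InetpubFolder` is hypothetical, and the location `%SystemDrive%\inetpub` is assumed from the `C:\inetpub` path discussed in this thread; the script only reads metadata and changes nothing.

```powershell
# Added example: report whether the inetpub folder exists, whether it is a
# real directory or a link (junction/symlink), and who owns it.
function Test-InetpubFolder {
    param(
        # Assumption: the folder lives at the root of the system drive.
        [string]$Path = "$env:SystemDrive\inetpub"
    )

    $result = [ordered]@{
        Path           = $Path
        Exists         = $false
        IsDirectory    = $false
        IsReparsePoint = $false
        LinkType       = $null
        LinkTarget     = $null
        Owner          = $null
        Finding        = $null
    }

    # -Force so hidden/system items are returned as well.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        $result.Finding = 'MISSING: folder is absent'
        return [pscustomobject]$result
    }

    $result.Exists         = $true
    $result.IsDirectory    = $item.PSIsContainer
    # A junction or symbolic link carries the ReparsePoint attribute.
    $result.IsReparsePoint = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    $result.LinkType       = $item.LinkType
    $result.LinkTarget     = ($item.Target -join ';')
    $result.Owner          = (Get-Acl -LiteralPath $Path).Owner

    if ($result.IsReparsePoint) {
        $result.Finding = 'SUSPICIOUS: path is a link, not a real directory'
    } elseif (-not $result.IsDirectory) {
        $result.Finding = 'SUSPICIOUS: path is a file, not a directory'
    } else {
        $result.Finding = 'OK: real directory; review Owner'
    }
    [pscustomobject]$result
}

Test-InetpubFolder | Format-List
```

The `Owner` value is reported rather than judged, because the thread only speculates about which account creates the folder.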
Deleting random stuff from your system that the OS put there, because "it's empty so surely it is fine", is generally not a recipe for success.
Neither is putting random system files/folders in the C: drive outside of where they need to be, like in the Windows folder
Yeah... This reeks of stupidity, though. It's a folder used by IIS but you need it even if IIS isn't installed.
Yeah. It's not even a matter of "do you need it." I don't need both /var/tmp and /tmp. I only need one. But, if I respond to that by deciding to delete one or the other, some stuff will fuck up. That's how computers work.
I feel like this is parody and I'm not getting the joke.
?
I'm just being serious. If your software has some files and directories, and you start fucking with them, it might react badly. It doesn't really matter if you feel like the existence or layout of them is unjustified in some way. Just let them be, or else switch to some other software, or else take responsibility for making sure stuff won't break from you fucking with them. Those are the options. "Delete it on purpose and then whine about how it shouldn't have been set up that way in the first place, if stuff breaks" isn't one of the options.
Also, it's kind of a side note, but it's also weird to me that this is the hill to die on that Windows is up to something. Yes. It's been openly spying on you, degrading its own functionality for amusement, and hijacking your computer to do messed up stuff for a long time. Making an empty directory in the root of C: isn't something you need to get any level of panicked about in addition. There's other stuff you can worry about.
> I’m just being serious. If your software has some files and directories, and you start fucking with them, it might react badly. It doesn’t really matter if you feel like the existence or layout of them is unjustified in some way. Just let them be, or else switch to some other software, or else take responsibility for making sure stuff won’t break from you fucking with them. Those are the options. “Delete it on purpose and then whine about how it shouldn’t have been set up that way in the first place, if stuff breaks” isn’t one of the options.
"Never delete anything on your computer because it might be needed"?
This isn't "some random directory" as you've claimed before. It's a specific directory used by IIS. It's akin to /var/www for Apache. If you uninstalled Apache you would, and should, delete /var/www to clean up afterwards.
If you uninstall IIS you should be able to delete C:\inetpub to clean up.
That it causes a security problem you didn't know about is not your fault. It's Microsoft's fault. That is a stupid bug to have and they need to fix it properly.
> “Never delete anything on your computer because it might be needed”?
No. That's a whole new sentence.
I gave two other options, besides that one option.
Also, even within the one option, if at some point I upgraded my Linux system and I got an empty /var/www directory, it would never in a million years occur to me to say "Well that's stupid I don't want that directory" and remove it.
I might think it's stupid that it's there when I don't have apache. But, deleting it because it's stupid that it's there... you know what? I feel like I already addressed this with the /tmp and /var/tmp example. I can feel that it's stupid that there's two of those instead of one. I might be right. You're not wrong about it being silly that MS has done this. But reacting to that feeling by deleting things until my system matches how I think they should have set things up is a recipe for broken stuff.
I've reiterated this point three times now, which is enough. You seem committed to not absorbing it. Good luck with your computers in the future. I hope your system administration philosophy serves you well.
> Also, even within the one option, if at some point I upgraded my Linux system and I got an empty /var/www directory, it would never in a million years occur to me to say “Well that’s stupid I don’t want that directory” and remove it.
Because frankly you don't know enough to know any better. Sorry if that sounds condescending, but it's the truth. You should be able to delete /var/www without it causing any security problems. That you don't know that isn't your fault, it's experience.
> Because frankly you don’t know enough to know any better.
I had more typed, but what's the point. I feel like I've said everything I really wanted to say on it. Like I said, enjoy your point of view and I hope it goes well for you.
Nothing else you said mattered. 🤷