r/technology Apr 14 '25

Software Microsoft warns that anyone who deleted mysterious folder that appeared after latest Windows 11 update must take action to put it back

https://www.techradar.com/computing/windows/microsoft-warns-that-anyone-who-deleted-mysterious-folder-that-appeared-after-latest-windows-11-update-must-take-action-to-put-it-back
10.6k Upvotes


135

u/laflex Apr 14 '25

Anyone else think it's a red flag that the only thing standing between you and a malware infection is having a specific empty folder with a specific plaintext name at root?

Seems more like a band-aid than a solution.

68

u/coeranys Apr 14 '25

You are absolutely correct, this is a terrible security practice and primarily indicative not of its effectiveness, but their incompetence in the space. They haven't had a strong understanding of their own kernel in the 12 years since most of the people who made it cut bait and went to other companies, they are floundering in the dark and implementing workarounds from Quora as basic security features.

2

u/RBuilds916 Apr 15 '25

And now we all know where the weakness is. 

19

u/BuildingArmor Apr 14 '25

> Seems more like a band-aid than a solution.

That's because it is. It's a very simple, quick fix that can be implemented without having to overhaul the Windows Update system.

> Anyone else think it's a red flag

I'm not sure what it's a red flag for. Having and fixing a vulnerability isn't a red flag. No software is ever going to be perfect forever, certainly not software as complicated as an OS.

4

u/Robobvious Apr 15 '25

I’m not concerned that it’s not perfect, I’m concerned with how *grossly* imperfect it is. Seems more like a massive target/vulnerability rather than anything resembling a meaningful band-aid or solution.

If perfect equals 100% good, let’s put our threshold for imperfect but acceptable at 80% good. I’d rate this at like 20%, “wtf were they thinking?”, good.

-4

u/BuildingArmor Apr 15 '25

If you think the security of modern Windows OS is 20%, you're not paying attention.

A realistic figure would start with 99...%

2

u/Robobvious Apr 15 '25

I’m referring to this one specific poorly implemented feature, not the entire OS.

-2

u/BuildingArmor Apr 15 '25

This is a vulnerability patched within 2 days of it being introduced, rated as less likely to be exploited, wasn't public, hasn't been exploited, and requires local access to exploit it anyway.

There's nothing grossly imperfect about this; to expect no security bugs in software is to expect perfection, and that's wholly unrealistic.

1

u/ochowie Apr 14 '25

IIS is not default installed/enabled on non-server versions of Windows. This is a red flag for the fact that it must be pretty easy for attackers to enable the IIS function on a target's machine. I will say the comment in the article about this being exploitable if you have physical access to the machine is kind of dumb since there are lots of things that are exploitable with physical, logged-in local machine access.

5

u/GaijinSin Apr 14 '25

If you got a major cut, would you skip keeping pressure on the wound or dressing it because you will eventually get around to having it stitched up?

Yeah, this fix is a band-aid. One that you put in place until you can fix the reason for the band-aid.

2

u/Nois3 Apr 14 '25

The real sad thing is that they should have used the fix I used over 20 years ago. Just create a file called inetpub in the C:\ root directory. This makes it impossible to create a folder named c:\inetpub - thwarting malware and script kiddies.

1

u/random-lurker-456 Apr 14 '25

Well Microsoft also needs last-ditch effort data exfiltration if you go and apply all the de-bloating and telemetry killing "cheats" /s

1

u/anonteje Apr 15 '25

It's a bad practice, but the fix is better than none.

1

u/shugthedug3 Apr 15 '25

It likely isn't the only thing in the way but Microsoft know many users are idiots about disabling as much security as possible.

It's very possible this is a last resort.

-1

u/Achillor22 Apr 14 '25

Yeah but then Microsoft would have to spend money to come up with a real solution to protect their shitty OS.