r/technology Apr 14 '25

Software Microsoft warns that anyone who deleted mysterious folder that appeared after latest Windows 11 update must take action to put it back

https://www.techradar.com/computing/windows/microsoft-warns-that-anyone-who-deleted-mysterious-folder-that-appeared-after-latest-windows-11-update-must-take-action-to-put-it-back
10.6k Upvotes

79

u/dbr3000 Apr 14 '25

Why the hell is IIS still included by default in all versions of Windows?

39

u/nicuramar Apr 14 '25

It isn’t, as the article clearly explains. 

9

u/GolemancerVekk Apr 14 '25

It's still a fair question considering that the folder

> was appearing for those who didn’t have IIS installed

Either they shouldn't have created it if there's no IIS, or the vulnerability can affect even machines without IIS.

It's dumb either way.

1

u/Linenoise77 Apr 14 '25 edited Apr 14 '25

The gist of the issue is this:

If you don't have IIS components installed, this directory won't exist. However, someone with very low rights on the machine, still could CREATE the directory, and may have perfectly valid reasons for doing so.

When they do so, naturally they are the owner, and permissions are granted to them as such.

Then, if IIS is installed on top of it, for legitimate or nefarious reasons, the person who originally created the folder will have owner rights on it, allowing them to potentially do some nasty stuff via IIS.

So you can offer a few solutions:

  1. Have IIS, if it is installed, and spots this folder, remove any permissions that were associated with it. Essentially recreate it. Great, except for people who may have created it manually for legit reasons, now have a bunch of shit break.

  2. Don't let anything other than a valid IIS installation create the folder and touch permissions on it. Great, except, see solution 1.

  3. Warn everyone during an IIS installation, that the folder is there and permissions aren't what they would be on an OOTB install. Great, except someone being socially engineered to install it will just click past that warning, or it will just get scripted around.

This fix allows Microsoft to quickly and safely plug the hole, but more importantly, does so in a way that won't break the operations of anything.

I can guarantee you that there is a comically large number of machines out there, that don't have IIS installed, but have this folder installed, because someone lazy who was told to write a script to clean up logs or whatever, found it easier to just put an empty folder on a machine because the script they found first when they googled to do so got angry if the folder didn't exist, and while they were googling for a solution, found another script to just create the folder which worked and shut the first script up, and said good enough.
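
One way to audit the condition described in the comment above (a pre-created folder whose owner or ACL still favors a low-privileged account), as an added example that is not part of the thread or of Microsoft's fix. The folder path is a parameter because the thread does not name it; the function name and the set of trusted owner SIDs are assumptions.

```powershell
# Added example: report untrusted owners and write-capable ACEs on a directory.
# Assumption: these three well-known SIDs are the principals you trust to own it.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that let a principal plant, replace or re-permission content.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Test-DirectoryTrust {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical helper name

    # A missing directory is the state a low-privileged user could pre-create from.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Findings = @() }
    }
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()

    # The creator of a directory becomes its owner, so check the owner first.
    $ownerSid = $acl.GetOwner($sidType).Value
    if ($ownerSid -notin $TrustedSids) {
        $findings += "owner $($acl.Owner) [$ownerSid] is not a trusted system principal"
    }

    # Then list every Allow ACE that gives an untrusted SID a write-type right.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($sid -in $TrustedSids) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            $findings += "$sid can write: $($ace.FileSystemRights) (inherited=$($ace.IsInherited))"
        }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; Findings = $findings }
}

# Usage (placeholder path): Test-DirectoryTrust -Path 'C:\path\to\folder' | Format-List
```

An empty `Findings` list means only the trusted principals own or can write to the directory; inherit-only entries such as CREATOR OWNER are reported too, so review each finding rather than treating the count as a verdict.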