Computer security researchers have been left scratching their heads after applying Microsoft’s latest raft of Patch Tuesday updates. As highlighted by Will Dormann on Mastodon, April’s updates to Windows 10 and 11 have left some unexpected detritus on the C:\ drive; An empty ‘inetpub’ folder has been left behind by the update process.
The errant inetpub folder concerned Dormann, who reacted with a “LOLWUT,” as this folder is associated with systems with Microsoft’s Internet Information Services (IIS) installed. IIS is a web server platform with a long history of security vulnerabilities.
IIS was built by Microsoft to host websites, web applications, and services on your PC. You can run and test projects locally before going global with your site or app. As a service often used on public-facing sites, and as it is associated with the world's most popular desktop OS, IIS has been continuously targeted by hackers.
It is understandable that seeing an empty inetpub folder appear on updated Windows installs - where these PCs never had IIS installed before - causes alarm bells to ring in security circles. One of the key questions about this folder appearing is whether Microsoft used it for some update purpose – a purpose not mentioned in the KB5055523 release notes. Or, perhaps the folder appeared due to a bug.
Digging around Microsoft's help pages, it appears that this isn't the first time inetpub has appeared on Windows machines which have never touched ISS software. We saw similar issues discussed in 2016.
Whatever the case, and whether the sudden appearance of this empty folder is something to be suspicious of, file managing neat-freaks can still feel righteous in their annoyance about this. Tidiness is next to godliness, as Linus Torvalds might say in slightly different language involving ‘turds.’.
