Microsoft working on fix for nasty NTFS corruption bug

by Mark Tyson on 18 January 2021, 11:11

Tags: Microsoft (NASDAQ:MSFT), Windows XP, Windows 10


There has been a nasty NTFS corruption bug present in Windows 10 for nearly three years. It is also present in some older Windows XP versions. Just ahead of the weekend The Verge highlighted that a user merely browsing "a specially crafted line inside a ZIP file, folder, or even a simple Windows shortcut," in Explorer is enough to trigger the bug, which will corrupt the file system. Bleeping Computer also looked at the bug and tested how it works.

Security researcher Jonas L has warned about this NTFS vulnerability several times, starting in H2 2020, before it was picked up by the media and Microsoft announced that it is "aware of this issue and will provide an update in a future release," for Windows 10. Microsoft added that anyone wishing to do anything malicious via the bug would have to rely on persuading the victim to download or accept a file transfer, in other words social engineering.

So, what is the problem? Starting from approximately Windows 10 build 1803 and continuing until now, an NTFS drive can be corrupted by merely trying to access the $i30 attribute. An example command that would corrupt a Windows 10 system, provided by Bleeping Computer to illustrate the scarily simple issue, is shown below:

cd c:\:$i30:$bitmap

The potential for mischief is pretty sizable. The corruption can be triggered very easily if a user creates a Windows shortcut file (.url) with its icon location set to the path in the command. If any recipient then views a folder containing this file (on Windows 10), drive corruption may result. Malicious actors could distribute this file via ZIP archives, HTML files or other ways.

Simply opening this downloaded ZIP file was enough
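
A defensive check for the ZIP delivery route described above, as an added example that is not from the article or from Bleeping Computer: it scans an archive in memory, without extracting it or letting Explorer render it, for the path fragment from the quoted command. The size limit, nesting depth, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Path fragment taken from the command quoted in the article.
MARKER = ":$i30:$bitmap"
# The same text as single-byte and as UTF-16LE, both lower-case.
PATTERNS = [MARKER.encode("ascii"), MARKER.encode("utf-16-le")]
MAX_MEMBER_BYTES = 1 << 20  # assumption: larger members are skipped, not read

def contains_marker(data):
    """True if the bytes hold the marker in either encoding, any letter case."""
    lowered = data.lower()  # bytes.lower() only touches ASCII A-Z
    return any(p in lowered for p in PATTERNS)

def scan_zip(blob, depth=2):
    """Names of members carrying the marker; nested ZIPs appear as outer!inner."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if contains_marker(name.encode("utf-8", "replace")):
                hits.append(name + " (entry name)")
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            data = zf.read(info)
            if depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
                hits += [name + "!" + h for h in scan_zip(data, depth - 1)]
            elif contains_marker(data):
                hits.append(name)
    return hits

def build_sample():
    """Constructed test archive, built in memory only (never written to disk)."""
    def make(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n, body in members:
                zf.writestr(n, body)
        return buf.getvalue()
    path = "c:\\" + MARKER
    return make([
        ("readme.txt", b"quarterly figures attached"),
        ("notes.txt", ("see " + path).encode("ascii")),
        ("wide.txt", path.upper().encode("utf-16-le")),
        ("inner.zip", make([("x.txt", path.encode("ascii"))])),
    ])

if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

A check like this belongs on a mail or download gateway, before the archive reaches a Windows 10 desktop; a corrupt archive raises `zipfile.BadZipFile`, which the caller should treat as a reason to quarantine rather than pass through.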

In Bleeping Computer's tests it was noted that chkdsk could sometimes repair the file system on reboot and clear the contents of the icon file with its path set to c:\:$i30:$bitmap.

Another, less serious, issue has been shared by Jonas L in recent days. Again it involves Windows tripping over a path, but this time causing a BSOD. OK, your machine will typically restart after a BSOD and return to normal, but Jonas L noted that threat actors could possibly work out how to abuse the bug for remote code execution, elevation of privileges, or some kind of denial of service chicanery.

All screenshots from Bleeping Computer.



HEXUS Forums :: 33 Comments

Lovely.

And this vulnerability has existed since build 1803? 2018!
It's mad. And MS trying to mitigate it saying “social engineering would be required” is just farcical. Most attacks require some form of human failure. It's almost a prerequisite of hacking that you'll have to socially engineer part of it. That is absolutely no mitigation and it also wouldn't be difficult to get lots of people in an office to do this - I can think of a few ways. Cybersecurity needs to work in the presence of the flawed human.

Just a note of caution, Admin here aren't fond of swearing, even with the “*”s in there. I've been slapped before about that.
Another Microsoft OS…. another bug is born….
souper
Another Microsoft OS…. another bug is born….

Everything has bugs. It's dealing with them that really matters. How long has this been around? I wonder how many payloads it is now a part of. In the seedy world of corporate espionage / competition, corrupting a few choice hard drives could make the difference between you and them releasing a product first.
souper
Another Microsoft OS…. another bug is born….

I once wrote an “Hello World” that was mostly bug free.