A new Windows flaw affecting almost all versions of the OS, Windows 10 excluded, has been unearthed. More specifically, Windows 7 and Windows 8.1 are prone to the same bug, in which certain bad filenames make the system lock up or crash, occasionally leading to a blue screen of death.
Furthermore, malicious webpages can embed the same filenames by using them as an image source, as explained by Ars Technica. If the user lands on such a page, no matter the browser, their machine will freeze and may also crash almost immediately.
The issue stems from the way the NTFS driver reads special filenames that the operating system uses to refer to hardware devices rather than to files stored on local drives.
Windows has many filenames that are “special” because they don’t correspond to an actual file. Instead of files, they represent hardware devices. These special filenames can be reached from any location in the file system, even though they do not exist on disk.
NTFS Bug Explained, or How an Issue from Windows 95, 98 Came Back to Life
Apparently, this kind of issue has been known since the Windows 95 and 98 eras, when specific filenames could make the system crash. In those times, attackers could target users by employing one of the filenames as an image source; the browser would attempt to access the file, and Windows would crash.
“While any of these special filenames would have worked, the most common one used to crash old Windows machines was con, a special filename that represents the physical console: the keyboard (for input) and the screen (for output),” Ars explains.
Even though Windows correctly handled simple attempts to access the con device, if a filename included two references to the special device (for example, c:\con\con), the OS would fail. If that file was referenced from a webpage by trying to load an image from file:///c:/con/con, then the system would crash whenever the malicious page was loaded.
The New NTFS Bug Comes from the $MFT Filename
The new NTFS bug, which doesn’t affect Windows 10, is based on another filename: $MFT. That’s the name of the special metadata file used by the Windows NTFS filesystem. The file is located in the root directory of every NTFS volume.
However, the NTFS driver handles it in specific ways: it is hidden, so it cannot be viewed and is inaccessible to most applications. Even though attempts to open the file are usually blocked, if the filename is used as a directory name, the NTFS driver takes out a lock on the file and never releases it, Ars says.
The wait for the file to be released is practically never-ending, which blocks any other attempt to access the filesystem. As a result, every program hangs, making the computer unusable until reboot.
Researchers have already informed Microsoft about the bug, but it is not yet known when it will be patched.
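
Until a patch is available, a content filter in front of Windows 7 and 8.1 machines can flag the two path patterns described above before a browser loads them. The following is an added example, not code from Ars Technica or Microsoft; the function names, verdict labels, extended device-name list and sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# "con" is the name the article gives; the other reserved DOS device names
# are added here as an assumption about what a filter would also cover.
DEVICE_NAMES = {"con", "prn", "aux", "nul"} | {
    f"{p}{i}" for p in ("com", "lpt") for i in range(1, 10)}
LOCAL_REF = re.compile(r"(?i)^(file:|[a-z]:[\\/]|\\\\)")

def path_components(ref):
    """Lower-cased path components of a local reference, [] otherwise."""
    ref = ref.strip()
    if not LOCAL_REF.match(ref):
        return []  # not a local filesystem reference
    if ref.lower().startswith("file:"):
        parts = urlsplit(ref)
        ref = parts.netloc + parts.path
    comps = [c for c in re.split(r"[\\/]+", unquote(ref)) if c]
    if comps and re.fullmatch(r"[A-Za-z]:", comps[0]):
        comps = comps[1:]  # drop the drive letter
    return [c.rstrip(". ").lower() for c in comps]

def classify(ref):
    comps = path_components(ref)
    if "$mft" in comps[:-1]:  # $MFT used as a directory, not the final name
        return "mft-as-directory"
    if sum(c.split(".")[0] in DEVICE_NAMES for c in comps) >= 2:
        return "repeated-device-name"  # e.g. c:\con\con
    return None

class RefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            verdict = classify(value) if name in ("src", "href") and value else None
            if verdict:
                self.findings.append((value, verdict))

def scan_html(html):
    scanner = RefScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, not taken from the article.
SAMPLE = ('<img src="file:///c:/con/con"><img src="file:///C:/$MFT/x.png">'
          '<img src="https://example.com/con/con.png"><img src="file:///c:/$MFT">')
```

Calling `scan_html(SAMPLE)` reports only the first two references: the remote URL is not a local path, and a bare `$MFT` as the final component is the ordinary open attempt that the article says is usually blocked.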