A Bug In Microsoft’s NTFS Filesystem Can Corrupt Your Hard Drive In Epic Fashion

Well, this isn’t good. An unpatched zero-day that was originally found in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command:

In August 2020, October 2020, and finally this week, infosec researcher Jonas L drew attention to an NTFS vulnerability impacting Windows 10 that has not been fixed. When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records. The researcher told BleepingComputer that the flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in the latest version. What’s worse is, the vulnerability can be triggered by standard and low privileged user accounts on Windows 10 systems. […] It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue doesn’t work. 

One striking finding shared by Jonas with us was that a crafted Windows shortcut file (.url) that had its icon location set to C:\:$i30:$bitmap would trigger the vulnerability even if the user never opened the file! As observed by BleepingComputer, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file’s icon. To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process. Next, “restart to repair hard drive” notifications start popping up on the Windows PC — all this without the user even having opened or double-clicked on the shortcut file.

This has been tested onWindows XP and the issue has been found there as well. Thus it appears to be an NTFS based issue as opposed to a Windows 10 issue. Microsoft is investigating this, but they need to have a rapid fix for this as a threat actor is going to be able to exploit this to cause chaos.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: