Proof of concept code for an attack that can crash Windows computers in seconds was published Friday, nine months after the researcher who found the flaw notified Microsoft of the denial of service attack.
The attack exploits a New Technology File System (NTFS) flaw to automatically crash a system with auto-play enabled within moments of a malicious image being mounted; even on systems where auto-play is disabled, the malicious image can take down the system when accessed in any way, including by being clicked on by the user or when it is scanned by Windows Defender.
Marius Tivadar, senior manager at the Cyber Threat Intelligence Lab at Bitdefender, discovered a simple technique to craft an NTFS image file capable of causing a blue screen of death crash within seconds when mounted — for example, by inserting a USB drive containing the image — on many Windows 7 and Windows 10 systems.
In his original vulnerability disclosure of the NTFS flaw to Microsoft in July 2017, Tivadar wrote: “One can generate blue-screen-of-death using a handcrafted NTFS image. This Denial of Service type of attack, can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state.” He added that after he reported it to Microsoft last year, the software giant told him that it would not assign a CVE number to the vulnerability or even notify him when the flaw was fixed.
Tivadar also noted that the NTFS flaw does not require a storage device to be effective: “[I]t is not necessary to have an USB stick. A malware for example could drop a tiny NTFS image and mount it somehow, thus triggering the crash.”
According to Tivadar, Microsoft’s most recent response to his report was that because the attack described required either physical access or social engineering to succeed, it did not “meet the bar for servicing down-level (issuing a security patch).”
Tivadar’s attack code succeeded against three versions of Windows he tested:
- Windows 7 Enterprise 6.1.7601 SP1, Build 7601 x64
- Windows 10 Pro 10.0.15063, Build 15063 x64
- Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64
Tivadar was not able to reproduce the attack against Windows 16299, the release Microsoft currently recommends for most users, but he was unable to verify whether the NTFS flaw had actually been explicitly patched.
Chris Eng, vice president of research at Veracode, told SearchSecurity that the lack of response to the NTFS flaw from Microsoft was a matter of prioritization of vulnerabilities. “Microsoft has to consider the relative severity of all the bug reports they receive — security bugs and everything else — and prioritize their remediation and patching efforts accordingly. It sounds to me like they considered the threat model and customer impact and determined that finite engineering capacity would produce more value fixing other bugs.”
“A BSOD is less severe than an exploit that escalates privileges or executes commands, and an attack that requires physical access or social engineering is less severe than an attack that can be carried out remotely,” Eng added.
A Microsoft spokesperson told SearchSecurity that Tivadar’s POC did not establish the need for a Windows patch. “The technique described requires authenticated access to a machine,” the spokesperson said. “We encourage customers to always use security best practices, including securing work stations and avoiding leaving laptops and computers unattended.”