
Microsoft's NTFS flaw: What are the potential consequences?

A security researcher exposed an NTFS flaw that Microsoft deliberately hasn't patched. Expert Michael Cobb explains how the bug works and why it isn't being treated as severe.

A security researcher recently published the proof-of-concept code of a Windows New Technology File System bug. Despite being alerted to the vulnerability months in advance, Microsoft decided not to patch the NTFS bug. What makes this NTFS security flaw a lower priority? What are the potential consequences of Microsoft not dealing with it before the proof of concept was released?

Every Windows user dreads seeing the blue screen of death -- the error screen displayed on a Windows computer system after a fatal system error -- so a vulnerability that can automatically crash a system when autoplay is enabled should be fixed as soon as possible. This is what Marius Tivadar, senior manager at Bitdefender's Cyber Threat Intelligence Lab, believed when he disclosed a flaw in Microsoft's proprietary New Technology File System (NTFS) to the company in July 2017.

Tivadar discovered that a malformed NTFS image can crash a Windows 7, 8.1, 10 and Windows Server 2012 R2 computer within seconds of it being accessed. By copying it to a USB drive and inserting the drive into a computer, the image can cause a blue screen of death because autoplay is activated by default. The crash still occurs if the computer is locked, and Tivadar posted videos to prove it.

Even if a user has disabled autoplay, Windows will crash when an antivirus program scans the USB stick or when the user or another program tries to access it. Frustrated by Microsoft's lack of action, Tivadar posted the proof-of-concept (POC) code of the NTFS security flaw on GitHub along with a POC malformed NTFS image.

The NTFS flaw lies in the NtfsFindExistingLcb() function, which doesn't check that a pointer taken from the File Control Block -- a file system structure in which the state of an open file is maintained -- is not null before using it. By making a few changes to an NTFS image, it is possible to exploit this flaw and cause the system to crash. So why hasn't Microsoft fixed this NTFS flaw or even assigned it a Common Vulnerabilities and Exposures (CVE) number?

According to the CVE website, "an information security 'vulnerability' is a mistake in software that can be directly used by a hacker to gain access to a system or network." It also assigns vulnerabilities a severity score to help those affected to prioritize mitigation strategies, patching and other resources according to the level of the threat. These scores are calculated based on a formula that depends on several metrics that approximate the ease of the exploit and the effect of the exploit.

Microsoft, like many big software vendors, has its own severity rating system. It also operates a security bug classification system, Security Bug Bar, used by Microsoft's internal product and online services teams.

Like system administrators, Microsoft has to prioritize and assign resources to the security vulnerabilities found in its products based on their relative severity. An attack that requires physical access or social engineering, like the one Tivadar discovered, is far less severe than an attack that can be carried out remotely.

Looking at the definition in the Microsoft Security Bug Bar and the CVE definition of a vulnerability, it is easier to understand Microsoft's decision not to assign this NTFS flaw a CVE number: the vulnerability's attack vectors require either physical access or social engineering to succeed, so the flaw doesn't meet Microsoft's requirements for issuing a security patch.

Now that the POC for this NTFS flaw is publicly available, hackers may try to incorporate it into their malware to attempt to trigger a crash, but they would then need to exploit the crash to cause something other than a temporary denial of service.

One thing Microsoft will hopefully change in the future is to ensure that no code can be executed when external peripherals are inserted into a computer while the system is in a locked state.
