by_adr - Fotolia

Windows NTFS flaw posted after disclosure gets nowhere

Proof-of-concept code showing how an NTFS flaw can shut down Windows systems was published by a security researcher nine months after he disclosed it to Microsoft.

Proof-of-concept code for a denial-of-service attack that can crash Windows computers in seconds was published Friday, nine months after the researcher who found the flaw notified Microsoft.

The attack exploits a New Technology File System (NTFS) flaw to automatically crash a system with auto-play enabled within moments of a malicious image being mounted. Even on systems where auto-play is disabled, the malicious image can take down the system when accessed in any way; this includes a user clicking on the image or Windows Defender scanning it.

Marius Tivadar, senior manager at Bitdefender's Cyber Threat Intelligence Lab, discovered a simple technique to craft an NTFS image file capable of causing a blue screen of death (BSOD) within seconds when mounted -- for example, by inserting a USB drive containing the image -- on many Windows 7 and Windows 10 systems.

In his original vulnerability disclosure of the NTFS flaw to Microsoft in July 2017, Tivadar wrote: "One can generate blue-screen-of-death using a handcrafted NTFS image. This Denial of Service type of attack can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in locked state."

After he reported it to Microsoft last year, he said the software giant told him it would not assign a CVE number to the vulnerability or even notify him when the flaw was fixed.

Tivadar also noted the NTFS flaw does not require a storage device to be effective: "It is not necessary to have a USB stick. A malware for example could drop a tiny NTFS image and mount it somehow, thus triggering the crash."

According to Tivadar, Microsoft said in its most recent response to his report that because the attack required either physical access or social engineering to succeed, it did not "meet the bar for servicing down-level (issuing a security patch)."

Tivadar's attack code succeeded against three versions of Windows he tested:

  • Windows 7 Enterprise 6.1.7601 SP1, Build 7601 x64;
  • Windows 10 Pro 10.0.15063, Build 15063 x64; and
  • Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64.

Tivadar was not able to reproduce the attack against Windows 16299, the release Microsoft currently recommends for most users, but he was unable to verify whether the NTFS flaw had actually been explicitly patched.

Chris Eng, vice president of research at Veracode, based in Burlington, Mass., told SearchSecurity the lack of response to the NTFS flaw from Microsoft was a matter of prioritization of vulnerabilities. "Microsoft has to consider the relative severity of all the bug reports they receive -- security bugs and everything else -- and prioritize their remediation and patching efforts accordingly. It sounds to me like they considered the threat model and customer impact and determined that finite engineering capacity would produce more value fixing other bugs."

"A BSOD is less severe than an exploit that escalates privileges or executes commands, and an attack that requires physical access or social engineering is less severe than an attack that can be carried out remotely," Eng added.

A Microsoft spokesperson told SearchSecurity Tivadar's proof of concept did not establish the need for a Windows patch. "The technique described requires authenticated access to a machine," the spokesperson said. "We encourage customers to always use security best practices, including securing workstations and avoiding leaving laptops and computers unattended."

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing