The good old NTFS bug in Windows strikes back but with a different name

Those of you from the Windows 95 era may remember an NTFS bug that allowed hackers to attack devices through special filenames, causing the entire system to go berserk and subsequently display a blue screen of death.

Well, to everyone’s disappointment, the bug is back to haunt those who are running Windows 7 or 8. This time, however, the bug is cunningly placed in an image source file which is loaded once a web page with that image is accessed.


The special filename: Windows OS has always had a flaw in its file system allowing attackers to exploit a file naming convention that has the potential to render a user’s system utterly useless.

To give you a bit of background, the Windows file system treats a number of filenames as special because of the way they are handled. Primarily, some filenames known to the operating system do not correspond to any actual file; instead, they refer to the hardware of the system. Such files can still be accessed despite not having any real existence.

The filenames which can crash your system: Not all of these filenames have the potential to kill your system. However, some files, when accessed in a certain way, can cause damage. For instance, the filename which was used to crash the old Windows operating systems was “con”. This file referred to the monitor and keyboard of your computer.

Although Windows was smart enough to handle a single attempt to access the file properly, it had no idea what to do if the file was accessed twice at the same time. That is, the older bug used a reference of the form c:\con\con, which caused Windows to crash. Now, however, the file is referenced through an image source: particular images in a web page access the special filenames and hence disrupt your entire system.


Nevertheless, this time round, the filename is not “con”, but another special file called “$MFT”. This filename refers to the metadata stored in the NTFS directory. Although the filesystem blocks any attempts to access the file, it does not do so if it is being accessed through a directory – that is, in the form of c:\$MFT\123.

Doing so forces NTFS to lock the entire system, so you will not be able to access any file. Some browsers try to prevent web pages from accessing these files; Internet Explorer, on the other hand, will allow access. However, the security researcher who discovered this bug said that:

“This problem is not a vulnerability, but having remote access to the machine may disturb its operation. This error is retained up to the latest versions of the Windows, with the exception of the latest updates, starting at a minimum with Windows Vista.”
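A defensive check for the pattern described above, as an added example that is not part of the original article: it scans HTML for image sources that point at a local drive path containing "con" or using "$MFT" as a directory. The function names, the name sets and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Names taken from the article; extend the sets for broader coverage.
DEVICE_NAMES = {"con"}      # legacy device name (monitor and keyboard)
NTFS_METAFILES = {"$mft"}   # NTFS metadata file

# Matches a drive-letter path, optionally prefixed with file: and slashes.
LOCAL_PATH = re.compile(r"^(?:file:/*)?([a-z]:[\\/].*)$", re.IGNORECASE)

def risky_reason(src):
    """Return why an image source is suspicious, or None if it looks harmless."""
    m = LOCAL_PATH.match(unquote(src.strip()))  # decode %24 -> $ first
    if not m:
        return None  # not a local drive path (e.g. an http(s) URL)
    parts = [p.lower() for p in re.split(r"[\\/]+", m.group(1))[1:] if p]
    for i, part in enumerate(parts):
        if part.split(".")[0] in DEVICE_NAMES:
            return "device name in path: " + part
        # Per the article, $MFT is only a problem when used as a directory.
        if part in NTFS_METAFILES and i < len(parts) - 1:
            return "NTFS metafile used as a directory: " + part
    return None

class ImgSrcScanner(HTMLParser):
    """Collects (src, reason) pairs for suspicious <img> tags."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            reason = risky_reason(value) if name == "src" and value else None
            if reason:
                self.findings.append((value, reason))

def scan_html(html):
    scanner = ImgSrcScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: two harmless images and the two forms from the article.
SAMPLE = r'''<img src="https://example.com/logo.png">
<img src="file:///C:/$MFT/123">
<img src="c:\con\con">
<img src="file:///C:/Users/a/icon.png">'''

if __name__ == "__main__":
    for src, reason in scan_html(SAMPLE):
        print(src, "->", reason)
```

A filter like this belongs in a web proxy, mail gateway or content sanitizer, where the markup can be inspected before a vulnerable browser loads it.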

This video from 0:48 seconds shows how the bug worked on Windows 95



Jahanzaib Hassan