{"id":84323,"date":"2017-05-29T22:19:02","date_gmt":"2017-05-30T02:19:02","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-08-09T14:20:39","modified_gmt":"2021-08-09T18:20:39","slug":"windows-terrible-horrible-no-good-month","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/windows-terrible-horrible-no-good-month\/","title":{"rendered":"Windows Terrible, Horrible, No Good Month"},"content":{"rendered":"

\"Windows<\/a>Redmond’s Terrible, Horrible, No Good, Very Bad <\/a>month continues. The WannaCry<\/strong> ransomware<\/a> hit mostly Windows 7 machines<\/a>, and now researchers from the Russian information security company Aladdin RD recently discovered a new bug<\/strong> that will slow down and crash Microsoft<\/a><\/strong> (MSFT<\/a>) Windows Vista<\/a><\/strong>, Windows 7<\/a>, <\/strong>and Windows 8<\/a> <\/strong>PCs, but does not seem to impact Windows 10 so far.<\/p>\n

\"Microsoft<\/a>In a throwback to the Windows 95<\/a> and 98 era, Ars Technica<\/em><\/a> reports<\/a> that certain specially crafted filenames<\/strong> could make the operating system lock up or occasionally crash with a blue screen of death<\/a><\/strong>. Ars<\/em> reports that the bug allows a malicious website to try to load an image file with the \u201c$MFT<\/strong>\u201d name in the directory path. Windows uses \u201c$MFT\u201d for special metadata files that are used by the NTFS file system<\/a>. The effected systems do not handle this directory name correctly.<\/p>\n

The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways. Ars<\/em> explains that it’s hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but if the filename is used as if it were a directory name<\/strong>\u2014for example, trying to open the file c:\\$MFT\\123\u2014then the NTFS driver takes out a lock on the file and never releases it<\/strong>. Every subsequent operation sits around waiting for the lock to be released. Forever.<\/strong> This blocks all other attempts to get access to the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted<\/strong>.<\/p>\n

\"DDoS\"<\/a>Ars<\/em> says that web pages that use the bad filename in an image source will provoke the bug and make the machine stop responding. Depending on what the machine is doing concurrently, it will sometimes blue screen. Either way, you’re going to need to reboot it to recover. Some browsers will block attempts to access these local resources, but Internet Explorer will try to open the bad file.<\/p>\n

Ars<\/em> couldn’t immediately cause the same thing to occur remotely (by sending IIS<\/a> a request for a bad filename), but it wouldn’t immediately surprise us if certain configurations or trickery were enough to cause the same problem.<\/p>\n

\"Windows<\/a>The Verge<\/em><\/a> has successfully tested<\/strong> the bug<\/a> on a Windows 7 PC with the default Internet Explore<\/strong>r browser. Using a filename with \u201cc:\\$MFT\\123\u201d in a website image<\/strong>, their test caused a machine to slow down to the point they had to reboot to get the PC working again.<\/p>\n

A Microsoft spokesperson told<\/a> Engadget<\/a><\/em> that the company is looking into the matter and will give an update as soon as it can.
\n“Our engineers are currently reviewing the information. Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible.”<\/em><\/p>\n

The Redmond boys also had to release an emergency out-of-band<\/a> update for the Malware Protection Engine aka Windows Defender<\/a>. Two Google security researchers discovered the “crazy bad<\/a>” flaw. They claimed it was “the worst Windows remote code exec in recent memory.” The TechNet<\/a> article <\/a>says the vulnerability they patched would allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file (CVE-2017-0290<\/a>). To MSFT’s credit, they did fix the bug and release the patch with a week of being notified.<\/p>\n

rb-<\/em><\/strong><\/p>\n

Early reports are that this bug is an attack vector. However, this is a denial of service attack<\/a> that will need a reboot. This new flaw could be bundled with other more dangerous malware to force the user to reboot allowing the attacking malware to get loaded.<\/em><\/p>\n

Related articles<\/strong><\/p>\n