May 14, 2018
Denial of Service Using Malformed NTFS Files
A Romanian cyber security expert released proof-of-concept code that exposes vulnerabilities in Windows 7 and Windows 10 and can easily cause the blue screen of death, even when the system is locked. This rogue code lets a user or attacker carry out a denial-of-service attack that can crash a Windows machine within minutes, even when it is in a locked state. Cyber security experts worry that an attacker may modify the code and might even add malware to inflict maximum harm.

Marius Tivadar of Bitdefender recently published this code on GitHub, explaining how a user, administrator, or limited user can generate a blue screen of death with the help of a handcrafted NT File System (NTFS) image. The code is more a malformed image than malware, malware researchers explain. When a USB drive containing such a malformed NTFS image is connected to a Windows computer, the computer crashes within a matter of seconds, Tivadar explains. When the USB drive is inserted, the autoplay feature is enabled and it triggers the attack. This happens because the code exploits Microsoft's vulnerabilities in handling the new file system.

Cyber security experts warn that even if autoplay is not enabled, the PC would crash upon accessing the malformed image file, for example when Windows Defender scans the system, or when some other tool or the user opens the file. Marius detailed the effects and behavior of the bug in a report and demonstrated them in a video.

Cyber security experts point to autoplay being enabled by default in all versions of Microsoft Windows as the root cause of the problem. One possible solution could be to disable autoplay; however, manually accessing and opening the file would still lead to a denial-of-service attack, which causes the blue screen of death or forces Windows to crash.

Malware experts suggest one possible solution is to change the behavior of the Windows feature that is responsible for the attack, autoplay.
They suggest that the autoplay feature should not work when the user locks the system, as no feature should work without user consent, unlike what happens in the case of the malformed NTFS image. The fix should make sure that when an external peripheral is inserted into a locked system, no driver loads and no code runs, which guarantees that no undesirable action takes place.

Marius Tivadar first discovered the issue in the year 2007, when it triggered a BSOD on Windows 7 and above operating systems. Accordingly, he reported the issue to Microsoft, expecting the software giant to act and issue a patch to fix it. However, the Redmond-based software giant did not give the issue the attention it needed and declined to issue a patch on the grounds that the issue requires physical access or at least social engineering. Microsoft does seem to have resolved the issue now, however, and it no longer works on the latest Windows 10 build 16299 and Microsoft recommended systems.

However, there may be some Windows systems that are still vulnerable to this rogue code in its present form, including:

Windows 10 Enterprise Evaluation Insider Preview 10.0.16215, Build 16215 x64

Windows 7 Enterprise edition 6.1.7601 SP1, Build 7601 x64

Windows 10 Pro 10.0.15063, Build 15063 x64
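
The autoplay mitigation and the build cutoff mentioned above can be checked on a host. The following PowerShell audit is an added example, not code from the article or from the researcher's repository; the function names are hypothetical, and the registry values are the standard Windows AutoPlay/AutoRun settings.

```powershell
# Added example: audit AutoPlay/AutoRun state and OS build on the local host.
# Function names are hypothetical; registry values are the standard Windows ones.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-AutoPlayAudit {
    $polKey  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

    # The machine-wide policy value overrides the per-user policy value.
    $mask   = Get-RegValue "HKLM:\$polKey" 'NoDriveTypeAutoRun'
    $source = 'HKLM policy'
    if ($null -eq $mask) {
        $mask   = Get-RegValue "HKCU:\$polKey" 'NoDriveTypeAutoRun'
        $source = if ($null -eq $mask) { 'not configured' } else { 'HKCU policy' }
    }

    # NoDriveTypeAutoRun is a bitmask: 0x04 = removable drives, 0xFF = all types.
    $removableOff = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)
    $allOff       = ($null -ne $mask) -and (($mask -band 0xFF) -eq 0xFF)

    # Per-user toggle ("Use AutoPlay for all media and devices" switched off).
    $userOff = (Get-RegValue $userKey 'DisableAutoplay') -eq 1

    $build = [System.Environment]::OSVersion.Version.Build

    [pscustomobject]@{
        PolicySource          = $source
        NoDriveTypeAutoRun    = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { $null }
        RemovableDisabled     = $removableOff
        AllDriveTypesDisabled = $allOff
        UserAutoPlayDisabled  = $userOff
        OSBuild               = $build
        # The article reports the PoC no longer works on Windows 10 build 16299.
        BuildAtLeast16299     = $build -ge 16299
        # Caveat from the article: with AutoPlay off, opening or scanning the
        # malformed image can still crash an affected system.
        AutoPlayMitigated     = $removableOff -or $userOff
    }
}

Get-AutoPlayAudit | Format-List
```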