Bug in Windows 7 and 8.1 allows malevolently coded websites to crash the OS
Remember back in the 1990s when you could crash Windows from the web browser by invoking console (con) as a directory, e.g., file:///c:/con/con? In Windows 95 and 98 “con” was a reserved name. You could not name files or directories con because it referenced hardware and was used to call the I/O console (keyboard and screen). However, it was discovered that by using the reserved word (or any other reserved Windows name) as the directory name from within the browser, or by extension, in the coding of a web page, one could crash the operating system.
Well, apparently Russian security analysts at Aladdin RD have discovered a very similar bug in Windows 7 and 8.1. Like Windows 9.x, certain words cannot be used in Win 7 and 8. One such word is $MFT. This term is reserved because it is the name of a hidden metadata file used by NTFS. The file exists in the root directory of each volume of an NTFS-formatted drive. Oddly, the bug does not work in Windows 10 even though it too uses NTFS.
The file is handled differently than regular files and attempts to access it are typically barred. However, like the con bug in Windows 9.x, $MFT can be used as a directory name, e.g., c:\$MFT\someFile. Doing so results in NTFS locking up. Meanwhile, the rest of the running applications and processes that need access to the file system are locked out and either hang, slowing Windows down, or crash outright, often resulting in a BSOD. Rebooting seems to be the only fix.
Using $MFT in this manner within a website has mixed results according to Ars Technica. Some browsers will not allow access to local directories, but not surprisingly Internet Explorer will bend over backward to fetch restricted file names. However, just because a browser cannot access local files by default does not mean that there is not a way to do it. For example, in Firefox you cannot access drive content using file:///. The syntax for local access is file://///.
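A web proxy or content filter can flag pages that reference a reserved name as a directory in a local path. The sketch below is an added example, not code from the original post or from Microsoft; the function names, the regular expression and the sample markup are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Names taken from the article: NTFS's $MFT (Windows 7/8.1) and "con" (Windows 9.x).
RESERVED_DIRS = {"$mft", "con"}

# Candidate references: file: URLs with any slash count, or bare drive-letter paths.
CANDIDATE = re.compile(r"""(?:\bfile:[/\\]+|\b[a-z]:[/\\])[^\s"'<>]+""", re.I)

def path_components(ref):
    """Percent-decode a reference and return its lower-cased path components."""
    decoded = unquote(ref)                                  # %24mft -> $mft
    decoded = re.sub(r"^file:[/\\]*", "", decoded, flags=re.I)
    parts = [p for p in re.split(r"[/\\]+", decoded) if p]
    if parts and re.fullmatch(r"[a-z][:|]", parts[0], re.I):
        parts = parts[1:]                                   # drop the drive letter
    # Win32 path normalization strips trailing dots and spaces from a component.
    return [p.rstrip(". ").lower() for p in parts]

def uses_reserved_dir(ref):
    """True when a reserved name appears as a directory (not the last component)."""
    return any(p in RESERVED_DIRS for p in path_components(ref)[:-1])

def scan(text):
    """Return the file references in text that use a reserved name as a directory."""
    return [m.group(0) for m in CANDIDATE.finditer(text)
            if uses_reserved_dir(m.group(0))]

# Constructed sample markup; none of it comes from a real site.
SAMPLE_HTML = r'''
<img src="file:///c:/$MFT/123">
<img src="file://///C:/%24mft/pixel.png">
<a href="file:///c:/con/con">old</a>
<img src="https://example.com/img/logo.png">
<a href="file:///c:/Users/me/notes.txt">notes</a>
<p>Path in text: c:\$MFT\someFile</p>
'''

if __name__ == "__main__":
    for hit in scan(SAMPLE_HTML):
        print("flagged:", hit)
```

The check normalizes slash count, case and percent-encoding before comparing, so the three-slash and five-slash `file:` forms mentioned above are treated alike.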
Microsoft is aware of the bug but has not commented on when or if it will fix the problem. Given the way the folks in Redmond have been trying to push Windows 7 and 8.1 users to Win 10, it would not be surprising if they opted not to fix it, but they would not do that, would they?