This Windows 10 NTFS bug can instantly corrupt your hard drives

Image: Reddit / Is_It_Me_or_Not

Microsoft fixed a number of flaws through the first Patch Tuesday updates earlier in the week, but it appears that an unpatched bug that has been exploited for a long time has not yet been fixed. According to @jonasLyk, a short, single-line command delivered through a specially crafted file can corrupt any Windows 10 NTFS-formatted hard drive.

Delivered via a ZIP, shortcut file, HTML or other vectors, the command triggers errors on the hard disk, corrupting the file system index without even requiring administrative privileges.

The new RS_PRERELEASE Build 21292 was released with tons of fixes and an improvement in privacy settings

Windows 10 NTFS vulnerability “critically underestimated”

Jonas says that this Windows 10 bug is not new and has existed since the release of the Windows 10 April 2018 update, and also remains exploitable in the latest versions. BleepingComputer shared that the problematic command includes $ i30 string, a Windows NTFS index attribute associated with directories.

UNDERSTANDED NTFS VULNERABILITY CRITICALITY
–
There is an especially nasty vulnerability in NTFS now.
It can be triggered by opening a special name created in any folder anywhere. ‘
The vulnerability will appear instantly complaining about your hard drive being corrupted when the path is opened pic.twitter.com/E0YqHQ369N

– Jonas L (@jonasLyk) January 9, 2021

After running the command, Windows 10 will begin to display prompts to restart the device and repair the corrupted drive. Apparently, the problem also affects some versions of Windows XP and similar NTFS bugs have been known for years, but have not yet been resolved by the Windows manufacturer.

Good find by @jonasLyk :
CD

Result: NTFS corruption
Other vectors:
– Open an ISO, VHD or VHDX
– Extract a ZIP file
– Open an HTML file without a MoTW
– Probably more … pic.twitter.com/LY18Lo3J3m

– Will Dormann (@wdormann) January 9, 2021

It is not yet clear why the string is causing hard drive corruption. In response to the report, Microsoft said that “the use of this technique depends on social engineering and, as always, we encourage our customers to practice good online computing habits, including caution when opening unknown files or accepting file transfers.”

Tuesday update of January 2021 KB4598242 patch is active for Windows 10 versions 20H2 and 2004

However, at least one example shared by Jonas with BP confirms that when using a Windows shortcut file (.url) with its icon location set to C: : $ i30: $ bitmap, a user does not even need to open the file for it to trigger the vulnerability. Microsoft said it “will provide updates to affected devices as soon as possible”, so we hope there will finally be some fix for this NTFS bug stream.

– More details at BP