BSOD

A Romanian hardware expert has published proof-of-concept code on GitHub that will crash most Windows computers within seconds, even if the computer is in a locked state.

The code exploits a vulnerability in Microsoft's handling of NTFS filesystem images and was discovered by Marius Tivadar, a security researcher with Bitdefender.

NTFS bug & Windows autoplay feature don't go well together

The expert's PoC contains a malformed NTFS image that users can take and place it on a USB thumb drive. Inserting this USB thumb drive in a Windows computer crashes the system within seconds, resulting in a Blue Screen of Death (BSOD).

"Auto-play is activated by default," Tivadar wrote in a PDF document detailing the bug and its impact.

"Even with auto-play [is] disabled, [the] system will crash when the file is accessed. This can be done for [example,] when Windows Defender scans the USB stick, or any other tool opening it."

Microsoft declined to fix

Tivadar contacted Microsoft about the issue in July 2017, but published the PoC code today after the OS maker declined to classify the issue as a security bug.

Microsoft downgraded the bug's severity because exploiting it requires either physical access or social engineering (tricking the user).

The researcher doesn't agree with Microsoft's decision. He first argues that physical access isn't necessarily required, as an attacker could deploy the PoC from afar using malware.

NTFS bug also crashes locked PCs

Tivadar also explained that the NTFS bug was more dangerous than Microsoft thinks because it also works while the PC is locked, a state when the researcher argues the OS shouldn't be reading data from random USB drives that were inserted into its ports.

"I strongly believe that this behavior should be changed, [and] no USB stick/volume should be mounted when the system is locked," the researcher said. "Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine."

Tivadar published two videos on his personal Google Photos account showing the NTFS bug crashing a PC in normal and locked down states. Another PoC is also available on his Google Drive account.

For now, Tivadar's PoC will become one of the hottest pieces of code on GitHub, as any prankster will be looking to add it to his arsenal.

UPDATE [May 2, 2018]: Tivadar told Bleeping Computer today that the bug still works today, against the latest Windows 10 version, v1803 - the April 2018 Update.

Related Articles:

Microsoft Releases KB4100347, KB4134660, and KB4134661

Shadowy Hackers Accidentally Reveal Two Zero-Days to Security Researchers

Windows CLI Apps Vulnerable to New Ctrl-Inject Process Injection Attack

Multiple OS Vendors Release Security Patches After Misinterpreting Intel Docs

Microsoft Releases a "Windows Command Reference" For Over 250 Console Commands