Flaw in Microsoft Master File Table could allow hackers to BSOD Windows

News by Rene Millman

Flaw in NTFS file system can be activated by a malformed URL, causing a system crash in Windows Vista, 7 and 8.1 but not Windows 10.

A flaw in Microsoft's NTFS file system could enable hackers to crash computers running Vista, 7 or 8.1.

The bug in the Windows Master File Table could be activated if an attacker includes $MFT as a link in a website.

The flaw was found by a security researcher going by the name of Anatolmik of Aladdin Information Security in Russia. According to a blog post by the researcher, the bug happens when a victim tries to open a nonexistent file with a malformed path.

When someone running a particular version of Windows tries to access a file starting with c:\$MFT\example, NTFS locks $MFT and doesn't release it. The $MFT file is found on all NTFS volumes and is used to keep track of all other files on the volume as well as other data such as the physical location on disk and logical location within a folder.

If a computer cannot open a file, this could lead to data loss. When a non-existent file within $MFT is called, the machine crashes and the only solution is to reset the machine.

“When the attempt is made to open the file with respect to $mft file, NtfsFindStartingNode function does not find it, because this function searches a little differently, unlike NtfsOpenSubdirectory function that finds the file at all times,” said Anatolmik.

He said that the NtfsOpenSubdirectory function opens the file and monopolises ERESOURCE. It then loops trying to find a file that is not in a directory and then interrupts the task with an error.

“When trying to create a file or read the volume of files, NTFS attempts to seize ERESOURCE $mft file and will hang at this stage forever.”

According to the researcher, both Internet Explorer and Firefox can be used to mount a remote attack using this method, but not Chrome, as this browser blocks access to such addresses. The bug doesn't work on Windows 10 systems either.

At the present time, Microsoft has not fixed the issue.

Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC Media UK that content filtering systems at the endpoint level could be trained to discard references to the $MFT folder as there is no legitimate use for that. “This way, hackers won't be able to call the folder from a web page,” he said.

“The attack avenue is so vast that there is little to be done for a potential victim. This bug can be called from the Web, from e-mail or from specially crafted documents. Luckily, this is just an annoyance that is going to waste them some time rather than something that puts data integrity in danger. When a fix becomes available from the vendor, users should install it and ensure that this flaw becomes unexploitable,” he said.
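One way to implement the content filtering Botezatu describes, as an added example that is not from the article, the researcher or Bitdefender: it replaces any HTML attribute value that points at a local path using $MFT as a folder, the c:\$MFT\example form given above. The function names, the `about:blank` replacement, the restriction to `file:` URLs and drive-letter paths, and the sample markup are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# A local reference: file: URL or drive-letter path (assumed scope of the filter).
_LOCAL = re.compile(r'^\s*(?:file:|[a-z]:[\\/])', re.IGNORECASE)
# $MFT used as a directory: separator, "$MFT", separator(s), then a further name.
_MFT_DIR = re.compile(r'[\\/]\$mft[\\/]+[^\\/]', re.IGNORECASE)
# Any quoted HTML attribute: name=, quote, value, same quote.
_ATTR = re.compile(r'''([\w-]+\s*=\s*)(["'])(.*?)\2''', re.DOTALL)


def normalise(ref):
    """Undo HTML entity and percent encoding so '%24MFT' compares as '$MFT'."""
    return unquote(html.unescape(ref))


def references_mft_dir(ref):
    """True if ref is a local path or file: URL that treats $MFT as a folder."""
    ref = normalise(ref)
    return bool(_LOCAL.match(ref) and _MFT_DIR.search(ref))


def scrub_html(markup, replacement="about:blank"):
    """Return (cleaned_markup, removed_refs) with offending values replaced."""
    removed = []

    def _sub(m):
        if references_mft_dir(m.group(3)):
            removed.append(m.group(3))
            return m.group(1) + m.group(2) + replacement + m.group(2)
        return m.group(0)

    return _ATTR.sub(_sub, markup), removed


# Constructed sample page: two references to filter, one unrelated web link.
SAMPLE = (
    '<a href="file:///c:/$MFT/example">a</a>'
    "<a href='C:\\%24mft\\example'>b</a>"
    '<a href="https://example.test/docs/$MFT/overview">c</a>'
)

if __name__ == "__main__":
    cleaned, removed = scrub_html(SAMPLE)
    print(cleaned)
    print("removed:", removed)
```

The list of removed references can be logged so that pages or messages carrying them are visible to whoever operates the filter.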
