Microsoft fixes Windows 10 bug that can corrupt NTFS drives

Windows 10

Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder where they are downloaded.

In January, we reported on a new Windows 10 vulnerability discovered by  Jonas Lykkegård that allows any user or program, even those with low privileges, to mark an NTFS drive as corrupted simply by accessing the special ​folder.

What is particularly concerning is how easy it is easy to trigger the bug. By simply changing to the folder in a command prompt, accessing it from the Run: field, opening it from File Explorer, Windows 10 would mark the drive as dirty and prompt you to reboot your computer and run chkdsk, as shown below.

​ Accessing an NTFS path triggers a corruption warning

Accessing an NTFS path triggers a corruption warning

To make matters worse, threat actors and pranksters began distributing fake tools, malicious shortcuts, or malware [1234] on Discord and social media that, when executed, would access the folder and trigger the bug.

Threat actors could also use the bug to force a crash of a breached system to hide their activities.

While the error generated by the bug stated the drive was corrupted, Microsoft clarified that volume was only marked as dirty, and a reboot and chkdsk would quickly mark it as clean.

Unfortunately, in one of our and other people’s tests, chkdsk did not fix the issue, and Windows 10 refused to boot again.

[embedded content]

Microsoft fixes the NTFS corruption bug

In February, Microsoft quietly started testing the fix within Windows Insider builds. This week, as part of the April 2021 Patch Tuesday, Microsoft has finally fixed the vulnerability in all supported versions of Windows 10.

Microsoft has classified this bug as a DDoS vulnerability and is tracking it as CVE-2021-28312 with the title ‘Windows NTFS Denial of Service Vulnerability.’

After installing this week’s Patch Tuesday updates, BleepingComputer can confirm that the bug no longer works as it will now just display an error stating that “The directory name is invalid,” as shown below.

Accessing the path no longer marks a drive as corrupted
Accessing the path no longer marks a drive as corrupted

BleepingComputer strongly recommends that all Windows users install the latest Patch Tuesday security updates. Not only for this vulnerability but the 107 other vulnerabilities fixed this month.


Source: BleepingComputer

Leave a Reply