Windows 10: Previously unpatched vulnerability said to damage the NTFS file system

Source: Heise.de added 14th Jan 2021

A security researcher is currently warning of a vulnerability in Windows 10, present probably since version 1803, which reportedly allows attacks on the NTFS file system. Executing a specific, short command via the command line causes damage to the file system, sometimes to such an extent that a new installation is necessary.

The researcher also warns that execution of the command can be triggered by a specially prepared file, provided that an attacker succeeds in smuggling it onto the target computer or persuading the user to download it. The attacker does not need admin rights; direct user interaction with the file is also not necessary.

Speaking to Bleeping Computer, the researcher stated that he had already pointed out the vulnerability to Microsoft in August and then again in October of last year. So far, the company has not responded: there was no corresponding security update on Microsoft's Patch Tuesday in January. At the request of Bleeping Computer, however, a Microsoft spokesman said that they would investigate the security problem and provide updates for "affected devices" as soon as possible.

In the test: error message, but no permanent damage

The command in question can be seen in our screenshot; the drive letter can be adjusted as required depending on the desired target. The "$i30" in the command refers to an index that the NTFS file system uses to manage files and folders.

We tried the command in a virtual machine running Windows 10 Pro 20H2 x64 at the current patch level (19042.746), without admin rights. The result was indeed an error message asking us to reboot in order to "repair drive errors". After the reboot, the Windows on-board tool chkdsk initiated a repair process, which in our attempt completed successfully.

(Image: screenshot)

The error message no longer appeared, and no further problems were observed. However, it cannot be concluded from this brief test that permanent damage cannot occur in other cases. We strongly advise against executing the command outside of a VM.

It is interesting that it was not possible to trigger the error message (and thus "the attack") a second time on the test system. It appears that chkdsk is actually fixing an existing problem. However, the tool does not detect that problem beforehand: if you start a file system repair via "chkdsk /f" before executing the malicious command, the subsequent command execution still provokes the error message.

URL shortcuts as a conceivable attack path

Speaking to Bleeping Computer, the researcher emphasized that execution of the malicious command via a specially prepared shortcut to a website (.URL file) can be triggered simply by the user opening the folder in which the .URL file is located. The procedure for doing this: when creating the shortcut, the attacker specifies the malicious command as the path from which the shortcut icon is loaded. When the folder is opened, the system tries to load the icon from the specified location and thereby automatically executes the command.

The catch here is that there is hardly any reasonable reason why a user should consciously download such a shortcut from the Internet. Hiding the shortcut among other files within a ZIP archive seems more realistic, or preparing a (Windows 10) .ISO file. However, such procedures again require the active participation of the user. So far there have been no reports of active attacks on the vulnerability.
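A defender-side check for the delivery path described above, added here as an example and not part of the Heise article: .URL files are INI-style text, so the IconFile entry can be inspected for an NTFS attribute-stream reference such as "$i30" before the folder is ever opened in Explorer. The sample shortcut contents and the "suspicious stream" regex are assumptions of this example.

```python
import configparser
import re

# A legitimate shortcut icon path points at an .ico/.dll/.exe file; it never
# needs NTFS attribute-stream syntax (":$name"), which is what "$i30" is.
# Assumption of this example: any ":$..." inside IconFile is worth flagging.
SUSPICIOUS_STREAM = re.compile(r":\$[A-Za-z0-9_]+", re.IGNORECASE)

# Constructed samples, not real attack files.
BENIGN_SAMPLE = r"""[InternetShortcut]
URL=https://example.com/
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""
SUSPICIOUS_SAMPLE = r"""[InternetShortcut]
URL=https://example.com/
IconFile=C:\Users\Public\pics:$i30:SAMPLE
IconIndex=0
"""


def suspicious_icon_paths(url_file_text: str) -> list:
    """Return every IconFile value in a .URL file that references an NTFS
    attribute stream. An empty list means nothing was flagged."""
    # .URL files use "=" only; keep key case so we can match case-insensitively
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.optionxform = str
    try:
        parser.read_string(url_file_text)
    except configparser.Error:
        return []  # not INI-shaped at all; leave it to other checks
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.lower() == "iconfile" and SUSPICIOUS_STREAM.search(value):
                findings.append(value)
    return findings


def scan_text_files(named_texts: dict) -> dict:
    """Map file name -> flagged IconFile values, for every file that has any."""
    report = {}
    for name, text in named_texts.items():
        hits = suspicious_icon_paths(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    samples = {"ok.url": BENIGN_SAMPLE, "odd.url": SUSPICIOUS_SAMPLE}
    print(scan_text_files(samples))
```

In practice the dictionary would be filled from a directory walk over *.url files (and over the members of a downloaded ZIP archive) before the folder is opened.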

Our overall assessment: the vulnerability certainly gives cause for caution, but there is no reason to panic. By handling web content responsibly and critically, and in this case .URL files in particular (which is always appropriate), the risk can be greatly reduced despite the outstanding update.

Déjà-vu: Problems with chkdsk and NTFS in December 2020

The current problem is reminiscent of the chkdsk problems that Microsoft only recently fixed, which were triggered by a cumulative Windows 10 update. Some users who ran "chkdsk /f" reported that this operation suddenly corrupted the file system. Microsoft claims to have corrected the problem with a remote update. There is (so far) no evidence of a connection.

Update 14.01.21, 19:25: Subheading changed and running text added (no active attacks known so far).

(ovw)

Read the full article at Heise.de
