Microsoft fixes Windows 10 error that can corrupt NTFS drives


Microsoft has fixed a bug that could allow a threat actor to create specially crafted downloads that crash Windows 10 simply by opening the folder in which they were downloaded.

In January, we reported a new Windows 10 vulnerability discovered by Jonas Lykkegård that allows any user or program, even those with reduced privileges, to mark an NTFS drive as damaged simply by accessing a special folder.

What is particularly worrying is how easy it is to trigger the bug. Simply by changing to the folder from a command prompt, accessing it from the Run: field, or opening it from File Explorer, Windows 10 will mark the drive as dirty and prompt you to restart your computer and run chkdsk, as shown below.

Accessing an NTFS path triggers a corruption warning

To make matters worse, threat actors and rogue actors began distributing fake tools, malicious shortcuts, or malware [1, 2, 3, 4] on Discord and on social networks that, when executed, would access the folder and trigger the bug.

Threat actors could also use the bug to force a crash of a breached system to hide their activities.

While the resulting error message stated that the drive was damaged, Microsoft clarified that the volume was only marked as dirty, and that a restart and chkdsk would quickly mark it as clean.

Unfortunately, in one of our tests and in other people’s tests, chkdsk did not resolve the issue, and Windows 10 refused to start again.
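
A read-only way to see which volumes are in the state described above, as an added example that is not from the original article: it lists local NTFS volumes with their dirty bit and, if any is set, pulls recent file system corruption events for correlation. The function names and the use of System-log event ID 55 are assumptions of this example.

```powershell
# Added example: triage NTFS volumes for the dirty bit described above.
# Run from an elevated PowerShell prompt. Read-only: nothing is repaired or changed.

function Get-NtfsDirtyVolume {
    # Win32_Volume exposes DirtyBitSet; when true, chkdsk is scheduled for the next restart.
    Get-CimInstance -ClassName Win32_Volume -Filter "FileSystem = 'NTFS' AND DriveType = 3" |
        ForEach-Object {
            [pscustomobject]@{
                Volume      = if ($_.DriveLetter) { $_.DriveLetter } else { $_.Name }
                Label       = $_.Label
                DirtyBitSet = [bool]$_.DirtyBitSet
            }
        }
}

function Get-RecentNtfsCorruptionEvent {
    param([int]$Days = 7)
    # Assumption (not from the article): file system corruption reports are
    # logged in the System log as event ID 55.
    $filter = @{ LogName = 'System'; Id = 55; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

$volumes = @(Get-NtfsDirtyVolume)
$volumes | Format-Table -AutoSize

$dirty = @($volumes | Where-Object DirtyBitSet)
if ($dirty.Count -gt 0) {
    Write-Warning ("Dirty bit set on: {0}. chkdsk will run at the next restart." -f ($dirty.Volume -join ', '))
    # Event timestamps help tie the flag to what the user opened or ran at that moment.
    Get-RecentNtfsCorruptionEvent | Format-List
} else {
    Write-Output 'No NTFS volume is marked dirty.'
}
```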

Microsoft fixes NTFS corruption error

In February, Microsoft quietly began testing the fix in Windows Insider builds. This week, as part of the April 2021 Patch Tuesday, Microsoft finally fixed the vulnerability in all supported versions of Windows 10.

Microsoft has classified this bug as a denial-of-service (DoS) vulnerability and is tracking it as CVE-2021-28312, titled “Windows NTFS Denial of Service Vulnerability”.

After installing this week's Patch Tuesday updates, BleepingComputer can confirm that the bug no longer works, as accessing the path now only displays an error stating that “Directory name is invalid”, as shown below.

Accessing the path no longer marks a drive as damaged

BleepingComputer strongly recommends that all Windows users install the latest Patch Tuesday security updates, not only for this vulnerability but also for the other 107 vulnerabilities fixed this month.
