Geekzone: technology news, blogs, forums
freitasm

#280869 16-Jan-2021 15:48

Right now there's a Windows 10 vulnerability that can corrupt NTFS-based drives on Windows systems. Microsoft is working to create a patch.

Until Windows machines are completely patched, it is recommended not to open links without checking the domain target.

The vulnerability can be invoked through the command line, through a link to an invalid URL or even by inserting a broken image in a webpage. By the time the browser tries to render the image/link the filesystem is already compromised.

The only SAFE WAY to browse is to either use Windows Sandbox or a virtual machine (with a checkpoint you can go back to if needed). Any link or image could potentially be harmful.

More information here. If you see something like below then it's too late:

(screenshot not captured)


gzt

#2636553 16-Jan-2021 16:23

Linked article refers to a .url local file and other local methods. Microsoft are advising this requires social engineering to execute, i.e. file download or command run locally. I just read an article with a claim this can work with only a URL in the browser address bar. No idea if that's true at this time.

freitasm

#2636554 16-Jan-2021 16:31

It doesn't need to be local. Remote will work.

freitasm

#2636564 16-Jan-2021 16:57


Whoever says this cannot be activated remotely is underestimating the flaw.

Update: It seems it can only be remotely activated with Microsoft Edge (non-Chromium).

Workaround: do not use Microsoft Edge (non-Chromium) or Internet Explorer. Do not open downloaded files from unknown/untrusted sources (any browser).

waikariboy

#2636596 16-Jan-2021 19:48

freitasm:

Whoever says this cannot be activated remotely is underestimating the flaw.

Update: It seems it can only be remotely activated with Microsoft Edge (non-Chromium).

Workaround: do not use Microsoft Edge (non-Chromium) or Internet Explorer. Do not open downloaded files from unknown/untrusted sources (any browser).

This video shows Edge Chromium and it working

https://www.youtube.com/watch?v=8tyqVus-QdA

Balm its gone!

freitasm

#2636599 16-Jan-2021 19:57


That is a local file, not a hosted file.

When opening a local file browsers can access the file system. When opening a remote file that access is blocked.

The exception to this rule are Microsoft Edge (non-Chromium) and Internet Explorer.

gehenna

#2636611 16-Jan-2021 20:52

Thanks for sharing this. Far out, the year in infosec has started strong!

gzt

#2636725 16-Jan-2021 23:36

Edge is automatically disabled if Edge Chromium is installed. Edge is not included in fresh installs of 20H2.

Internet Explorer: don't know.
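The two posts above (freitasm's workaround of not using non-Chromium Edge or Internet Explorer, and gzt's note that legacy Edge is disabled once Edge Chromium is installed) come down to an inventory question: which of those browsers is present on the machine, and which one handles http links by default. The PowerShell below is an added example written for this page, not code from the thread or from Microsoft. It assumes that legacy (EdgeHTML) Edge is the Appx package Microsoft.MicrosoftEdge, that Edge Chromium installs msedge.exe under Program Files (x86)\Microsoft\Edge, that IE11 is the optional feature Internet-Explorer-Optional-amd64 (querying it needs an elevated prompt), and that the default-handler ProgIds are MSEdgeHTM for Edge Chromium, IE.HTTP for Internet Explorer and an AppX... string for legacy Edge.

```powershell
# Added example, not from the thread or from Microsoft. Inventories the browsers
# the thread's workaround is about (legacy EdgeHTML Edge, Internet Explorer)
# next to Edge Chromium, and flags whether the current user's default http
# handler is one of the two the workaround says not to use.
#
# Assumptions (not stated in the thread): legacy Edge = Appx package
# Microsoft.MicrosoftEdge; Edge Chromium = msedge.exe under Program Files (x86);
# IE11 = optional feature Internet-Explorer-Optional-amd64 (needs elevation to
# query); default-browser ProgIds: MSEdgeHTM (Edge Chromium), IE.HTTP (IE),
# AppX... (legacy Edge).

function Get-BrowserExposure {
    [CmdletBinding()]
    param()

    # Legacy Edge shipped as a UWP package; Get-AppxPackage reports it for the current user.
    $legacyEdge = Get-AppxPackage -Name 'Microsoft.MicrosoftEdge' -ErrorAction SilentlyContinue
    $legacyEdgeVersion = if ($legacyEdge) { [string]$legacyEdge.Version } else { $null }

    # Edge Chromium is a classic install; on 32-bit Windows there is no (x86) folder.
    $pf86 = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    $edgeChromiumPath = Join-Path $pf86 'Microsoft\Edge\Application\msedge.exe'
    $edgeChromium = Test-Path -LiteralPath $edgeChromiumPath

    # IE11 is an optional feature; the query fails without elevation, so report that.
    $ieState = try {
        [string](Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction Stop).State
    } catch {
        'Unknown (query needs an elevated prompt)'
    }

    # The per-user default http handler is recorded as a ProgId under UserChoice.
    $userChoice = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice' -ErrorAction SilentlyContinue
    $progId = if ($userChoice) { [string]$userChoice.ProgId } else { '' }

    $defaultBrowser = switch -Regex ($progId) {
        '^MSEdgeHTM$' { 'Edge (Chromium)'; break }
        '^IE\.HTTP$'  { 'Internet Explorer'; break }
        '^AppX'       { 'Edge (legacy EdgeHTML)'; break }   # assumption: legacy Edge used an AppX ProgId
        default       { "Other ($progId)" }
    }

    # Compare the default handler against the thread's workaround list.
    $inWorkaroundList = $defaultBrowser -in @('Edge (legacy EdgeHTML)', 'Internet Explorer')

    [pscustomobject]@{
        LegacyEdgePresent       = [bool]$legacyEdge
        LegacyEdgeVersion       = $legacyEdgeVersion
        EdgeChromiumPresent     = $edgeChromium
        InternetExplorerState   = $ieState
        DefaultHttpHandler      = $defaultBrowser
        DefaultInWorkaroundList = $inWorkaroundList
    }
}

# Usage: one object per machine; DefaultInWorkaroundList = True means the
# browser that opens http links is one the workaround says not to use.
Get-BrowserExposure | Format-List
```

Presence of the legacy package does not by itself mean it is the active browser (gzt's point about it being disabled alongside Edge Chromium), so the DefaultHttpHandler line is the one to read against the workaround; the IE state is only available when the script runs elevated.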

freitasm

#2636726 17-Jan-2021 00:05


Still, there are quite a lot of people using old Edge (IE volume is not representative these days).

ech3lon

#2636995 17-Jan-2021 19:10

Since no one has posted, the whole thing is a whole lot of nothing.

It's essentially an NTFS bug that triggers/sets the hard drive "dirty" flag, which usually means Windows will schedule chkdsk on next start-up.
It is a bug, as explained here (https://www.youtube.com/watch?v=PtHTqmp-Jt8), as marking a disk as "dirty" normally requires elevated privileges/admin.

I'd suppose it would be an addition to the collection of "tools" those phone/website scammers could use that make it look impressively legitimate.

Gordy7

#2637004 17-Jan-2021 19:23

Would using exFAT instead of NTFS get around the issue?
Does exFAT have any other advantages?


Gordy
My first ever network connection was a 1MHz AM crystal (OA91) radio receiver.

SirHumphreyAppleby

#2637007 17-Jan-2021 19:32

Gordy7: Would using exFAT instead of NTFS get around the issue?
Does exFAT have any other advantages?

Yes.

Does exFAT have any advantages? I'd say not. For internal file systems, NTFS is still your best option.

timmmay

#2637011 17-Jan-2021 19:57

Everyone here, and hopefully all our families, should have sufficient backups that losing your entire hard drive is an inconvenience. Have you done a restore lately? I schedule restore tests of my home machine backups for twice a year, and so far, so good.

Hammerer

#2637332 18-Jan-2021 12:54

Clearing the NTFS dirty bit, if that is the only problem, isn't too hard.

https://www.raymond.cc/blog/manually-reset-or-clear-dirty-bit-in-windows-without-chkdsk/2/
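As a check for what ech3lon and Hammerer describe above (the dirty flag getting set, chkdsk being queued for the next start-up, and clearing it afterwards), here is an added PowerShell example written for this page, not code from the thread or from Microsoft. It reads the dirty bit on each fixed NTFS volume with chkntfs and looks at the Session Manager BootExecute value for a queued autochk. It assumes en-US chkntfs output ("X: is dirty." / "X: is not dirty.") and that a manually queued check shows up in BootExecute as an autochk entry naming the volume as \??\X:. Run it from an elevated prompt; fsutil dirty query, the other way to read the bit, refuses to run unelevated.

```powershell
# Added example, not from the thread or from Microsoft. Reports, per fixed NTFS
# volume, whether the dirty bit is set (the symptom the thread describes) and
# whether a boot-time autochk has been queued. Run from an elevated PowerShell.
#
# Assumptions (not stated in the thread): en-US `chkntfs X:` output contains
# "X: is dirty." or "X: is not dirty."; a manually queued check appears in the
# BootExecute value as an autochk entry naming the volume as \??\X:.

function Get-NtfsDirtyState {
    [CmdletBinding()]
    param()

    # REG_MULTI_SZ: one string per program Session Manager runs at boot.
    # The stock entry "autocheck autochk *" means "check any volume whose dirty
    # bit is set"; an extra entry naming a volume means a check was queued explicitly.
    $bootExecute = @((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').BootExecute)

    # Only fixed NTFS volumes with a drive letter; exFAT/FAT volumes have no NTFS dirty bit to read this way.
    $volumes = Get-Volume |
        Where-Object { $_.FileSystemType -eq 'NTFS' -and $_.DriveLetter -and $_.DriveType -eq 'Fixed' }

    foreach ($v in $volumes) {
        $letter = '{0}:' -f $v.DriveLetter

        # chkntfs without switches only reports; it does not schedule or clear anything.
        $output = ((& chkntfs.exe $letter 2>&1) | ForEach-Object { [string]$_ }) -join "`n"

        # Test the negative phrase first: "is not dirty" must not be read as dirty.
        $dirty = if ($output -match 'is not dirty') { $false }
                 elseif ($output -match 'is dirty') { $true }
                 else { $null }   # unexpected or localised output: unknown

        # A queued autochk for this volume names it as \??\X: in BootExecute (assumption).
        $volumePattern = [regex]::Escape("\??\$letter")
        $queued = @($bootExecute | Where-Object { $_ -match 'autochk' -and $_ -match $volumePattern }).Count -gt 0

        [pscustomobject]@{
            Volume        = $letter
            Label         = $v.FileSystemLabel
            DirtyBit      = $dirty
            AutochkQueued = $queued
            ChkntfsOutput = $output.Trim()
        }
    }
}

# Usage: list every fixed NTFS volume; DirtyBit = True is the state the thread
# describes, and autochk * will run chkdsk on that volume at the next boot.
Get-NtfsDirtyState | Format-Table Volume, Label, DirtyBit, AutochkQueued -AutoSize
```

A volume showing DirtyBit = True with AutochkQueued = False is exactly ech3lon's case: nothing was explicitly scheduled, but the stock autochk * entry will still run chkdsk on it at the next start-up. If that volume is the system disk, take the backup timmmay talks about before rebooting, given the boot failures mentioned further down the thread.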


Varkk

#2637351 18-Jan-2021 13:21

I have heard of some drives not being bootable after being hit with this and rebooting. After a scan it then reboots and gives a 0x0000007B BSOD.

Hammerer

#2637362 18-Jan-2021 13:48

Varkk:

I have heard of some drives not being bootable after being hit with this and rebooting. After a scan it then reboots and gives a 0x0000007B BSOD.

Yes, having the Windows system disk affected will be a bigger job.

Booting from a USB drive/recovery disk and running the fix might also require changing BIOS/UEFI options.