🛑 Windows 10 vulnerability can corrupt drives

Forums › Microsoft Windows › 🛑 Windows 10 vulnerability can corrupt drives - please read

freitasm

BDFL - Memuneh
79306 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#280869 16-Jan-2021 15:48

Right now there's a Windows 10 vulnerability that can corrupt NTFS-based drives on Windows systems. Microsoft is working to create a patch.

Until Windows machines are completely patched, it is recommended not to open links without checking domain target.

The vulnerability can be invoked through command line, through a link to an invalid URL or even by inserting a broken image in a webpage. By the time the browser tries to render the image/link the filesystem is already compromised.

The only SAFE WAY to browse is to either use Windows Sandbox or a virtual machine (with a checkpoint you can go back to if needed). Any link or image could potentially be harmful.

More information here. If you see something like below then it's too late:

gzt

17157 posts

Uber Geek

Lifetime subscriber

#2636553 16-Jan-2021 16:23

Linked article refers to a .url local file and other local methods. Microsoft are advising this requires social engineering to execute. Ie; file download or command run locally. I just read an article with a claim this can work with only a url in the browser address bar. No idea if that's true at this time.

freitasm

BDFL - Memuneh
79306 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2636554 16-Jan-2021 16:31

It doesn't need to be local. Remote will work.

freitasm

BDFL - Memuneh
79306 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2636564 16-Jan-2021 16:57

Whoever says this can not be activated remotely, is underestimating the flaw.

Update: It seems it can only be remotely activated with Microsoft Edge non-Chromium.

Workaround: do not use Microsoft Edge (non-Chromium) or Internet Explorer. Do not open downloaded file from unknown/untrusted source (any browser).

waikariboy

902 posts

Ultimate Geek

ID Verified

Trusted

#2636596 16-Jan-2021 19:48

freitasm:

Whoever says this can not be activated remotely, is underestimating the flaw.

Update: It seems it can only be remotely activated with Microsoft Edge non-Chromium.

Workaround: do not use Microsoft Edge (non-Chromium) or Internet Explorer. Do not open downloaded file from unknown/untrusted source (any browser).

This video show Edge Chromium and it working

https://www.youtube.com/watch?v=8tyqVus-QdA

Balm its gone!

freitasm

BDFL - Memuneh
79306 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2636599 16-Jan-2021 19:57

That is a local file, not a hosted file.

When opening a local file browsers can access the file system. When opening a remote file that access is blocked.

The exception to this rule are Microsoft Edge (non-Chromium) and Internet Explorer.

gehenna

8518 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#2636611 16-Jan-2021 20:52

Thanks for sharing this. Far out, the year in infosec has started strong!

gzt

17157 posts

Uber Geek

Lifetime subscriber

#2636725 16-Jan-2021 23:36

Edge is automatically disabled if Edge Chromium is installed. Edge is not included in fresh installs of 20H2.

Internet Explorer don't know.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

freitasm

BDFL - Memuneh
79306 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2636726 17-Jan-2021 00:05

Still, there is quite a lot of people using old Edge (IE volume is not representative these days).

ech3lon

369 posts

Ultimate Geek

Subscriber

#2636995 17-Jan-2021 19:10

Since no one has posted, the whole thing is a whole lot of nothing.

It's essentially an NTFS bug that trigger/set hard-drive "dirty" flag, which usually means Windows will schedule chkdsk on next start up.
It is a bug, as explained here (https://www.youtube.com/watch?v=PtHTqmp-Jt8), as marking a disk as "dirty" normally requires elevated priviledges/admin.

I'd suppose it would be an addition to the collection of "tools" those phone/website scammers could use that make it looks impressively legitimate.

Gordy7

1906 posts

Uber Geek

ID Verified

Lifetime subscriber

#2637004 17-Jan-2021 19:23

Would using exFAT instead of NTFS get around the issue?
Does exFAT have any other advantages?

Gordy

My first ever AM radio network connection was with a 1MHz AM crystal(OA91) radio receiver.

SirHumphreyAppleby

2849 posts

Uber Geek

#2637007 17-Jan-2021 19:32

Gordy7: Would using exFAT instead of NTFS get around the issue?
Does exFAT have any other advantages?

Yes.

Does exFAT have any advantages? I'd say not. For internal file systems, NTFS is still your best option.

timmmay

20589 posts

Uber Geek

Trusted

Lifetime subscriber

#2637011 17-Jan-2021 19:57

Everyone here, and hopefully all our families, should have sufficient backups that losing your entire hard drive is an inconvenience. Have you done a restore lately? I schedule restore tests of my home machine backups for twice a year, and so far, so good.

Hammerer

2476 posts

Uber Geek

Lifetime subscriber

#2637332 18-Jan-2021 12:54

Clearing the NTFS dirty bit, if that is the only problem, isn't too hard.

https://www.raymond.cc/blog/manually-reset-or-clear-dirty-bit-in-windows-without-chkdsk/2/

Varkk

643 posts

Ultimate Geek

#2637351 18-Jan-2021 13:21

I have heard of some drives not being bootable after being hit with this and rebooting. After a scan it then reboots and gives a 0x0000007B BSOD.

Hammerer

2476 posts

Uber Geek

Lifetime subscriber

#2637362 18-Jan-2021 13:48

Varkk:

I have heard of some drives not being bootable after being hit with this and rebooting. After a scan it then reboots and gives a 0x0000007B BSOD.

Yes, having the Windows system disk affected will be a bigger job.

Booting from a USB drive/recovery disk and running the fix might also require changing BIOS/UEFI options.