• Zero day Windows 10 bug


    #2334907

    Topic: A Zero-day Windows 10 bug corrupts your hard drive on seeing this file’s icon @ AskWoody This is one of those … okay let’s be careful out the
    [See the full post at: Zero day Windows 10 bug]

    Susan Bradley Patch Lady/Prudent patcher

    3 users thanked author for this post.
    Viewing 9 reply threads
    • #2334918

      If you received an attachment in an e-mail and wanted to be sure it was safe, it seems that you would have to download it to your device first in order to check it out at either of those sites. If it has a bug in it, is it OK to sit there (perhaps temporarily) on your device so as to check it out as long as you didn’t open the file?

      • #2334925

        I typically do the downloading/uploading on a device I don’t care about/air-gapped from the rest of the computers. If it’s a link it’s easy to check. As you say if it’s an attachment it’s a bit harder to do. Interestingly enough many of the attachments I see these days are benign pdfs and word docs that then want you to click on an html link and it’s THAT link that is the malicious one. They obviously do this to bypass detection.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
        • #2334935

          Susan, These days, starting some three months ago, I have been receiving unusually high numbers (for me) of email designated as “Junk” by my email client: some 15-20 a day in my one email address. Most of them have, among other URL links, one to “unsubscribe.” They are mostly about ways of getting free government money, big discounts when subscribing to buy whatever I don’t care for from somewhere or other I’ve never heard of, etc. I look at their addresses and subjects in the “Junk” box left-hand bar without opening any of them and trash them right away, except for a few occasional legitimate letters, mostly from friends and colleagues in other countries, that certainly do not come with URL links to “unsubscribe”, but tend to end up systematically in the Junk box, who knows why. This has been discussed before in another thread; the general agreement there was that clicking any hyperlinks, including “unsubscribe” in some dubious email is not a great idea.

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #2335004

        If you received an attachment in an e-mail and wanted to be sure it was safe, it seems that you would have to download it to your device first in order to check it out at either of those sites. If it has a bug in it, is it OK to sit there (perhaps temporarily) on your device so as to check it out as long as you didn’t open the file?

        This is where logging into a webmail account has its advantages over client-installed email programs. IOW, by using webmail, it’s never downloaded to your device (unless you wish to do so); it’s only visible in your online mail account, which can be checked via VT/purged from therein.

        If debian is good enough for NASA...
        3 users thanked author for this post.
        • #2335037

          I do have web-based e-mail – a Yahoo version that is supported by a major telecommunications company. I tested the procedure out by sending an e-mail to myself with one of my files attached. I went to the e-mailer’s Documents folder (which has a listing of every document attached to any e-mail I have received). There is a URL for the file. I then submitted the URL to VirusTotal and it provides a report for the file.

          Your post was very helpful in pointing me in the right direction for checking an attachment without actually downloading it. I had never realized before that every file attachment in an e-mail has a URL!

        • #2335047

          If you received an attachment in an e-mail and wanted to be sure it was safe, it seems that you would have to download it to your device first in order to check it out at either of those sites. If it has a bug in it, is it OK to sit there (perhaps temporarily) on your device so as to check it out as long as you didn’t open the file?

          This is where logging into a webmail account has its advantages over client-installed email programs. IOW, by using webmail, it’s never downloaded to your device (unless you wish to do so); it’s only visible in your online mail account, which can be checked via VT/purged from therein.

          How would you check a webmail attachment against VirusTotal without downloading it?

          • #2335067

            How would you check a webmail attachment against VirusTotal without downloading it?

            @b:
            At the risk of getting off topic by replying here, I have created a new topic at #2335064.

            Perhaps @Microfix could chime in.

            Thanks.

            1 user thanked author for this post.
        • #2335074

          This is where logging into a webmail account has its advantages over client-installed email programs. IOW, by using webmail, it’s never downloaded to your device (unless you wish to do so); it’s only visible in your online mail account, which can be checked via VT/purged from therein.

          Something I have wondered about: how sure are you that there IS a difference? Will just seeing a header be a potential problem? If you auto-view emails, all bets are off for both modes would be my guess.

          🍻

          Just because you don't know where you are going doesn't mean any road will get you there.
          • #2335079

            For this particular bug, a shortcut (or zip file contents) has to be viewed on the local file system to trigger the false disk corruption notice. So checking an attachment without downloading it could be beneficial (and email headers are not involved).
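            The webmail-plus-VirusTotal approach suggested in #2335004 and #2335037, together with the point above that the file has to be rendered on the local file system to trigger the bug, as an added example that is not from this thread: look an attachment up by its URL or by a hash computed from streamed bytes, so nothing is ever written to a folder Explorer could render. It assumes a VirusTotal v3 API key in a `VT_API_KEY` environment variable and uses only the public v3 endpoints `/api/v3/urls/{id}` and `/api/v3/files/{sha256}`.

```python
"""Check an e-mail attachment on VirusTotal without it landing on local disk.
Added example (not from the thread). Assumes VT_API_KEY holds a v3 API key."""
import base64
import hashlib
import json
import os
import sys
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def url_id(url: str) -> str:
    """VirusTotal's identifier for a URL: URL-safe base64 with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def sha256_of_stream(chunks) -> str:
    """Hash attachment bytes as they stream past. Nothing is written to disk,
    so Explorer never gets a chance to render the file or its icon."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def vt_lookup(path: str) -> dict:
    """GET one VirusTotal v3 object and return its last_analysis_stats counts."""
    req = urllib.request.Request(
        f"{VT_API}/{path}", headers={"x-apikey": os.environ["VT_API_KEY"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        attrs = json.load(resp)["data"]["attributes"]
    return attrs["last_analysis_stats"]


def check_attachment_url(url: str) -> dict:
    """Verdict for an attachment URL (e.g. from webmail's Documents view)."""
    return vt_lookup(f"urls/{url_id(url)}")


def check_attachment_bytes(chunks) -> dict:
    """Verdict for attachment bytes streamed from the mail server."""
    return vt_lookup(f"files/{sha256_of_stream(chunks)}")


if __name__ == "__main__":
    # Usage: vt_check.py <attachment-url>   or   <stream bytes> | vt_check.py -
    if sys.argv[1] == "-":
        print(check_attachment_bytes(iter(lambda: sys.stdin.buffer.read(65536), b"")))
    else:
        print(check_attachment_url(sys.argv[1]))
```

A URL or hash VirusTotal has never seen answers with HTTP 404; in that case submit the URL with a POST to `/api/v3/urls` first, which still keeps the file off your own disk.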

    • #2334934

      This vulnerability seems very serious to me, so to open the conversation, if I understand this correctly, the danger is not of a reversible encryption of data, as with ransomware, but its actual corruption, making it irreversibly useless.

      If that is correct, then I would think that this zero-day may open the way for attacking primarily large business corporations, including financial ones, and government installations both civil and military, where the loss of useful data stored in hard disks or SSD could be a dire thing. But this might be considerably less of a threat for home and small business users, as they are much smaller fish.

      The latter users may still be menaced by crooks exploiting this vulnerability, for example as extortion-backing threats, the same as they may be threatened by ordinary extortionists and blackmailers by other means, but my guess is that the probability of some person or small business becoming the target of a cyber attack exploiting this zero-day vulnerability is considerably less than that of a bank.

      There could be other ways exploiting this vulnerability that can be particularly dangerous to certain people or organizations, but someone more familiar with this topic can explain them.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).


      1 user thanked author for this post.
      • #2334943

        The corruption can be fixed, but obviously it’s not something that anyone would willingly want to happen to their systems.

        Susan Bradley Patch Lady/Prudent patcher

        • #2334944

          Bleeping Computer has also tested the bug in a variety of different ways, and notes that it will prompt Windows 10 users to reboot a PC to repair the corrupted disk records. The reboot will trigger the Windows chkdsk process, which should successfully repair the corruption.


          Susan Bradley Patch Lady/Prudent patcher

          2 users thanked author for this post.
        • #2334948

          I just added this to the Post:

          I spotted on Windows 10 NTFS $i30 File Corruption | AttackerKB

          Attackers can remotely exploit this vulnerability to make Windows think a drive is corrupted even though it is not. Successfully resolving this issue will require users to reboot Windows and run a disk check on the corrupted drive, after which Windows will be convinced that the drive is no longer corrupted.

          It’s not really corrupted after all.

          Susan Bradley Patch Lady/Prudent patcher

          1 user thanked author for this post.
          • #2334954

            As described in the article, it seems more like an annoying joke, or a way to make people waste time and effort for nothing. In some emergency situations where it is essential to use a computer quickly, it could be bad enough. What other reasons for doing this are there?

            Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).


          • #2335114

            Attackers can remotely exploit this vulnerability to make Windows think a drive is corrupted even though it is not.

            I’ve not been able to find any documented method of this being triggered remotely (except via legacy Edge which apparently allows a remote server to reference a local file).

    • #2335002

      to check it out at either of those sites.

      If you send a file with the line to VirusTotal the site will open the file and it will crash their servers.

      • #2335111

        Do you have any reason to think VirusTotal runs on Windows, the minority web server OS?

    • #2335003

      it seems more like an annoying joke

      It is a bug, not a joke, in Windows, probably since XP. Where there is a bug there are hackers that will be more than willing to exploit it.

      1 user thanked author for this post.
    • #2335006

      VirusTotal the site will open the file and it will crash their servers.

      VirusTotal doesn’t crash, it only gives scan results by multiple engines, for the free anonymous account of VirusTotal too;

      For instance: the URL of this page [ https://www.askwoody.com/forums/topic/zero-day-windows-10-bug/#post-2335002 ] gives this result:


      This method is very accurate, for files too.
      Using Autoruns with the scan option to verify at the Virus Total site is very reliable.


      * _ ... _ *
      1 user thanked author for this post.
      • #2335010

        looks like alex had you hooked in Fred 🙂
        Thanks for checking for the benefit of those who were unsure.

        If debian is good enough for NASA...
        2 users thanked author for this post.
        • #2335013

          no problem, I have had a pro account at VirusTotal for many years

          * _ ... _ *
      • #2335088

        @Fred,

        I know how VirusTotal works, but ‘it only gives scan results’ means the service ‘opens and reads’ the bug file multiple times. That scan is run on servers. If these servers run Windows they will crash.

        • #2335112

          Displaying an icon triggers the crash. Do you think VirusTotal does that?

    • #2335011

      it seems more like an annoying joke

      It is a bug, not a joke, in Windows, probably since XP. Where there is a bug there are hackers that will be more than willing to exploit it.

      really, is it sensible to click a link to reboot and use checkdisk on a drive for faults automatically?
      doing this checkdisk manually is more secure I reckon

      * _ ... _ *
      • #2335050

        really, is it sensible to click a link to reboot and use checkdisk on a drive for faults automatically?
        doing this checkdisk manually is more secure I reckon

        chkdsk /f runs after restart and it makes no difference how that restart is initiated.

    • #2335048

      Avast/AVG blocks any page that mentions the command which triggers the corruption flag:

      Avast blocking Youtube video

      • #2335089

        That is censorship.
        Does Avast block BleepingComputer, Verge, AskWoody…?

        • This reply was modified 4 years, 1 month ago by Alex5723.
        • #2335104

          AV can be disabled if you want to live dangerously.

          Are those sites you mention considered dangerous in any way?

          I presume you disable SmartScreen in both Windows and Edge, and that you don’t use any ad or script blocker in any browser?

    • #2335108

      That scan is run on servers. If these servers run Windows they will crash.

      This is quite an assumption.
      I am sure VirusTotal will not tell how they do their job. This kind of server layout/policy is strictly a company secret;
      Anyway, I never published for outsiders any kind of server/network architecture that I was responsible for, not even to the central government. For instance, the same story is valid for some VPN layouts, and how to handle the so-called IP blacklisting in a separate content editing environment like WordPress, that everybody here is so sure about.

      * _ ... _ *
    • #2335120

      “We are aware of this issue and will provide an update in a future release,” says a Microsoft spokesperson in a statement to The Verge. “The use of this technique relies on social engineering and as always we encourage our customers to practice good computing habits online, including exercising caution when opening unknown files, or accepting file transfers.”

      Microsoft to fix Windows 10 bug that can corrupt a hard drive just by looking at an icon

      1 user thanked author for this post.
    • #2337926

      A fix has been posted on GitHub for OSRDrivers / i30Flt
