Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A recently published flaw in several versions of Windows allows an attacker to crash the system when Autoplay mounts a USB drive containing a malformed NTFS image.
- Microsoft doesn’t see the issue as necessitating a security patch, but it’s not seeing the big picture: This Autoplay exploit could be used by malware to wreak havoc on Windows systems.
Plugging a USB drive containing a malformed NTFS image into a Windows machine can cause it to bluescreen in mere seconds, according to Marius Tivadar of BitDefender.
Tivadar recently published his NTFS image on GitHub after dissatisfaction with Microsoft’s response. He initially reported the bug in July 2017, and “they did not want to assign CVE for it nor even to write me when they fixed it,” Tivadar said.
Microsoft replied to Tivadar, saying “Your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level (issuing a security patch).”
Attempts to test the code have had varying results, with one commenter on Bleeping Computer saying the bug doesn’t work as Tivadar claims. Whether or not Tivadar’s code is as effective as he said it is doesn’t matter, as another Bleeping Computer commenter said.
The important point is that there’s a serious security risk in Windows systems: Autoplay will mount any volume inserted into the system, even if the machine is locked.
How Autoplay is crashing Windows machines
Tivadar gives a thorough breakdown of the technical aspects of his proof-of-concept (POC) exploit in a PDF accompanying the POC’s GitHub project.
Using a 10MB NTFS image with some modified root directory names, Tivadar was able to crash Windows 7 and Windows 10 systems tested in July 2017. It didn’t matter whether the systems were locked or not–Autoplay mounted the image and crashed the screen in seconds.
SEE: Securing Windows policy (Tech Pro Research)
Autoplay, which is enabled by default in all versions of Windows, is the root of the problem here. Disabling Autoplay can prevent the NTFS image from automatically crashing Windows systems, but manually opening it has the same result.
Manually crashing the system is still troubling, and Microsoft should act to prevent the NTFS exploits Tivadar used from crashing Windows, but it isn’t the key issue–Autoplay is.
“Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine,” Tivadar said. The security concern doesn’t end there, however: Tivadar’s POC may require physical access to a machine and may not be a huge security risk, Microsoft is wrong to treat it as a trivial issue.
“It is not necessary to have an usb stick,” Tivadar said. “A malware for example could drop a tiny NTFS image and mount it somehow, thus triggering the crash.” If that malware was properly coded it could do more than just crash Windows: It could unleash other exploits as the system reboots or do things that can only be speculated on, and it could do them all because Microsoft failed to see the bigger, more serious, picture behind Tivadar’s particular discovery.
Let’s hope it doesn’t come to that. Until then, it may not be a bad idea to disable Autoplay on your Windows computers.