Microsoft fixes 0-day NTFS corruption bug

In January 2021, users and the media noticed that an unpatched 0-day bug in Windows 10 (and older OS versions, including Windows XP) allows corrupting the NTFS file system structure with a one-line command.

The problem was discovered last year by cybersecurity researcher Jonas Likkegaard. In August and October 2020, he already tried to draw attention to this bug, but achieved success only in 2021.

A bug and NTFS corruption can be triggered by simply trying to access the NTFS $ i30 attribute in a specific way. Below you can see an example of such a dangerous one-line command. Warning: do not test the bug on your own running system, rather use a virtual machine for this!

0-day NTFS bug

An exploit for this problem could be hidden inside a shortcut file, ZIP archive, batch files, and so on, and such files caused immediate damage to the file system structure.

While Microsoft engineers explained that the drive was not actually damaged and chkdsk would successfully fix the problem, some users reported that chkdsk didn’t work for them, and Windows 10 still refused to boot.

It was supposed that a fix for this error would appear in February, but this did not happen. Then the Mozilla developers added a special check to Firefox 85.0.1 to prevent access to the problematic path, and the OSR specialists prepared an unofficial open source patch for this error.

“OSR, a software development company specializing in Windows internals, has released an open-source filter driver that prevents the NTFS bug from being abused while waiting for an official fix from Microsoft”, — reported Bleeping Computer journalists.

Now, a fix has finally been added to Windows 10 Insider Build 21322 that prevents access to the problematic path. If user tries to run the above command, the system will respond with “Invalid directory name” and will no longer mark the drive as damaged.

0-day NTFS bug

But, unfortunately, so far the patch can be applied only for Windows 10 Insider “Dev”, but not Windows 10 21H1 “Beta”, which is due out this spring.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button