
Windows 10 bug corrupts your hard drive on seeing this file's icon.

OnesAndZeroes10

Summary

New vulnerability allows attackers to corrupt any NTFS-formatted disc with a single command.

 

Quotes

Quote

An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command.

In multiple tests by BleepingComputer, this one-liner can be delivered hidden inside a Windows shortcut file, a ZIP archive, batch files, or various other vectors to trigger hard drive errors that corrupt the filesystem index instantly.

 

Sources

Windows 10 bug corrupts your hard drive on seeing this file's icon (bleepingcomputer.com)


According to the comments within that link, others have not been able to replicate permanent corruption. Meaning, it's able to detect and correct the error from a chkdsk /f command.

 

It's possible that due to a prior bug in Windows that would corrupt if you ran a chkdsk /f, this new bug may have a compounding result. Essentially, two separate Windows bugs working together to destroy the volume.

 

I wouldn't take my chances though. Be sure to have a full back up of your computer. Hopefully a patch is issued ASAP!


1 hour ago, StDragon said:

According to the comments within that link, others have not been able to replicate permanent corruption. Meaning, it's able to detect and correct the error from a chkdsk /f command.

 

It's possible that due to a prior bug in Windows that would corrupt if you ran a chkdsk /f, this new bug may have a compounding result. Essentially, two separate Windows bugs working together to destroy the volume.

 

I wouldn't take my chances though. Be sure to have a full back up of your computer. Hopefully a patch is issued ASAP!

Yeah, I read this; it isn't really clear at all to me, and, in that regard, the article is written really badly and kinda sensationalist.

 

So it can fix the problem, but it's not guaranteed, basically? What was the version with the corrupted chkdsk again?

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


1 hour ago, Mark Kaine said:

Yeah, I read this; it isn't really clear at all to me, and, in that regard, the article is written really badly and kinda sensationalist.

Slightly sensationalist...but it does actually have a good point in terms of exploitability (in the sense how easy it would be to make someone corrupt their computer).  You could easily add in a clickable link in a word document to exploit it (and trust me, if it was sent to a list of people at work I can guarantee someone would click it).

 

Anytime chkdsk needs to be run though, there is always a chance it doesn't repair things correctly.

3735928559 - Beware of the dead beef


Windows Defender is probably already detecting this string so I wouldn't worry even if the issue isn't actually fixed.


@OnesAndZeroes10, this thread fails to comply with guidelines for Tech News section. Your summary is very thin, and you are missing your personal input. This should be your own thoughts about the news, maybe why you wanted to share this. If you don't fix the thread, it will be moved out from Tech News section.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


2 hours ago, RejZoR said:

Windows Defender is probably already detecting this string so I wouldn't worry even if the issue isn't actually fixed.

Nope, Windows Defender does not detect the string nor does it prevent Explorer from parsing it. Easy enough to verify e.g. in a VM, if you wish.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


7 minutes ago, WereCatf said:

Nope, Windows Defender does not detect the string nor does it prevent Explorer from parsing it. Easy enough to verify e.g. in a VM, if you wish.

I'm gonna fire up Windows 10 on my ESXi box and try it out. I might even record it.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


31 minutes ago, WereCatf said:

Nope, Windows Defender does not detect the string nor does it prevent Explorer from parsing it. Easy enough to verify e.g. in a VM, if you wish.

That's weird, given that they literally do this on shutdown strings/commands and will flag your tools if you make a shutdown tool for legit use. Also, updating signatures takes minutes and protects everyone. Why they wouldn't use it is just funny then.


5 hours ago, wanderingfool2 said:

Slightly sensationalist...but it does actually have a good point in terms of exploitability (in the sense how easy it would be to make someone corrupt their computer).  You could easily add in a clickable link in a word document to exploit it (and trust me, if it was sent to a list of people at work I can guarantee someone would click it).

 

Anytime chkdsk needs to be run though, there is always a chance it doesn't repair things correctly.

Yeah, slightly sensationalist is what I meant. Also, in the first paragraph they explain that you can get it any time while browsing, because...

 

And then they get kinda lengthy about shortcuts and zips; it's just not written well, and it's not the first time I notice this with this outlet, but that's whatever. I just wished for clearer information... like, for example, why Defender can or cannot recognize this string (seems easy enough) or why Microsoft refused to do anything when their alleged mantra is security over everything...

 

 


14 minutes ago, Mark Kaine said:

Yeah, slightly sensationalist is what I meant. Also, in the first paragraph they explain that you can get it any time while browsing, because...

 

And then they get kinda lengthy about shortcuts and zips; it's just not written well, and it's not the first time I notice this with this outlet, but that's whatever. I just wished for clearer information... like, for example, why Defender can or cannot recognize this string (seems easy enough) or why Microsoft refused to do anything when their alleged mantra is security over everything...

 

 

It can't be just that string, because it can be ANY variation of that string 

For example, you can say C:\$i30\$bitmap but you can also say C:\.\windows\..\$i30\\\\$bitmap and it would probably still work (. is the current folder, .. is go back a folder; the path is parsed, resolved and simplified). You could also randomly use / instead of \ because Windows supports both (as a sort of compatibility with Linux or programs ported from Linux).

... so do you expect antiviruses to parse any text as possible paths and attempt to simplify them? 

The article just gives that path as something short and simple ... you can't go whack-a-mole making the antivirus have every possible combination of path that could corrupt something ... you fix the underlying problem.

 


9 minutes ago, mariushm said:

For example, you can say C:\$i30\$bitmap  but you can also say C:\.\windows\..\$i30\\\\$bitmap

And why can just "$i30" not be blocked? I don't really understand why the rest matters... 🤔


Just now, Mark Kaine said:

And why can't "$i30" not be blocked? I don't really understand why the rest matters... 🤔

Do you have any statistics about how many people in this world or how many applications create files that contain $i30 in their names or folders? 

 

How about we make it even easier and disable writing $ in file and folder names, or let's just say that anything with a $ has a virus in it? Would that be acceptable for you?

 


8 minutes ago, mariushm said:

How about we make it even easier and disable writing $ in the file and folder names or let's just say that anything with a $ has a virus in it

Personally I wouldn't mind, but that's taking things a bit far imo... 

 

 

8 minutes ago, mariushm said:

Do you have any statistics about how many people in this world or how many applications create files that contain $i30 in their names or folders? 

So it *is* that easy... see that's exactly what I didn't understand in this article, yes block them all I say, should at least give the user the option to do so if they wish. 

 

Edit: unless really nearly every program in existence uses this string, then that wouldn't be a good solution obviously! 👀


4 minutes ago, Mark Kaine said:

So it *is* that easy... see that's exactly what I didn't understand in this article, yes block them all I say, should at least give the user the option to do so if they wish. 

You'd just be trying to fix the symptom instead of the actual cause. That's the incorrect approach.


5 minutes ago, WereCatf said:

You'd just be trying to fix the symptom instead of the actual cause. That's the incorrect approach.

would fixing that broken registry entry be an acceptable "fix"? 

 

I mean now I'm just wondering how they'd actually fix it... 


3 hours ago, Master Disaster said:

I'm gonna fire up Windows 10 on my ESXi box and try it out. I might even record it.

If you're doing this... after you got some results, try renaming your C drive to H: or something, I'm pretty sure that'd fix / prevent it! 

 

(no, not my idea, but seems like it could work... for now...) 


1 hour ago, Mark Kaine said:

And why can just "$i30" not be blocked? I don't really understand why the rest matters... 🤔

 

1 hour ago, mariushm said:

Do you have any statistics about how many people in this world or how many applications create files that contain $i30 in their names or folders? 

 

How about we make it even easier and disable writing $ in file and folder names, or let's just say that anything with a $ has a virus in it? Would that be acceptable for you?

 

Per Microsoft on NTFS Streams

 

"In the case of directories, there is no default data stream, but there is a default directory stream. Directories are the stream type $INDEX_ALLOCATION. The default stream name for the type $INDEX_ALLOCATION (a directory stream) is $I30. (This contrasts with the default stream name for a $DATA stream, which has an empty stream name.) The following are equivalent:

 

Dir C:\Users

Dir C:\Users:$I30:$INDEX_ALLOCATION

Dir C:\Users::$INDEX_ALLOCATION

 

Although directories do not have a default data stream, they can have named data streams. These alternate data streams are not normally visible, but can be observed from a command line using the /R option of the DIR command."

 

In addition $I30 also contains the $INDEX_ROOT and $BITMAP attribute. So no, it can't be blocked. Well, it might be blocked from user space but not the kernel. But that's purely a guess.

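The two technical points in this thread, mariushm's (a single spelling of a path is not a usable signature, because `.`, `..`, `/` and repeated `\` all resolve to the same place) and the Microsoft text StDragon quoted (a bare directory name, `name:$I30:$INDEX_ALLOCATION` and `name::$INDEX_ALLOCATION` all name the same stream), can both be shown with a small parser. The code below is an added example, not code from the thread, from BleepingComputer or from Microsoft; the names `normalize_path`, `parse_stream_ref`, `equivalent`, `naive_signature_hit`, `canonical_hit`, `mentions_i30` and `StreamRef` are the example's own, and the `is_dir` flag stands in for a filesystem lookup the example does not perform.

```python
"""
Added example for this thread (not code from BleepingComputer, Microsoft or
any poster): a normaliser for the path spellings mariushm lists and a parser
for the Win32 "name:stream:type" syntax in the Microsoft text StDragon
quoted. Every function and constant name here is the example's own.
"""
import re
from dataclasses import dataclass

# Defaults quoted from the Microsoft text in the thread: a directory's default
# stream is $I30 of type $INDEX_ALLOCATION; a file's is an unnamed $DATA stream.
DEFAULT_DIR_STREAM = "$I30"
DEFAULT_DIR_STREAM_TYPE = "$INDEX_ALLOCATION"
DEFAULT_FILE_STREAM_TYPE = "$DATA"

# The spelling the article uses, as quoted in the thread.
ARTICLE_PATH = r"C:\$i30\$bitmap"


@dataclass(frozen=True)
class StreamRef:
    path: str         # normalised drive-rooted path, e.g. C:\Users
    stream: str       # stream name; "" for the unnamed default data stream
    stream_type: str  # $DATA, $INDEX_ALLOCATION, ...


def normalize_path(raw: str) -> str:
    """Collapse the equivalences the thread lists: '/' as a separator, runs
    of separators, '.' (current directory) and '..' (parent directory).
    Drive-relative paths are treated as rooted; that is a simplification."""
    s = raw.replace("/", "\\")
    m = re.match(r"([A-Za-z]:)(.*)", s)
    if not m:
        raise ValueError("expected a drive-letter path")
    drive, rest = m.group(1).upper(), m.group(2)
    parts = []
    for part in rest.split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part)
    return drive + "\\" + "\\".join(parts)


def parse_stream_ref(raw: str, is_dir: bool = False) -> StreamRef:
    """Split the final component as name[:stream[:type]] and fill in the
    defaults. Whether a bare name is a directory cannot be known from the
    string alone, so the caller says so via is_dir (assumed, not looked up)."""
    norm = normalize_path(raw)
    head, _, last = norm.rpartition("\\")
    name, _, rest = last.partition(":")
    stream, _, stype = rest.partition(":")
    stream, stype = stream.upper(), stype.upper()
    if not stype:
        stype = DEFAULT_DIR_STREAM_TYPE if is_dir else DEFAULT_FILE_STREAM_TYPE
    if stype == DEFAULT_DIR_STREAM_TYPE and not stream:
        stream = DEFAULT_DIR_STREAM
    return StreamRef(path=head + "\\" + name, stream=stream, stream_type=stype)


def equivalent(a: str, b: str, is_dir: bool = False) -> bool:
    """True when two spellings name the same NTFS stream (NTFS names are
    case-insensitive, so the comparison folds case)."""
    ra, rb = parse_stream_ref(a, is_dir), parse_stream_ref(b, is_dir)
    return (ra.path.lower(), ra.stream, ra.stream_type) == \
           (rb.path.lower(), rb.stream, rb.stream_type)


def naive_signature_hit(text: str, signature: str = ARTICLE_PATH) -> bool:
    """What a plain substring signature sees: one spelling only."""
    return signature.lower() in text.lower()


def canonical_hit(text: str, signature: str = ARTICLE_PATH) -> bool:
    """Match after normalisation, so the listed rewrites no longer matter."""
    try:
        return equivalent(text, signature)
    except ValueError:
        return False


def mentions_i30(text: str) -> bool:
    """The blunt "block $i30" rule proposed in the thread, for comparison."""
    return "$i30" in text.lower()


if __name__ == "__main__":
    variants = [ARTICLE_PATH, r"C:\.\windows\..\$i30\\\\$bitmap",
                "C:/./windows/../$I30////$BITMAP"]
    for v in variants:
        print(f"{v!r:45} naive={naive_signature_hit(v)!s:5} "
              f"canonical={canonical_hit(v)}")
    legit = r"C:\Users:$I30:$INDEX_ALLOCATION"
    print("legit dir ref mentions $i30:", mentions_i30(legit),
          "| same as C:\\Users:", equivalent(legit, r"C:\Users", is_dir=True))
```

Running it shows the two halves of the argument side by side: `naive_signature_hit` only fires on the article's exact spelling while `canonical_hit` fires on every rewrite mariushm lists, and `mentions_i30` fires on `C:\Users:$I30:$INDEX_ALLOCATION`, which `equivalent` shows is just `C:\Users`, so a rule that blocks the string `$i30` blocks ordinary directory references too. A real scanner would have to do this kind of resolution (and know whether each name is a directory) rather than match bytes, which is why the thread's conclusion is that the filesystem bug itself has to be fixed.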

8 minutes ago, StDragon said:

In addition $I30 also contains the $INDEX_ROOT and $BITMAP attribute. So no, it can't be blocked. Well, it might be blocked from user space but not the kernel. But that's purely a guess.

yeah, I didn't know this $i30 thing was apparently a really important thing of the structure in windows, or NTFS... I'm sure there are ways to fix this issue but it doesn't seem easy, also makes me want to just ditch NTFS all together lol (I know that'd be a pain, and I *don't* know if programs including windows itself would even work on something like FAT32 etc...) 

 

PS: it's really interesting they don't even know why this even triggers the "corruption" yet apparently ... 


7 minutes ago, StDragon said:

 

Per Microsoft on NTFS Streams

 

"In the case of directories, there is no default data stream, but there is a default directory stream. Directories are the stream type $INDEX_ALLOCATION. The default stream name for the type $INDEX_ALLOCATION (a directory stream) is $I30. (This contrasts with the default stream name for a $DATA stream, which has an empty stream name.) The following are equivalent:

 

Dir C:\Users

Dir C:\Users:$I30:$INDEX_ALLOCATION

Dir C:\Users::$INDEX_ALLOCATION

 

Although directories do not have a default data stream, they can have named data streams. These alternate data streams are not normally visible, but can be observed from a command line using the /R option of the DIR command."

 

In addition $I30 also contains the $INDEX_ROOT and $BITMAP attribute. So no, it can't be blocked. Well, it might be blocked from user space but not the kernel. But that's purely a guess.

So if I'm understanding this properly, the command sets a folder's attributes to those of a file in the data stream; in other words, it just tells Windows that this folder is actually a file?


Oh wow that'd be horrible.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


10 hours ago, comander said:

Also have a cold spare of anything you TRULY care about. 

Please always do this for the things you care about! 


45 minutes ago, Mark Kaine said:

If you're doing this... after you got some results, try renaming your C drive to H: or something, I'm pretty sure that'd fix / prevent it! 

 

(no, not my idea, but seems like it could work... for now...) 

I'm installing as we speak. My ESXi box is only a 6th gen NUC so it's not the fastest at installing Windows :(

 

Edit - I'm like 99% sure that Windows HAS to be on the C drive.

Edit 2 - Wait, you mean change the volume name?


35 minutes ago, Master Disaster said:

Edit - I'm like 99% sure that Windows HAS to be on the C drive.

Edit 2 - Wait, you mean change the volume name?

Yeah, and the drive letter, which in turn would mean windows is not on C anymore... 

 

 

the comments I read suggested that should work, so it'd be interesting to test I guess. :D

 

 

Edit:  @Master Disaster

 

everything I read suggests that Windows can be installed on *any* drive! 

 

 

Quote

Yes, it is quite possible. You can even get to a windows installation with only drive F:\ by accident. 

 

Edit 2: wrong quote... sorry (fixed). 

 

well I think it should work 🤷🏼

 

 

PS: I think the issue is third party programs that expect windows to be on C, so they get bugged out or corrupted.. 🤔

