A simple file naming bug can crash Windows 8.1 and earlier

The "blue screen of death" lives on thanks to a simple Windows file system bug.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

(Image: file photo)

In a blast from the past, a Russian researcher has uncovered a simple bug in the NTFS file system that consistently crashed Windows Vista to Windows 8.1 PCs.

Like the infamous Windows 95/98 /con/con bug, by simply entering a file name with "$MFT" the file-system bug locks up Windows at best or dumps it into a "blue screen of death" at worse.

$MFT is Windows NTFS's Master File Table. This special file tracks all files on the volume, their logical location in folders, their physical location on the hard, and file metadata.

But when Windows is tricked into trying to open it as an ordinary file with the NtfsFindStartingNode function, the function can't find it. Windows searches for it again starting with the root file-system, according to the researcher.

This time, around the NtfsOpenSubdirectory function opens the file as a directory, but on the next iteration of the loop, Windows detects that the file is not a directory, and thus interrupts the job with an error.

Windows will then try to close access down to the file with NtfsTeardownStructures. This fails -- because to close the file, it had to open the file system when mounting. Windows will then lock up while looping over and over again.

Essentially this means if you try to use $MFT as part of a directory name -- for example, C:\$MFT\foo -- the system crashes. The net effect is access to freeze $MFT "captured forever" and the computer is locked up until it's rebooted.

The most common way to exploit this bug is get users to use a web browser to open a webpage, which includes a fatal filename within it. For example, a web address calling for an image file named C:\$MFT\Bummer. would start the crash.

The Chrome web browser, however, will block such an attack because it won't load images with malformed directory paths.

Unfortunately, Internet Explorer and Firefox will allow PCs to try to load such files and will suffer for it.

There are two bits of good news here. The first is that Windows 10 is immune to this attack. The second -- and this is a mixed blessing -- is can only it crash systems. You can't use it -- yet, anyway -- to deliver ransomware or other malware to a Windows system as it the case with WannaCry.

There is no patch for this problem at the time.

Related stories:

Editorial standards