A Romanian security researcher, working for Bitdefender, has discovered a new vulnerability that can crash Windows 7 and Windows 10 computers, even when they’re locked. To crash the computer, it’s enough to insert a specifically crafted USB stick. Microsoft has stated it won’t fix the issue.
Marius Tivadar, the security researcher who discovered the vulnerability, has posted a proof-of-concept, and a document explaining the issue, on open source hosting service Github. He explains that an attacker with physical access to the computer can insert a specially crafted USB stick to exploit the vulnerability. On the USB stick, a 10MB NTFS image with specially renamed root folders will confuse Windows, so that once the USB stick is inserted, Windows will show a Blue Screen of Death (BSOD).
Tivadar claims it even works when the computer is locked and disabling autoplay doesn’t stop the exploit. That is because USB sticks are, on most computers, automatically scanned by e.g Windows Defender or other antivirus tools. To exploit the vulnerability simply reading the directory structure on the USB stick is sufficient.
According to Tivadar, Microsoft was aware of the vulnerability since July 2017. However, the software giant doesn’t plan to patch it as it doesn’t consider the issue a security issue. That’s mainly because the attacker needs physical access to the system and it does no more than crashing the computer. With physical access to the computer, an attacker could also simply turn off the system.
The issue is confirmed to work (because Tivadar tested them personally) on Windows 7 Enterprise and Windows 10 Pro and Enterprise Evaluation Insider Preview. It’s likely other Windows 7 and Windows 10 versions are affected too. Nevertheless, Tivadar found that Windows 10 Creators Update (build 1709) is not vulnerable.
Possibly Microsoft did fix the issue, or it’s a side effect of other changes to Windows.