Windows 7 and 8.1 ridiculously simple to crash using 4-character string

Due to an error in the way Windows operating systems handle file names, a maliciously crafted website can send computers to destination-BSOD upon accessing a directory name modified to fetch a sensitive system file.

Reminiscent of the infamous bug from the ‘90s that duped people into crashing their own machines by running the command line “C: /con/con,” the all-new $MFT bug causes Windows machines to lock up and remain that way until a reboot – sometimes going into full-blown blue screen of death (BSOD).

Although the news hit the wires only recently, the bug apparently emerged a week ago when a Russian coder independently discovered that the Master File Table ($MFT) file, responsible for tracking all files on an NTFS volume, can be leveraged to crash Windows 7, Windows Vista and Windows 8.1 machines in seconds if the filename is used as a directory name in a website.

The hacker, going by the name of Anatolymik, discovered that, if you access a maliciously-crafted website carrying the character string “$MFT” in the directory where a the site keeps its images, Windows crashes the moment it reads that file. The vulnerability is shared by Microsoft’s proprietary web browser, Internet Explorer, and the fox-themed Mozilla Firefox. Google Chrome is apparently not vulnerable to attempts at exploiting this bug.

Microsoft is aware of the issue but has yet to release an official statement or say when a patch will be available. For the time being, users can only hope not to experience the BSOD-inducing bug by surfing the web with their eyes peeled – i.e. only visit websites they trust.

Since Windows Vista is no longer supported by Microsoft with timely patches, we should only expect Windows 7 and Windows 8 machines to receive the fix. Windows 10 systems are unaffected by the flaw.

Leave a Reply