Locked Windows PCs can be affected by a malicious USB stick
A hardware expert and malware researcher, Marius Tivadar has published POC code on GitHub, that causes latest Windows 10 PCs to get crashed and goes into BSOD mode in seconds even if the system is locked. This code exploits the vulnerability in Microsoft’s handling of NTFS filesystem images.
NTFS bug & Windows autoplay feature doesn’t go well together
Tivadar says, “One can generate Blue Screen of Death using a handcrafted NTFS image. This denial-of-service type of attack can be driven from user mode, limited user account or Administrator. It can even crash the system if it is in the locked state.”
“Auto-play is activated by default”, He also says, “Even with auto-play [is,] disabled, [the] system will crash when the file is accessed. This can be done for [example,] when Windows Defender scans the USB stick, or any other tool opening it.”
The malware researcher’s PoC contained a malformed NTFS image, which was stored on a USB thumb drive, which when inserted in a Windows PC crashed the system within seconds.
He provided a generalized solution for this bug. He suggested that autoplay behavior must not start before user unlock the PC, although this handcrafted code has the same effect on the computer. Still running of such codes without users consent and in locked mode is pretty much risking more grievous future events.
Microsoft declined to fix
Tivadar had reported the DoS (denial-of-service) attack to Microsoft in July 2017 and included the NTFS image.
“Hey Marius, Your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level”, this was last response of Microsoft’s team.
They approved the disclosure but still not launched a patch this means the bug is ‘Live’ to date.