Developers at OSR have released an open-source filter driver that prevents the recently publicized NTFS bug, which can be used to corrupt NTFS volumes, from being exploited. This provides temporary protection for affected Windows 10 and Server systems until Microsoft finally comes around with a fix.
What is the NTFS bug?
There is a previously unpatched vulnerability in the implementation of the NTFS file system used by Windows 10. This vulnerability allows attackers to destroy the contents of an NTFS volume used under Windows 10. It is enough to place an appropriately crafted file on an NTFS volume to trigger the flaw. Security researcher @jonasLyk had repeatedly pointed out this vulnerability.
I recently reported the details of this vulnerability in the blog post Windows 10: Vulnerability allows to destroy NTFS media content. For an attacker exploiting this vulnerability, a one-line command is enough to corrupt an NTFS-formatted hard drive. This can be done by placing a crafted file (even remotely) in a folder on the affected drive.
In the best case, only an error check of the NTFS volume is performed and the disk is repaired. However, there are also cases where the machine could not boot afterwards. Our own tests and feedback from readers showed that almost all Windows 10 versions and also the server counterparts are affected. Only on older Windows versions can the bug not be exploited.
Open source filter driver from OSR as a fix
OSR, a software development company specializing in Windows internals, has taken on the problem. The developers write that the NTFS file system (or the file or directory) is certainly not corrupted at the time the corruption warning is displayed. The triggered warning is unsightly and forces a chkdsk on the next boot. The developers also write that, after their tests, they have a system at OSR that no longer boots once a second chkdsk has been executed.
So the developers have built a filter driver as a temporary solution that intercepts the critical $I30:$bitmap commands that can be sent to the NTFS device driver. It has been released as open source on GitHub as release v1.0.0 – OSRDrivers/i30Flt (github.com).
According to OSR, there is no way to fully fix this issue without an update for Windows. In the meantime, however, users can download and use the mitigation filter above from GitHub. Signed binaries for x86 and x64 are available for you to install. More details can be found in this OSR blog post.