Slashdot Mirror

← Back to Stories (view on slashdot.org)

In a Throwback To the '90s, NTFS Bug Lets Anyone Hang Or Crash Windows 7, 8.1 (arstechnica.com)

Posted by msmash on from the windows-crash dept.

Windows 7 and 8.1 (and also Windows Vista) have a bug that is reminiscent of Windows 98 age, when a certain specially crafted filename could make the operating system crash (think of file:///c:/con/con). From an ArsTechnica report: The new bug, which fortunately doesn't appear to afflict Windows 10, uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata files that are used by Windows' NTFS filesystem. The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways, and it's hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it were a directory name -- for example, trying to open the file c:\$MFT\123 -- then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock to be released. Forever. This blocks any and all other attempts to access the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.

79 of 128 comments (clear)

  1. Nonsense! by Anonymous Coward · · Score: 5, Funny

    I just opened c:\$MFT\123 on my system and nothing bad happ

    1. Re:Nonsense! by thegreatbob · · Score: 1

      Just wait until you go try to shutdown or logoff.. lockups and BSODs await you!

      --
      There is no XUL, only WebExtensions...
    2. Re:Nonsense! by Anonymous Coward · · Score: 3, Informative

      Whoosh!

    3. Re:Nonsense! by thegreatbob · · Score: 1

      I'm full of those today, apparently.

      --
      There is no XUL, only WebExtensions...
  2. Ah! by DontBeAMoran · · Score: 5, Funny

    NTFS Bug Lets Anyone Hang Or Crash Windows 7, 8.1

    As I use Windows 10 I doBUY XBOX ONE! ON SALE TODAY ONLY!n't have such problems.

    --
    #DeleteFacebook
    1. Re:Ah! by I'm+New+Around+Here · · Score: 1

      I'm also safe. I don't have Windows 7 or 8.1. I have the original Windows 8, which isn't listed as vulnerable. Yeah for Windows 8!

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    2. Re:Ah! by Anonymous Coward · · Score: 1

      Did you upgrade from Windows ME to Windows 8?

  3. Fun! by thegreatbob · · Score: 1

    Just think of all the fun someone could have on a thousand+ user application server -_____- Hopefully Microsoft will actually patch this, instead of continuing the trend of shitting on Win7/8 users in an effort to encourage them to move to 10.

    --
    There is no XUL, only WebExtensions...
    1. Re:Fun! by jbmartin6 · · Score: 1

      I tried it on some of my 2021R2s with no effects.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    2. Re:Fun! by Gr8Apes · · Score: 2

      I tried it on some of my 2021R2s with no effects.

      I see you're on the super duper doubly secret early release program.

      --
      The cesspool just got a check and balance.
    3. Re:Fun! by yuhong · · Score: 1

      If you are able to compile programs with Visual C++, there are a lot of bugs that you can BSoD a terminal server with that will never get fixed.

  4. In the Windows XP era... by __aaclcg7560 · · Score: 1

    My favorite WinXP crash bug was the crash that happen every 45 days of continuous uptime.

    1. Re:In the Windows XP era... by Anonymous Coward · · Score: 1

      My favorite WinXP crash bug was the crash that happen every 45 days of continuous uptime.

      How did you ever manage to keep the machine up for that long?

    2. Re:In the Windows XP era... by __aaclcg7560 · · Score: 1

      How did you ever manage to keep the machine up for that long?

      By not turning them off. ;)

    3. Re:In the Windows XP era... by freeze128 · · Score: 2

      You completely screwed up that joke.
      It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.

    4. Re:In the Windows XP era... by __aaclcg7560 · · Score: 1

      That must have been patched in the time since you last used XP.

      The last time I used WinXP was in 2012.

      I've got XP machines which run (patched) much longer, no problems.

      IIRC, The crash bug was pre-SP1.

    5. Re:In the Windows XP era... by __aaclcg7560 · · Score: 1

      You completely screwed up that joke.

      I wasn't joking. I had a scheduled task that would reboot my PCs every 45 days because of this crash bug. At my current job today we reboot workstations after 30+ days of uptime just to make sure that they patch properly each month.

      It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.

      I stand corrected.

    6. Re: In the Windows XP era... by Anonymous Coward · · Score: 1

      Yep, GetTickCount overflows 32 bits after 47 days and kills Windows 9x, NT is 64 bit internally

    7. Re:In the Windows XP era... by epine · · Score: 1, Insightful

      I stand corrected.

      Good on you, but you do know that that is just the first step in the 5 Whys of mea culpa?

      The 32-bit uptime bug in Windows 95 was the poster child of a toy operating system.

      NTFS (and the giant NT/2000/XP fork in the road) was the poster child for Microsoft escaping their toy reputation.

      The entire joke here is that the more things change, the more they remain the same.

      Now this new $MFT fiasco is just a stupid edge case in something that actually works well enough, most of the time.

      The joke under the joke here is that Microsoft has a predilection for death by self-inflicted edge case that beggars imagination, almost as if its a fixture of the organization's eternal DNA.

      The whole point of the Emperor's New Clothes was Microsoft attempting to sell the world on the innovation that they had finally put away their childish things. But no, not entirely. You can still see the boy in the man. Bigger and hairier, but still flopping around like a fish out of water.

      You reveal that you were actually afflicted with this problem in a big way (the time overflow bug) and yet somehow the larger story around it was going whoosh over your head (no one who cottoned onto this story at the time would have filed this Out of Africa II family-tree distinction under "minor detail").

      Stage two of the 5 whys of mea culpa: Where was your head at the time?

      Stage three: Whatever happened then, are you still captive to childish things?

      etc. etc.

      For our purposes here, there's an extremely interesting fork in the road upon entering stage five.

      A) man, I was such an ass
      B) look Ma, we made a trillion dollars

      An honest-to-God trillion dollars.

      Microsoft has hit $1 trillion in all-time revenue, and with more profit than Apple — 9 May 2016

      Revenue 1, zipper 0.

    8. Re:In the Windows XP era... by SharpFang · · Score: 1

      Hibernate,
      Put on a shelf for 45 days
      Dehibernate.

      Even win10 includes hibernation time in its uptime.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    9. Re:In the Windows XP era... by squiggleslash · · Score: 3, Funny

      I thought it's Windows 10 that crashes after 49.7 days of continuous usage? Except they replaced the blue screen of death with one that says "Please do not turn off your computer. Installing update 3/49"

      --
      You are not alone. This is not normal. None of this is normal.
    10. Re:In the Windows XP era... by Darinbob · · Score: 1

      I got up to 30 days be being very careful. Then I accidentally opened up Notepad and down it went.

    11. Re: In the Windows XP era... by Brockmire · · Score: 1

      Lay off the pipe.

    12. Re:In the Windows XP era... by SeriousTube · · Score: 1

      That was windows 95.

    13. Re:In the Windows XP era... by Gr8Apes · · Score: 1

      I've got XP machines which run (patched) much longer, no problems.

      IIRC, The crash bug was pre-SP1.

      IIRC, that was actually a Windows NT4 problem, patched in the late 90s.

      --
      The cesspool just got a check and balance.
    14. Re:In the Windows XP era... by Gr8Apes · · Score: 1

      But it would BSOD on day 46....

      --
      The cesspool just got a check and balance.
    15. Re:In the Windows XP era... by Gr8Apes · · Score: 1

      I wasn't joking. I had a scheduled task that would reboot my PCs every 45 days because of this crash bug. At my current job today we reboot workstations after 30+ days of uptime just to make sure that they patch properly each month.

      It wasn't Windows XP, but rather Windows 95 that would crash after 49.7 days of continuous usage.

      I stand corrected.

      Actually, he's wrong, the bug was in NT4 also. There was also a paging counter bug that was a mismatch of a 26 bit number into a 32 bit number that caused all sorts of issues when the 26 bit number rolled over. (might have been 24bit, it's long ago and google wasn't around to index everything back then....)

      --
      The cesspool just got a check and balance.
    16. Re:In the Windows XP era... by __aaclcg7560 · · Score: 1

      IIRC, that was actually a Windows NT4 problem, patched in the late 90s.

      Everyone else says the crash bug was in Windows 95, which is Windows bolted on top of DOS. WinXP was based on NT. IIRC, NT4 wasn't stable until 4.5 came out.

    17. Re: In the Windows XP era... by Gr8Apes · · Score: 1

      NT4s kernel had at least 1 < 32 bit counter internally.

      --
      The cesspool just got a check and balance.
    18. Re:In the Windows XP era... by sims+2 · · Score: 1

      Funny i've seen the update counter beak on several occasions so it will actually say something like installing update 49 of 3.

      I currently have a windows 10 machine that's been stuck at 91% installing the 1607 anniversary update since this time yesterday.

      It's bound to finish eventually right?

      --
      Minimum threshold fixed. Thanks!
    19. Re:In the Windows XP era... by dbIII · · Score: 1

      Back in the day MS didn't really care so much about memory leaks so long usage was an issue on NT, Win2k and even as late as XP.
      Rebooting every few weeks was a very common workaround.

    20. Re:In the Windows XP era... by Gr8Apes · · Score: 1

      He's probably talking about NT4 SP5, I'll give him a break on something from 20 years ago. After all, I had to look it up to remember that there was a SP6a....

      --
      The cesspool just got a check and balance.
    21. Re: In the Windows XP era... by Gr8Apes · · Score: 1

      NT 3.1 was the best as far as security went. NT3.5x while stuck with a sucky interface was technically far far better than NT4. NT4 took the monolithic single threaded GDI model from Win95 and totally screwed its stability and security forever. Remember clicking on an outlook attachment (when connected to an exchange server) and waiting and waiting and waiting while the client downloaded the file and opened it before the machine would react to any input? I certainly do, and hated every time it happened, which was often, at least a few times a week if not a few times a day. OS/2 was an awesome OS at that time as it truly was a multi-threaded pre-emptive system (NT, btw, is not pre-emptive, it still time slices, although those slices are small at 16 ms for everything up to 2012, I don't recall if later releases went to 8ms or not)

      --
      The cesspool just got a check and balance.
    22. Re:In the Windows XP era... by scdeimos · · Score: 1

      Microsoft IIS (can't remember whether it was 3 or 4) had a similar bug where after ~49 days it would stop logging web site activity to the W3C format log files. Doesn't look like MSDN still has a KB article for it otherwise I would have linked it.

    23. Re:In the Windows XP era... by Reziac · · Score: 1

      And it was actually a bug in the hardware's timer chip, that happened to dovetail with Win95/98. Not all hardware had the bug, and those without did not experience the 49 day rollover. (My everyday W9* boxen apparently lacked the bug, as both would run for several months at a crack, and I never applied the patch.)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    24. Re:In the Windows XP era... by sr180 · · Score: 1

      We used to reboot all of our NT4 Sp 6a servers when the idle counter reached 500 hours. Not long after that, they always started behaving weirdly..

      --
      In Soviet Russia the insensitive clod is YOU!
    25. Re: In the Windows XP era... by Gr8Apes · · Score: 1

      This is actually one of the many flaws of NT. It's not truly pre-emptive, it's time-sliced with a scheduler. Even worse is that the "system clock" API calls per thread are fixed per timeslice, which unless you use the much newer "real time" APIs, will always show a constant 16ms segmentation in time. Under OS/2, the executing thread would be immediately kicked out (or seemingly) when a higher priority process came into the scheduler. This was back when I coded such low level things. Given the security framework's lack of progress, I doubt the scheduler has been much improved either. I could always be surprised.

      --
      The cesspool just got a check and balance.
  5. jajahaha!! by fubarrr · · Score: 1

    True enterprise level bugs

  6. Doesn't work for me by Stonent1 · · Score: 1

    I just get "The directory name is invalid."

    1. Re:Doesn't work for me by Anonymous Coward · · Score: 3, Interesting

      Try browsing to file:///c:\$MFT\123 in IE and see what happens...

    2. Re:Doesn't work for me by thegreatbob · · Score: 1

      Try echo a > c:\$mft\derp I may be wrong, but something like type c:\$mft\derp does not seem to do anything.

      --
      There is no XUL, only WebExtensions...
    3. Re:Doesn't work for me by Anonymous Coward · · Score: 3, Interesting

      Yup, this works. Just coming back after a hard reboot :o

    4. Re:Doesn't work for me by Wulf2k · · Score: 2

      Sure. Me too.

      Then try do something else. Like open iexplore.exe and browse to a webpage.

    5. Re: Doesn't work for me by Ken_g6 · · Score: 1

      The Linux equivalent has to involve /dev. Maybe copying /dev/urandom someplace will fill a disk or something.

      --
      (T>t && O(n)--) == sqrt(666)
    6. Re:Doesn't work for me by thegarbz · · Score: 1

      You need to run cmd.exe not bash.exe when opening your console.

  7. Yup... by beheaderaswp · · Score: 2

    Saw the article and spun up a test VM with Win 7.

    Exploit/bug/crash/vulnerability works as advertised. Scary. An easy way to bring down an entire operating system with a bat file and a little startup/service knowledge.

    --
    Another consultant who stuck it out.

    "We are the Priests, of the Temples of Syrinx..."
    1. Re:Yup... by thevirtualcat · · Score: 2

      I tried it in the server contemporaries to 7 and 8.1. (2008R2 and 2012R2)

      Nearly immediate BSOD in both cases.

    2. Re:Yup... by thevirtualcat · · Score: 1

      Ah, yes. Good old "ctty nul." If you hated someone enough, you can always add this to their AUTOEXEC.BAT file.

      ctty nul
      echo y|format c: /u

    3. Re:Yup... by SandorZoo · · Score: 1

      Classic Unix had the .login file, which might contain "logout". How do you bypass that if you have no admin rights? I have no idea, I wonder if it's possible to recover in any way.

      VMS allows you to add qualifiers to your username when logging in, so you can tweak your environment. In VMS this would do what you ask:

      Username: SANDORZOO /NOCOMMAND
      Password: <PASSWORD>

      I always thought that was a neat idea that other OSes should copy.

  8. Re:Bank Vault by mysidia · · Score: 1

    Me: what about this box inside the vault?

    More like the attendant tells you to wait, goes to get the key to this box inside the vault.
    Accidentally realizes they left the keys required to open the door to the box room your desk, but the
    key only works with the right fingerprint scan (Two-Factor), so the attendant is stuck inside the vault,
    and nobody outside can open the door even with the keys: they'll just have to wait for a manager to come
    by and reset the system.

  9. Re:What about doing something with WebGL + linux by thegreatbob · · Score: 1

    Just SSH in, kill X and reload your kernel modules. It's not elitist at all to assume that every user knows this trick.

    --
    There is no XUL, only WebExtensions...
  10. Seems to require Elevation by mysidia · · Score: 3, Informative

    I tested this... who wouldn't .
    It seems to be harmless when not logged in as an Administrator.

    The second I run copy C:\$MFT\123 C:\Users\blah
    as Administrator however, filesystem access freezes.

    So yeah..... don't run programs as Admin that use random user-specified filenames and you should be fine?

    1. Re:Seems to require Elevation by QuietLagoon · · Score: 2

      It seems to be harmless when not logged in as an Administrator.

      I tried it as a standard user on two Windows installs, one 64-bit Windows 7 Pro on real hardware, and the other Windows 7 Home 32-bit on a VM. Both gave me a BSOD immediately.

    2. Re:Seems to require Elevation by thegreatbob · · Score: 1

      Seemed to work for me without elevation on Windows 7, using a user in the sole group "Users"

      --
      There is no XUL, only WebExtensions...
    3. Re:Seems to require Elevation by Skuld-Chan · · Score: 1

      On Server 2012 R2 I found as a standard user - if I tried to save a file to c:\$mft - I got an access denied error, then the machine bsod'd.

      So yeah you could "exploit" this from user space, but I guess the worse it will do is restart the machine/vm.

  11. Magic Filenames in Unix? by bill_mcgonigle · · Score: 1

    Do any real unix filesystems have magic filenames? I know unlinked files will be dumped in lost+found by convention, but it's just a directory. HFS+ didn't grow up on unix, so all of its magic files don't really count (NeXT used UFS, right?)

    All I can think of is mount/.zfs on ZFS, but it's built to handle traversal - any others? Any kernel code that relies on structures that can be impacted from userspace is a potential problem, so if there are some we should watch out for them and double-check that code.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Magic Filenames in Unix? by Shimbo · · Score: 1

      /, when it isn't a path separator, and \0 would be my first two corner cases to check.

    2. Re:Magic Filenames in Unix? by Megol · · Score: 1

      One could argue that Unix uses "magic" filenames everywhere - devices are mapped to filenames and most modern systems map almost everything internal as files. Windows NT doesn't map devices to files by default but a few are mapped into the Win32 subsystem to keep backwards compatibility, those things aren't files per se but emulated so that they can be treated as files - hence the "magic" nature of them.

      The MFT file isn't "magic" BTW, this is a locking problem at worst or not a problem at all if one likes the original Unix security philosophy. One have to have the access rights to be able to lock up the system...

    3. Re:Magic Filenames in Unix? by UnknownSoldier · · Score: 1

      > Do any real unix filesystems ...

      What is your criteria to evaluate a "pseudo" unix from a "real" unix??

      > ... unix filesystems have magic filenames?

      Uh, what do you think

      .
      ..
      /dev

      are?

      Reference:

      What are reserved filenames for various platforms?"

    4. Re: Magic Filenames in Unix? by guruevi · · Score: 1

      There are various magic file names (think things in /dev or /var) but reading/writing to them (if you are permitted) is by design how you interact with them.

      To my knowledge there is no module that is permitted to hang up the kernel (BSOD) simply by reading it, at worst you get the serial port to poop out some bad characters.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Magic Filenames in Unix? by nawcom · · Score: 1

      Those aren't "magic filenames" - they're just device nodes that populate at boot time and unlike reserved strings like the ones in Windows, their paths have value. And that link you gave makes no reference to them. the only "filenames" that you cannot use in unix OSes are . and ..

    6. Re:Magic Filenames in Unix? by SharpFang · · Score: 2

      Unix doesn't use magic fileNAMES. It uses magic files. Naming them is quite arbitrary and there are very few surprises that can result from that. (naming a file "*" is rally asking for trouble...) Now for assumptions programs make about what file contains what, and OS behavior as it accesses these special files... c'mon, rename sda1 to null...

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    7. Re:Magic Filenames in Unix? by Megane · · Score: 1

      Unix-like operating systems use file attributes to indicate special stuff like devices and pipes. Do a "ls -l /dev" and you will see what I mean. They also usually have access permissions set up to prevent access by anyone but a root process.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    8. Re:Magic Filenames in Unix? by Megol · · Score: 1

      That's true. No real magic filenames in Unix - except perhaps magical simplicity? :P

    9. Re:Magic Filenames in Unix? by tepples · · Score: 1

      What is your criteria to evaluate a "pseudo" unix from a "real" unix??

      A real UNIX system is one whose publisher has taken a trademark license from The Open Group.

    10. Re:Magic Filenames in Unix? by SharpFang · · Score: 1

      Did you learn that after, or before encountering your first "*" file? :]

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  12. Re:Problem in all software by green1 · · Score: 2

    Checking your inputs before working with them? that there is CRAZY talk!

  13. NTFS = by davidwr · · Score: 1

    No timeout, full stop.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Re:A missing letter by Megol · · Score: 1

    Master File Table. Look at the VMS design, realize that Windows NT was primarily designed by ex-VMS people and be enlightened.

  15. Anyone hang or crash windows? by damn_registrars · · Score: 2

    Pfft. I don't need an NTFS bug for that, it happens on its own.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  16. Doesn't work for me by grumpy-cowboy · · Score: 2

    $ c:\$MFT\123
    c:$MFT123: command not found

    $

    --
    Will $CURRENT_YEAR be the year of the Linux Desktop?
  17. Works on NT 3.51 too by Scoth · · Score: 3, Interesting

    Just for funsies I loaded up my Windows NT 3.51 VM I have around for no good reason and tried it, and it immediately hard-locked. Must be a very old bug.

    1. Re:Works on NT 3.51 too by MobyDisk · · Score: 1

      Just for funsies I loaded up my Windows NT 3.51 VM I have around for no good reason and it immediately hard-locked.

      FTFY

  18. Server 2008 and 2008 R2 by Anonymous Coward · · Score: 1

    So for some reason no one mentioned that this bug also affects Server 2008 and 2008 R2. Even though most IT people would know that those are more or less identical OSs to Windows 7 and 8 respectively, it still should be listed.

  19. Mmmm..... by Frosty+Piss · · Score: 1

    This just gives me a warm fuzzy blast from the past. And present. An maybe future of my Windows install. But I don't really worry, I only use my Windows box for runny Adobe stuff.

    --
    If you want news from today, you have to come back tomorrow.
  20. " Isn't higher patch count BETTER ? " by macker · · Score: 1

    Yes!

    The more bugs in the original release, the merrier!

    Really?

    --
    (T)he (O)ld (M)an
  21. Yep by Wargames · · Score: 1

    Dropped to cmdline in Win7 and did dir $MFT, stuff that runs from cache still worked but anything requiring disk locked up hard. Had to reboot. Sad. Thanks Obama!

    --
    -- Each tock of the Planck clock is a new world and here we are still life. --
  22. Re:A missing letter by SandorZoo · · Score: 1

    In VMS (or rather Files-11) it's called INDEXF.SYS. It is a visible, readable file (as system/root). I've never tried to delete it, to see what happens. Must do that one day, before all the systems I have access to are gone :(

    The fact that if you advance one letter in the alphabet with 2001's "HAL" you get "IBM", and if you do the same with "VMS" you get "WNT" is supposedly a coincidence.

  23. Re:A missing letter by Megol · · Score: 1

    Yes but the two filesystems in question aren't the same (while clearly related). The INDEXF.SYS file is located in the MFD (Master File Directory), the NTFS MFT combine several types of metadata that is located in the MFD as separate files. The name is derived from the Files-11 design but changed as it no longer is a directory.