When is a bug not a bug? That’s the question in play with a proof of concept (PoC) published by researcher Marius Tivadar, which can crash several versions of Windows, even if they’re locked, all within seconds of launching the code.
This PoC requires a USB key with a faulty NTFS image on it to be physically inserted into a Windows PC that also has autoplay enabled. Regardless of the privilege level currently active (from user to administrator), seconds after the target PC tries to read data on the USB stick, the dreaded blue screen of death (BSOD) occurs, crashing the computer.
That’s why Tivadar classifies this bug as a denial of service attack, but a crash is as far as this specific issue goes, and at no point does any privilege escalation or unauthorized data access occur.
Tivadar says he reached out to Microsoft in July 2017 to disclose his findings, all in the hope that Microsoft would officially give this security issue a CVE and start working on a patch to fix the problem.
But because this bug requires a USB key to be physically inserted into a machine to work, Microsoft responded that this finding didn’t “meet the bar” for issuing a security patch – so no CVE and no patch will be forthcoming.
At the time of this writing, according to Tivadar, this issue remains unresolved, and his PoC bug still causes Windows BSODs even in the most recent version of the operating system.
This has stirred an interesting debate about whether the mere existence of a PC-crashing bug automatically merits a robust response and patch from Microsoft. Tivadar’s PoC works and that’s not in dispute by anyone – it’s what to do about it that’s in question.
Microsoft’s reason for rejecting this security issue for a CVE and patch response is, according to Tivadar, that it requires physical access to a machine to work. If an attack requires physical access to a machine, it’s not easily replicable or weaponizable at scale.
Plus, if you have physical access to a machine and you’re looking to cause problems, you can do a lot more than just cause it to crash.
That’s all well and good, says Tivadar, but it’s just as much the principle of the thing that seems to be of concern, especially Microsoft’s apparent dismissal of the bug due to physical access requirements. Writes Tivadar on his GitHub documentation page:
As a security researcher, I think that every vulnerability that requires physical access and/or social engineering is important. We all know the stories Kevin Mitnick taught us regarding social engineering, so yes, these types of bugs are important.
Where do you fall in this debate? Is Microsoft’s response reasonable, or is it leaving Windows users at risk with their refusal to patch this issue?
Anonymous
It’s a reported bug and should be fixed. I agree with Microsoft that it’s not technically a “vulnerability”, but I think they’d still want to fix something that would allow a prankster to crash any Windows computer in default settings with an exposed USB port.
Eric
Personally, I’m hoping that what’s actually going on is that it has been added to a bug list and will be taken care of in a later version (making the NTFS driver more error-tolerant and refusing to mount a drive instead of just exploding) but they’re not considering it *as a critical vulnerability* and thus not rushing to patch it Right This Instant. The wording used here tends to make me think that’s the case – you don’t need a CVE for a general bug – but there’s no good way to really tell.
Paul Ducklin
MS’s actual reply is reproduced on the researcher’s Github page (link above). It’s not at all a WON’T FIX… just that it won’t make it into a Patch Tuesday style listed fix.
David Bradbury
I’m with Microsoft on this. If I wanted to simply crash a PC that I had physical access to, there are simpler ways to accomplish this without the use of a USB stick.
G-Man
If I want to crash a PC I’ll pull the plug. Please write a fix for this MS.
Alan W. Rateliff, II
This is a lazy and irresponsible response from Microsoft. If physical access is such a non-issue then why the kerfuffle over auto-run in the first place? Or anti-virus scanning of removable drives? For that matter, given this position Microsoft can eliminate all sorts of things from Windows: user accounts, Encrypted File System, etc. Perhaps Microsoft should ask Iran what it thinks about local vulnerabilities.
That it can only produce a BSOD means currently there is no known way to exploit the crash. I would like to give Microsoft the benefit of the doubt and say it has tested and found no way to compromise the system with this crash as there are a few different ways to crash Windows’ file systems which have existed since at least Windows XP. Nonetheless, without better technical explanation this is still worrisome as it can be used as a denial of service on critical equipment.
Bryan
While I agree with your first sentence, the rationale in disabling autorun stems primarily from people’s tendency to be more curious than wary upon finding “lost” media in the parking lot.
Chris
Whilst I guess that in an ideal world Microsoft would fix this, with my SysAdmin’s hat on this doesn’t bother me too much. If someone with physical access to my systems decides that they want to attack/inconvenience me and all they can find to do is crash a few workstations, then I’ll take that as a win. On a practical note, any evil miscreant could achhieve virtually the same effect by holding down the power button for a few seconds, no USB required!
Servers is another matter entirely of course, but if you’re plugging random USB keys into your critical infrastructure, or worse still allowing someone else to do it, then you’ve already got bigger problems.
Mahhn
Well, when this code gets added to malware and planted on any connected USB storage device (including mice and printers with such, maybe even virtual drives). Then they’ll look into it, but not as a bug, as malware.
Huawei the Lads
What’s Patch Tuesday?
Come to think of it what’s Microsoft?
My OS discretely updates itself (and applications) as required
Just moved an elderly relative onto Lubuntu as a means to help her keep her system up-to-date and safe.
Anonymous
And yet when Microsoft runs updates in the background as required to keep the user as well as other users safe (herd immunity), they are labeled an evil corp trying to force updates on people without a choice.
Bryan
Good point. Personally my biggest beef with Microsoft is how aggressive they are in business to steamroll competition. I understand business is driven by profits (and that good corporate decisions often “feel” cold or even cruel), however when there’s no remaining alternative** consumers rarely benefit.
** not just operating system or MS Office. I mean every little utility or app out there that worked great before Microsoft bought them or railroaded them out of business. The Microsoft replacement is rarely even close to as good and usually contains more bugs for a longer duration.
A salient example is Netscape vs. I.E (yes, sorry; it’s a 20-year-old argument now, but it’s the pattern that’s relevant here). Once Navigator died, I.E. stagnated until tiny little Firefox garnered enough traction and forced MS to actually give a rat’s behind whether consumers liked their product or not–because they were losing.
Without healthy competition, the biggest loser …is us.
Bryan
My OS discretely updates itself (and applications) as required
I think you mean discreetly.
Paul Ducklin
Both words work :-) (Discrete in the sense of not requiring you to update an entire firmware blob just to end up with one changed file.)
Bryan
I stand erected.
DuffMan
You can use one of those USB killer sticks that discharges a cap into the usb port to make that Denial of service more permanent (also works on a locked computer). In my opinion, the only reason to patch would be in case this crash will in the future be something more than just a crash.
Dave
Interesting. What about popping into your local officeworks to print your photos….insert USB and bang, bluescreen. Physical access to the actual machine may not actually be possible, because it’s encased in the ‘arcade box’ you get an onscreen keyboard…..but USB access.
What OS do airlines run for their in-flight entertainment? Crashing the entire system from one seat would be annoying.
Edge cases for sure, but not *all* physical access means to the actual motherboard.
John Leslie
Who has Auto-Play enabled these days? Very dangerous. Plus if the only effect is a crash I can do that by toggling the power switch. However should be fixed in some general update as it’s an actual bug.
Paul Ducklin
I didn’t research this story myself, so I am speculating here – but Autoplay (meaning react in some way when the drive is inserted) is not the same as Autorun (meaning react by running a program straight off the drive without asking). It’s Autorun that’s long dead.
Anyway, as the researcher said, it’s not so much Autorun as any attempt to access a file on the device. Autorun requires the OS to access the device, thus hastening the trigger of the bug, but lots of processes might decide to read from the device for you, including Windows Defender.
James
Why did Windows start requiring specific hardware in order to crash?