The Lernaean Hydra in Roman mythology was a frightening beast. It had seven snake heads. If a warrior cut off one of the heads, it simply regrew while the others continued to attack. There was no way to defeat it. These days, Windows bugs have come to resemble the Hydra of ancient mythology. The discovery last Friday of a massive problem in Windows is just the most recent head.
Last Friday, the company announced that a bug had been discovered that allowed malicious websites to fully crash machines with extremely small effort. A machine running Windows 7 or 8.1 could be crashed quickly simply by downloading a photo file with a special name. The file name (in this case $MFT) causes the computer to hang and can even produce the dreaded blue screen of death. Windows uses this name for a hidden metadata file that is part of the NTFS file system. When a browser encounters a file with that name, it would normally simply not load it. However, if $MFT is embedded in the file path as if it were a directory, the browser will cause the computer to shut down entirely. The NTFS driver locks the file and then will not release it. The machine starts to slow down and can eventually wind up with a blue screen. The only way out of the problem is a full reboot. The tricky part is that the file can be loaded secretly in the background of a webpage through the source URL of an image.
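A defensive check for the pattern described above, as an added example that is not part of the original article: it flags resource references in which $MFT appears as a directory component rather than as the final file name. The function names and the sample references are constructed for illustration.

```python
import re
from urllib.parse import unquote

RESERVED = "$mft"  # NTFS metadata file name discussed in the article

def mft_used_as_directory(ref: str) -> bool:
    """Return True if ref uses $MFT as a directory, not as the final name."""
    decoded = ref
    for _ in range(3):  # undo nested percent-encoding (%24 is "$")
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    path = re.split(r"[?#]", decoded, maxsplit=1)[0]  # drop query/fragment
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    # NTFS names are case-insensitive; trailing dots/spaces are stripped
    # conservatively so near-variants of the name are treated the same.
    names = [p.rstrip(". ").lower() for p in parts]
    # A trailing separator means every component is used as a directory.
    dirs = names if path.endswith(("/", "\\")) else names[:-1]
    return RESERVED in dirs

def flag_references(refs):
    """Filter a list of resource references down to the suspicious ones."""
    return [r for r in refs if mft_used_as_directory(r)]

# Constructed sample references (hypothetical, for illustration only).
SAMPLE_REFS = [
    "https://example.com/images/photo.jpg",
    "file:///C:/$MFT",                       # final name only: not flagged
    "file:///C:/$MFT/photo.jpg",
    r"C:\$mft\photo.jpg",
    "file:///C:/%24MFT/photo.jpg",
    "file:///C:/%2524mft/photo.jpg",         # double-encoded "$"
    "https://example.com/$MFTbackup/a.png",  # different name: not flagged
]

if __name__ == "__main__":
    for ref in flag_references(SAMPLE_REFS):
        print("FLAG", ref)
```
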
This problem with file names is not new for Windows. There have been file name hacking issues with Windows all the way back to the old Windows 95 and 98 operating systems, and this new bug is also reminding users of the Windows 9x filename problems. While Microsoft has been informed of what has been discovered and used by malicious sites, the company is still looking for a solution. A spokesperson for the company was quoted as saying, “Our engineers are currently reviewing the information. Microsoft has a customer commitment to investigate reported security issues and provide updates as soon as possible.”
This most recent bug is just another example of the problems that the company has faced this past week. The global scare of the WannaCry ransomware attack has made lots of users nervous about Windows system security. The ransomware had effectively shut down computers, demanding a payment of around $300. This attack was stopped accidentally by a young coder who found a block. However, the reality that Windows is vulnerable to such attacks makes security a growing concern for companies and individuals who rely on the OS to run their systems.
Just like the Hydra of mythology, the attacks on Windows will continue to regrow like snake heads on a monster. Companies need to be ready with backup systems and strong security controls, and Microsoft will need to continue to address these issues in a timely way.