Bug was first reported in July 2017, still not patched

May 11, 2018 11:35 GMT

A bug causing Windows machines to crash when a USB drive is inserted won’t get a patch from Microsoft, despite the issue reportedly affecting all versions of the operating system, including the newly-launched April 2018 Update.

Security researcher Marius Tivadar says in a post on GitHub that he first reported the problem to Microsoft in July 2017 after discovering that a USB drive running a handcrafted NTFS image can cause any system to crash even if locked.

“Microsoft was very responsive regarding my disclosure 1 year ago, but they didn’t issue a security patch,” Tivadar explains.

While the bug can do no more than trigger a BSOD on the target host, the security researcher still classifies it as a denial of service.

“Inserting a memory stick when a computer is in a locked state triggers the execution of a lot of OS code, such as mounting file systems. This could be dangerous if the file system is handcrafted and aimed at exploiting the OS. This behavior should be changed for any operating system,” he says.

No fix (just yet)

Microsoft, however, won’t issue a security fix for this bug, explaining in a private conversation with Tivadar that because exploiting the reported issue requires “either physical access or social engineering,” it doesn’t qualify for a CVE or a patch.

The bug exists in all Windows versions, and the security researcher has managed to reproduce it in Windows XP, Windows 7 Enterprise, and various releases of Windows 10, including the April 2018 Update.

“Fortunately, this bug can generate a BSOD and nothing more. It cannot be weaponized. Still, in some scenarios, a blue-screen-of-death could be unacceptable,” the researcher explains.

Microsoft hasn’t offered a public statement on this bug, and it’s still not known whether a fix is on its way or not. We have reached out to the company for more information and will update the article when and if an answer is offered.