Microsoft has finally fixed a vulnerability in Windows 10 that could potentially enable threat actors to crash the operating system simply by opening a specially crafted folder.
According to reports, Microsoft initially patched the bug in Windows Insider builds in February, before pushing it to all Windows 10 users last week with the latest round of Patch Tuesday updates.
Tracked as CVE-2021-28312, the vulnerability has reportedly been classified as a distributed denial of services (DDoS) flaw.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
Security researcher Jonas Lykkegård first discovered the zero-day bug in Windows 10 all the way back in August 2020. It is said to allow users and programs, even those with low privileges, to mark an NTFS disk drive as corrupt just by accessing the special folder.
Easy to trigger
Lykkegård told BleepingComputer that the flaw became exploitable probably with Windows 10 build 1803, released in April 2018.
Worryingly, the bug was relatively easy to trigger. Before the migitation, simply changing into the specially crafted folder, either via the command prompt, from the file manager, or via any other means would cause Windows 10 to mark the drive as dirty. The user would then be prompted to reboot their computer and run chkdsk, which would in turn fail to mark it as clean and prevent the device from booting up.
Unsurprisingly, several malicious apps quickly began circulating on Discord and other social media that exploited the vulnerability to render Windows 10 installations useless.
However, BleepingComputer has confirmed the bug has been successfully mitigated with the latest update.