UPDATED with comment from Microsoft.
Heads up: There seems to be an unpatched flaw in Windows 10 that can corrupt a hard drive with a short, simple, single-line command.
So says Twitter user @jonasLyk (opens in new tab), who claims that the command can instantly trash any drive using Microsoft's preferred NTFS file format, even if the command is invoked by a limited-user Windows account without administrative privileges.
- This simple trick could save your computer
- The best antivirus software to protect your PC
- Plus: Our favorite gadgets from CES 2021
Even worse, the flaw might easily be exploited by malicious hackers and embedded in email attachments, video files or even web pages.
NTFS VULNERABILITY CRITICALITY UNDERESTIMATED-There is a specially nasty vulnerability in NTFS right now.Triggerable by opening special crafted name in any folder anywhere.'The vulnerability will instant pop up complaining about yuor harddrive is corrupted when path is opened pic.twitter.com/E0YqHQ369NJanuary 9, 2021
Just opening the file or page would crash your PC, and it's not clear if the hard drive could always be recovered. It's possible that just viewing a specially formatted icon would also trigger the flaw.
Will Dormann, an information-security expert at the government-funded CERT Coordination Center in Pittsburgh, confirmed the flaw is real.
Nice find by @jonasLyk :cd
Result: NTFS corruptionOther vectors: - Open an ISO, VHD, or VHDX- Extract a ZIP file- Open an HTML file without a MoTW- Probably more... pic.twitter.com/LY18Lo3J3mJanuary 9, 2021
Bleeping Computer (opens in new tab) replicated the flaw and even posted a video of it rendering the C, or main, drive unreadable on a virtual PC. The virtual machine in the video was unable to restore the drive, even after several reboots.
Bleeping Computer said that in some cases the chkdsk (Check Disk) utility was able to repair the drive. But in other cases the disk's master file table (MFT), an index of all the files on a drive, would be corrupted along with the files. You'd likely need third-party software to fix that.
How to avoid this attack
To avoid attacks using this flaw, you could change your PC's hard drives to the FAT32 file format, the same file format used by USB flash drives, SD cards and other kinds of removable storage. Doing so would be a huge pain in the neck, as you'd have to first back up and then essentially rebuild your system.
You could also be safe if you're still running Windows 10 version 1709, released in October 2017, or earlier. The flaw affects all builds of Windows 10 from version 1803 onward, @jonasLyk told Bleeping Computer, which Dormann confirmed.
It's not clear why this specific command borks hard drives. None of the elements of the command are anything special or uncommon, and it'd be familiar to many Windows users who often get into the command-line interface.
The only reason this flaw may not have been discovered before is because the active command might not normally be paired with the specified implementation.
"I have no idea why it corrupts stuff and it would be a lot of work to find out," @jonasLyk told Bleeping Computer. "I'll leave it to the people with the source code," i.e., Microsoft.
We're not going to tell you what the command is because we don't want you trying this at home. But if you have a virtual machine, you can find the command in Bleeping Computer's story. Be careful.
Tom's Guide has requested comment from Microsoft about this issue, and we will update this story when we receive a reply.
Update: Microsoft responds
Following our query, a Microsoft spokesperson provided us with this statement:
"We are aware of this issue and will provide an update in a future release. The use of this technique relies on social engineering and as always we encourage our customers to practice good computing habits online, including exercising caution when opening unknown files, or accepting file transfers. More information on staying safe online is available at https://www.microsoft.com/en-us/digital-skills/online-safety-resources (opens in new tab)."