Look out: This browser link will crash your Windows 10 PC

An old-fashioned Blue Screen of Death on a widescreen monitor while a user slams his palm onto his forehead.
Not the actual Windows 10 Blue Screen of Death. (Image credit: Andrey_Popov/Shutterstock)

UPDATE: Microsoft has patched this flaw with a system update. See end of story.

Hot on the heels of last week's Windows 10 corrupt hard drive bug comes another flaw that crashes a PC if you try to open a specific link in some web browsers. And yes, this crash will yield that feared blue screen of death (BSOD).

Both flaws were discovered by researcher Jonas Lykkegaard and detailed in his Twitter feed. This new bug doesn't open a web page, he said, but instead directs the browser to try to browse the PC's internal file system -- a feature common to most web browsers.

But because the link is supposed to include an extra element, and the system doesn't seem to properly check for errors (perhaps because the command is coming from a web browser), Windows 10 gets confused, trips over itself and pops up a BSOD. 

Bleeping Computer tried it on several systems using the Google Chrome browser and found that it works on Windows 10 version 1709 and later. Tom's Guide found that it also works in the Brave web browser, which uses the same underpinnings as Chrome, and in an older version of the unrelated Firefox browser.

Use at your own risk

Because this flaw doesn't seem to cause any lasting harm, it's probably safe to share the filepath: "\\.\globalroot\device\condrv\kernelconnect". 

Play with this at your own risk. If you type it into the address bar of a browser, your computer will likely bluescreen and then do the usual file checking. Our computer didn't restart automatically after that, so we had to power-cycle manually to make all well.

[Update: Our test PC restarted normally a few times, but is now stuck in an Automatic Repair boot loop. So, on second thought, you really shouldn't try this.]

[Update part 2: It now looks like the Automatic Repair boot loop may have been caused by a completely different issue.]

Microsoft told Bleeping Computer that it "has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible."

Lykkegaard told Bleeping Computer that Windows 10 views the filepath as a command and expects the user to also type "attach" at the end. But if the user doesn't add anything, then Windows bluescreens.

He also said that any user, not just those with administrative privileges, can make this happen. Tom's Guide confirmed that was true.

This flaw can be exploited. Lykkegaard found that specially crafted files downloaded from the internet could cause PCs to crash when the files were opened, and Bleeping Computer said it had found a way to make the PC crash upon startup. 

Pranksters could also embed the filepath in harmless-looking links on web pages, emails, instant messages or social media. But none of these methods would be likely to cause permanent damage. [Or maybe it would -- see above.]

Update: Flaw patched

On Feb. 9, Microsoft patched this flaw as part of its regularly monthly software updates. Here's how to make sure you install this patch.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.