Hackers Will Love Windows' New Blue Screen of Death

Ever since Windows 3.1, PC owners have known that the Blue Screen of Death means something has gone horribly wrong.

Windows 8 took the iconic screen one step further by adding a frowny-face emoticon, but the latest preview build of Windows 10 may make the screen more dangerous to the user than a mere system crash. The addition of a QR code to the BSOD could let cybercriminals and scammers lure hapless users into installing malware or falling for tech-support scams.

Tech-news site The Register described the risks inherent in the new update, which is present in Windows 10 Insider Preview build 14316. In theory, the idea is sound: If a computer crashes, you can't use that computer to find out why.

So the new BSOD displays a QR code, which, when viewed by a smartphone's camera and interpreted by a QR-reading app, takes users to a Windows support page. There, they can hopefully learn some answers while the PC reboots.

MORE: Best Antivirus Software and Apps

The trouble with this well-intentioned plan is that it's ridiculously easy to spoof the BSOD and its QR code, with possibly malicious results. Imagine how easy it would be to trick inexperienced users with a simple website popup that looked like the BSOD (especially if the popup could overlay the Windows taskbar, which is not terribly difficult).

A QR code leading to a malicious link, possibly one executing JavaScript, would be trivial to create, especially since no one can tell where a QR code leads before it's scanned. Even if your computer wasn't really broken, your phone might be after you link to the site. Or the phone could be directed to call a tech-support-scam toll-free number, or infected with malware designed to migrate across a home Wi-Fi network to other devices.

This isn't necessarily a threat for careless newbies, either. Ransomware could actually lock up your computer screen and display a BSOD image. Attach a phony QR code, and your smartphone would be susceptible to whatever malware a cybercriminal could dream up.

Since the BSOD QR code functionality is still in an insider build, Microsoft could choose to pull it before it goes public. The company could also alter it to make it safer, although there doesn't seem to be any foolproof way to make an authentic QR code look different from a fake one.

It's bad enough when a BSOD lets you know that your computer is busted. Let's not extend the misery.