Security researchers develop unofficial patch for drive-corrupting Windows 10 NTFS bug
A couple of weeks ago, we reported on a critical NTFS vulnerability that left hard drives open to corruption in Windows 10. Security researcher Jonas Lykkegaard revealed that opening a folder with a specially crafted name could wipe out the contents of a drive in an instant.
Microsoft is yet to produce a fix for the problem, but that doesn't mean no one else has. Third-party patch-makers such as 0patch have already made names for themselves stepping in to produce updates either for unsupported versions of Windows, or simply beating Microsoft to the punch. Now it is the turn of developers from OSR who have released an unofficial workaround patch for the NTFS flaw.
When problems crop up in Windows 10, users generally have to wait a while for Microsoft to develop a patch to fix things. This not only means that there can be quite a delay, but even when an official update arrives, it is certainly not unknown for a patch to introduce additional problems. This is one of the reasons 0patch's lightweight releases have proved so popular, and OSR -- a firm that focuses on Windows internals and system software -- has now stepped up to the plate to offer a "filter driver" called i30Flt to address the NTFS issue.
The company explains its release on GitHub:
@jonasLyk reported a REALLY interesting corruption error reported by NTFS:
Triggering the notification only requires that you visit a particular path on an NTFS volume.
Our research indicates that the "file corrupt" error bubbles up from a network query open, so it's sufficient to just call GetFileAttributes to see the behavior. We think the bug is in all the changes around case sensitivity...There's a memory compare of "$i30" with "$I30" before the descent into chaos. Also if you use "$I30" in the offending command you don't get the problem.
The directory is not really corrupt at this point and the volume is not immediately corrupted by this change. The result is ugly though and we have anecdotal evidence of a system here at OSR failing to boot after multiple attempts to chkdsk, so we thought we'd mitigate the problem while we wait for the real fix to arrive.
This filter blocks any attempts to open a stream that begins with ":$i30:". This blocks more than just the intended path (e.g. ":$i30:$index_allocation") but we believe the impact of this to be minimal.
The workaround patch is available for both 32- and 64-bit versions of Windows 10, and can be downloaded here. You will also find full source code for the patch, so you can scrutinize how it works.
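The prefix check OSR describes can be sketched in user-mode C. This is an added example, not code from i30Flt or from OSR. The function names `stream_part` and `is_blocked_stream_open`, the simplified path parsing and the exact-case comparison are assumptions based only on the quoted description.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Prefix taken from the quoted description; exact-case matching is an assumption. */
static const char BLOCKED_PREFIX[] = ":$i30:";

/* Returns a pointer to the stream part (starting at ':') of the final
 * path component, or NULL when the path names no stream. */
const char *stream_part(const char *path)
{
    const char *p = path;
    /* Skip a drive designator such as "C:" so its colon is not read as a stream. */
    if (((p[0] >= 'A' && p[0] <= 'Z') || (p[0] >= 'a' && p[0] <= 'z')) && p[1] == ':')
        p += 2;
    /* A stream name can only follow the last path component. */
    const char *last = p;
    for (const char *c = p; *c; c++)
        if (*c == '\\' || *c == '/')
            last = c + 1;
    return strchr(last, ':');
}

/* True when the open targets a stream whose name begins with ":$i30:". */
bool is_blocked_stream_open(const char *path)
{
    const char *s = stream_part(path);
    return s != NULL && strncmp(s, BLOCKED_PREFIX, sizeof BLOCKED_PREFIX - 1) == 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from the filter's source. */
    const char *samples[] = {
        "D:\\data\\folder:$i30:$index_allocation",
        "D:\\data\\folder:$I30:$index_allocation",
        "D:\\data\\report.txt:notes",
        "D:\\data\\folder",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i],
               is_blocked_stream_open(samples[i]) ? "BLOCK" : "allow");
    return 0;
}
```

The first sample shows the over-blocking OSR mentions: any stream name after the ":$i30:" prefix is refused, not only the one that triggers the error.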