Windows security vulnerabilities and bugs aren’t new, but most of the ones that we hear of involve downloading malicious software, often unknowingly, from dubious websites. In the past few days, however, at least one bug was reported that could corrupt your hard drive when you merely view a file’s icon or type a simple command. Now another, slightly similar problem has been disclosed, one that could produce the dreaded Blue Screen of Death, or BSOD, just by visiting a link or location on your own computer.
Many parts of the Windows operating system are naturally arcane, sometimes even to the most advanced programmers. Last week’s drive-corrupting bug, for example, exploited a very specific sequence of characters that has a special meaning for Microsoft’s NTFS file system. The exact cause of the bug, much less protection against it, is still unknown at this point.
As if that weren’t enough, Bleeping Computer reports a new bug that may wreak just as much damage, depending on the circumstances. It simply involves a URL or link to an internal Windows location, and it doesn’t even have to be clicked on to trigger. As long as Windows tries to process the link, such as when it is entered in the address bar of a browser, it will still cause the system to crash into a BSOD.
The report says that it could potentially be exploited remotely by tricking users into downloading a Windows URL file. The OS will try to generate an icon from that data, causing the system to crash. In some cases, it could even be exploited to cause an immediate BSOD upon logging into Windows.
The end result for users can vary from a simple one-time integrity check at boot to getting stuck in an automatic repair loop. Both bugs required users to unwittingly type out strange commands or URLs or click on suspicious-looking links or icons, both of which are a big no-no in the first place. Microsoft says it’s investigating matters but has yet to publish any resolution.