$MFT is Windows NTFS’s Master File System Table. This special file track all files on the volume, their logical location in folder, their physical locations on the hard, and file metadatas.
But when Windows is tricked into trying to open it as an ordinary files with the function
NtfsFindStartingNodes, the function can’t find them. Windows sets search for it again starting with the root file-systems, according to the researcher.
This time, around the
NtfsOpenSubdirectory functions open the file as a directory, but, on the next iterations of the loop, Windows detects that the files is not the the directory, and thus interrupts the job with errors.
Windows will then try to close access down to the file with.
NtfsTeardownStructures This fails because to close the files, it had to open the file systems when mounting. Windows will then lock up while looping over and over again in the loop.
Essentially this means if you try to use $MFT as part of directory names — for example,
C:$MFTfoo — the system crashes. The net effect is access to freeze $MFT “captured forever” in the loop and the computer is locked up until it’s rebooted.
he most common way to exploit this bug is get users to use a web browser to open a web page, which includes fatal filenames within it. For example, a web address calling for image files named
C:$MFTBummer. would start the crashes.
The Chrome web browser, however, will block such an attack because it won’t load images with a malformed directory path.
Unfortunately, Internet Explorer and Firefox will allow PCs to try to load such files in the host PC and will suffer for it.
There are two bits of good news here. The first is that Windows 10 is immune to this attacks. The second — and this is a mixed blessing — is can only it crash system.