UPDATE: Microsoft has fixed this flaw in a system update See end of article
Following last week's hard drive corruption bug in Windows 10, another flaw has occurred that causes PCs to crash when attempting to open certain links in some web browsers And this crash brings the feared blue screen of death (BSOD)
Both flaws were discovered by researcher Jonas Lykkegaard and are detailed in his Twitter feed According to him, the new bug does not open a web page, but instead directs the browser to try to browse the PC's internal file system, a feature common to most web browsers
However, since the link should contain extra elements and the system does not seem to properly check for errors (perhaps because the command comes from the web browser), Windows 10 gets confused, stumbles, and pops up a BSOD
Bleeping Computer has tried this on several systems using the Google Chrome browser and found it works on Windows 10 version 1709 or later Tom's Guide uses the same foundation as Chrome, Brave web browser, which uses the same infrastructure as Chrome, and also found that it works with older versions of the unrelated Firefox browser
Since the flaw does not appear to cause any permanent harm, it is probably safe to share the file path: "˶ ˶ ˶ ˶ ˶ ˶ ˶ ˶ ˶ ˶ ˶
Play with this at your own risk If you type this into the address bar of your browser, your computer will blue screen and do the usual file checks Our computer did not automatically restart after that, so we had to manually turn it off and make everything normal
[Update Our test PC rebooted successfully a few times, but now it is stuck in an automatic repair boot loop So, on second thought, we should not try this"]
[Update #2: The auto-repair bootloop appears to have been caused by an entirely different problem]
Microsoft told Bleeping Computer that "we have promised our customers that we will investigate any reported security issues and will provide updates to affected devices as soon as possible"
Lykkegaard told Bleeping Computer that Windows 10 considers the file path to be a command and also expects the user to type "attach" at the end However, if the user does not add anything, Windows will blue screen
He also said that any user can cause this to happen, not just users with administrative privileges; Tom's Guide has confirmed that to be the case [The flaw is exploitable; Lykkegaard discovered that a specially crafted file downloaded from the Internet can cause a PC to crash when the file is opened, and Bleeping Computer stated that it had discovered
Pranksters can also embed file paths in seemingly innocuous links on web pages, emails, instant messages, and social media However, none of these are likely to cause permanent damage
Microsoft patched the flaw on February 9 as part of its regular monthly software update Instructions on how to ensure that this patch is installed are as follows
Comments