<p>A security researcher Jonas L has discovered an NTFS vulnerability that impacts Windows 8/8.1 and many Windows 10 versions.</p>
<p>Unfortunately, this is a long-existing flaw that has not been fixed yet and it became exploitable starting with Windows 10 v1803 and continues to v20H2 which is the latest major Windows 10 release.</p>
<p><img class="alignnone size-full wp-image-4065" src="https://www.wincert.net/wp-content/uploads/2021/01/code-1689066_640.jpg" alt="" width="640" height="426" /></p>
<p>Apparently, even the unsupported Windows XP operating system is affected by this bug, but Windows 7 is not.</p>
<p>This vulnerability that corrupts the NTFS file system can be exploited with a single command, shortcut in a ZIP archive, or even by a malformed HTML file.</p>
<p>A simple command that is executed with a privileged account or in an elevated CMD window corrupts an NTFS hard drive will result in a system restart prompting the user to repair the corrupted disk records.</p>
<p><span style="color: #ff0000;">Please do not run this command on your devices that contain important data since you WILL damage the file system and even lose your data. Use this command at your own risk and only on a test system.</span></p>
<p>Here&#8217;s the command line that causes havoc on Windows NTFS volumes:</p>
<p><code>cd c:\:$i30:$bitmap</code></p>
<p>The key issue lies in the <strong>$i30</strong> which is an NTFS Index Attribute that containing a list of files and subfolders from NTFS directories.</p>
<p>Once the above command has been executed you will receive the following Security and Maintenance notification:</p>
<p><strong>Restart to repair drive errors. Click to restart your PC.</strong></p>
<p><img class="alignnone size-full wp-image-4064" src="https://www.wincert.net/wp-content/uploads/2021/01/repair-disk-errors.png" alt="" width="311" height="124" /></p>
<p>Once the PC is rebooted Windows will start the CheckDisk app and will fix the file system.</p>
<p>Apart from running this command in the command prompt, this flaw can also be exploited by creating an Internet shortcut file (.url) with an icon location set to C:\:$i30:$bitmap. Once the system tries to display this icon the system will instantly become corrupted.</p>
<p>Another way is to use this .URL shortcut file in a ZIP archive, ISO, VHD or VHDX files. The corruption will start as soon as the user extracts the ZIP archive or mounts ISO, VHD, VHDX files.</p>
<p>Some users reported that pasting the <strong>&#8216;:$i30&#8217;</strong> string into the browser address also results in a corrupted file system.</p>
<p>Currently, there is no fix for this flaw and until Microsoft releases a fix, please be extremely careful when using .ZIP, ISO, VHD or VHDX files from untrusted sources.</p>