Look out: This browser link will crash your Windows10PC

Look out: This browser link will crash your Windows10PC

UPDATE: Microsoft has fixed this flaw in a system update. See end of article.

Following last week's hard drive corruption bug in Windows 10, another flaw has occurred that causes PCs to crash when attempting to open certain links in some web browsers. And this crash brings the feared blue screen of death (BSOD).

Both flaws were discovered by researcher Jonas Lykkegaard and are detailed in his Twitter feed. According to him, the new bug does not open a web page, but instead directs the browser to try to browse the PC's internal file system, a feature common to most web browsers.

However, since the link should contain extra elements and the system does not seem to properly check for errors (perhaps because the command comes from the web browser), Windows 10 gets confused, stumbles, and pops up a BSOD.

Bleeping Computer has tried this on several systems using the Google Chrome browser and found it works on Windows 10 version 1709 or later. Tom's Guide uses the same foundation as Chrome, Brave web browser, which uses the same infrastructure as Chrome, and also found that it works with older versions of the unrelated Firefox browser.

Since the flaw does not appear to cause any permanent harm, it is probably safe to share the file path: "˶. ˶. ˶. ˶. ˶. ˶. ˶. ˶. ˶. ˶. ˶.

Play with this at your own risk. If you type this into the address bar of your browser, your computer will blue screen and do the usual file checks. Our computer did not automatically restart after that, so we had to manually turn it off and make everything normal.

[Update Our test PC rebooted successfully a few times, but now it is stuck in an automatic repair boot loop. So, on second thought, we should not try this."]

[Update #2: The auto-repair bootloop appears to have been caused by an entirely different problem.]

Microsoft told Bleeping Computer that "we have promised our customers that we will investigate any reported security issues and will provide updates to affected devices as soon as possible."

Lykkegaard told Bleeping Computer that Windows 10 considers the file path to be a command and also expects the user to type "attach" at the end. However, if the user does not add anything, Windows will blue screen.

He also said that any user can cause this to happen, not just users with administrative privileges; Tom's Guide has confirmed that to be the case. [The flaw is exploitable; Lykkegaard discovered that a specially crafted file downloaded from the Internet can cause a PC to crash when the file is opened, and Bleeping Computer stated that it had discovered.

Pranksters can also embed file paths in seemingly innocuous links on web pages, emails, instant messages, and social media. However, none of these are likely to cause permanent damage.

Microsoft patched the flaw on February 9 as part of its regular monthly software update. Instructions on how to ensure that this patch is installed are as follows.

Categories