Hot on the heels of last week’s Windows 10 corrupt hard drive bug comes another flaw that crashes a PC if you try to open a specific link in some web browsers. And yes, this crash will yield that feared blue screen of death (BSOD).
Both flaws were discovered by researcher Jonas Lykkegaard and detailed in his Twitter feed. This new bug doesn’t open a web page, he said, but instead directs the browser to try to browse the PC’s internal file system — a feature common to most web browsers.
But because the link is supposed to include an extra element, and the system doesn’t seem to properly check for errors (perhaps because the command is coming from a web browser), Windows 10 gets confused, trips over itself and pops up a BSOD.
Use at your own risk
Because this flaw doesn’t seem to cause any lasting harm, it’s probably safe to share the filepath: “\\.\globalroot\device\condrv\kernelconnect”.
Play with this at your own risk. If you type it into the address bar of a browser, your computer will likely bluescreen and then do the usual file checking. Our computer didn’t restart automatically after that, so we had to power-cycle manually to make all well.
[Update: Our test PC restarted normally a few times, but is now stuck in an Automatic Repair boot loop. So, on second thought, you really shouldn’t try this.]
Microsoft told Bleeping Computer that it “has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”
Lykkegaard told Bleeping Computer that Windows 10 views the filepath as a command and expects the user to also type “attach” at the end. But if the user doesn’t add anything, then Windows bluescreens.
He also said that any user, not just those with administrative privileges, can make this happen. Tom’s Guide confirmed that was true.
This flaw can be exploited. Lykkegaard found that specially crafted files downloaded from the internet could cause PCs to crash when the files were opened, and Bleeping Computer said it had found a way to make the PC crash upon startup.
Pranksters could also embed the filepath in harmless-looking links on web pages, emails, instant messages or social media. But none of these methods would be likely to cause permanent damage. [Or maybe it would — see above.]
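For defenders, one way to catch this filepath before anyone opens it is to scan message bodies, link targets and file contents for it, whatever case, slash direction or encoding it is written in. The Python below is an added example, not code from Lykkegaard, Microsoft or Bleeping Computer; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The filepath quoted in the article above.
CRASH_PATH = r"\\.\globalroot\device\condrv\kernelconnect"


def normalize(text):
    """Reduce differently written copies of a path to one comparable form."""
    for _ in range(3):                      # bounded: handles double percent-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace("/", "\\").lower()  # slash direction and case do not matter
    return re.sub(r"\\+", r"\\", text)      # collapse escaped or doubled backslashes


NEEDLE = normalize(CRASH_PATH)


def find_crash_path(text):
    """Return the 1-based numbers of the lines that reference the filepath."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if NEEDLE in normalize(line)]


# Constructed sample input (not taken from any real message or log).
SAMPLE = "\n".join([
    "Quarterly report: https://example.com/report.pdf",
    r"open \\.\GlobalRoot\Device\ConDrv\KernelConnect",
    "goto %5C%5C.%5Cglobalroot%5Cdevice%5Ccondrv%5Ckernelconnect",
    r'{"target": "\\\\.\\globalroot\\device\\condrv\\kernelconnect"}',
    r"driver loaded: C:\Windows\System32\drivers\condrv.sys",
])

if __name__ == "__main__":
    for n in find_crash_path(SAMPLE):
        print("line", n, "references the crash path")
```

A hit means the text references the filepath, not that opening it would crash a particular machine, so treat matches as items to quarantine or review.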