Windows Kernel multiple stack and pool memory disclosures into NTFS file system metadata
CVE-2017-11880
We have discovered that the NTFS.sys driver writes uninitialized kernel stack and pool memory into the internal structures of the file system, while mounting and operating on it. This may be of security concern in cases where, for example, users share some files with each other via USB sticks or other storage media with NTFS-formatted volumes on them. While the victim would assume that they're only sharing intended data explicitly copied to the disk, they could also unknowingly share bits and pieces of sensitive/confidential information stored in the kernel that just happened to reside in the memory area used by NTFS.sys while constructing internal file system structures.
Even scarier are leaks which don't require any human interaction and take place immediately when the volume is mounted. In this scenario, it could be possible to disclose kernel memory of a locked machine with physical access to a USB port, by repeatedly plugging in a flash drive (or a device which emulates one), waiting for the uninitialized memory to be written by the system, reading it back and re-mounting the disk.
We have implemented some dedicated logic in our Bochspwn system instrumentation to detect instances of such info leaks, only to find out that they do indeed take place in Windows.
____
This is completely fucking insane; how in the world could this happen? Surely it couldn't be by design, either.
Now, I can understand being some retard normalfag and falling for the muh games meme, or office stuff and so on, but what I can't understand is how any foreign government or enterprise could possibly be interested in using Windows with stuff like this coming out regularly. At what point do you ask, "Is it worth running this botnet? Can we trust it?" Is it just that their possible tech pools are so shallow that they literally can't use any other operating systems? It's all so baffling to me.
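The bug class the quoted advisory describes, as an added illustration that is not code from NTFS.sys or from the Project Zero report: a non-zeroing allocation is reused, the writer populates only the fields it cares about, and the whole structure is flushed to disk, so whatever the previous tenant of that memory left behind goes to the platter with it. The `disk_record` layout, the simulated pool, the 'S'-filled "secret" and the field values are all constructed for this example and assume nothing about the real NTFS on-disk format. The fixed writer zeroes the allocation first, and `count_residue` is the read-back check: count non-zero bytes in regions the format defines as reserved or unused.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical on-disk metadata record, standing in for an NTFS structure.
 * It is constructed for this example and is not the real NTFS layout. Field
 * sizes are chosen so the compiler inserts no implicit padding (32 bytes). */
struct disk_record {
    uint32_t magic;        /* set by the writer */
    uint8_t  flags;        /* set by the writer */
    uint8_t  reserved[3];  /* format says "must be zero"; writer never touches it */
    uint64_t size;         /* set by the writer */
    uint8_t  pad[16];      /* unused tail; writer never touches it */
};

/* Simulated non-zeroing allocator: like a kernel pool allocation without a
 * zeroing flag, it hands back memory still holding the previous tenant's data. */
static uint8_t pool[sizeof(struct disk_record)];
static void *pool_alloc(void) { return pool; }

/* A previous user of the same memory leaves "sensitive" bytes behind
 * (constructed here as a run of 'S' so the residue is easy to spot). */
static void previous_tenant_leaves_secret(void) { memset(pool, 'S', sizeof pool); }

/* Vulnerable writer: populate the fields it cares about, then flush the whole
 * struct to the "disk" buffer. reserved[] and pad[] go out with stale bytes. */
static size_t write_record_leaky(uint8_t *disk, size_t disk_len,
                                 uint32_t magic, uint8_t flags, uint64_t size) {
    struct disk_record *r = pool_alloc();
    if (disk_len < sizeof *r) return 0;
    r->magic = magic;
    r->flags = flags;
    r->size  = size;
    memcpy(disk, r, sizeof *r);
    return sizeof *r;
}

/* Hardened writer: zero the allocation before populating it, so anything the
 * writer does not explicitly set reaches the disk as zero. */
static size_t write_record_fixed(uint8_t *disk, size_t disk_len,
                                 uint32_t magic, uint8_t flags, uint64_t size) {
    struct disk_record *r = pool_alloc();
    if (disk_len < sizeof *r) return 0;
    memset(r, 0, sizeof *r);
    r->magic = magic;
    r->flags = flags;
    r->size  = size;
    memcpy(disk, r, sizeof *r);
    return sizeof *r;
}

/* Detection side: read a record image back from disk and count non-zero bytes
 * in the regions the format defines as reserved or unused. A clean writer
 * produces 0; anything else is memory the author never meant to persist. */
static size_t count_residue(const uint8_t *disk) {
    struct disk_record r;
    size_t n = 0, i;
    memcpy(&r, disk, sizeof r);
    for (i = 0; i < sizeof r.reserved; i++) n += (r.reserved[i] != 0);
    for (i = 0; i < sizeof r.pad; i++)      n += (r.pad[i] != 0);
    return n;
}

/* Run one writer after the pool has been dirtied and return the residue count:
 * 3 reserved + 16 pad = 19 stale bytes for the leaky writer, 0 for the fixed one. */
static size_t demo(int use_fixed_writer) {
    uint8_t disk[sizeof(struct disk_record)];
    size_t written;
    previous_tenant_leaves_secret();
    written = use_fixed_writer
        ? write_record_fixed(disk, sizeof disk, 0x454C4946u, 1, 4096)
        : write_record_leaky(disk, sizeof disk, 0x454C4946u, 1, 4096);
    if (written != sizeof disk) return (size_t)-1;
    return count_residue(disk);
}

int main(void) {
    printf("leaky writer: %zu bytes of stale pool memory on disk\n", demo(0));
    printf("fixed writer: %zu bytes of stale pool memory on disk\n", demo(1));
    return 0;
}
```

The same read-back check is what you would run against a real volume in the re-mount scenario the advisory describes: dump the metadata after the system has written it, and compare every region the format specification marks as reserved or unused against zero. Doing that properly requires knowing the real on-disk layout, which this example deliberately does not claim to model.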