New Remote Flaw In 64-Bit Windows 7
Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."
http://www.h-online.com/security/news/item/Highly-critical-zero-day-vulnerability-in-Windows-discovered-1398625.html
Uh, Linux geek since 1999.
TFA suggests it allows kernel privileges, so it is certainly a Windows exploit. But it may also be a Safari bug; it depends on whether or not the data it is passing to the Windows API calls that cause the exploit would be considered reasonable.
Quote from Secunia advisory:
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.
Safari is apparently the only currently known browser where this attack could be vectored from.
Addendum: <iframe height='18082563'></iframe> causes a BSoD in the Windows kernel, so it is certainly a Windows bug. It would be trivial for Apple to hotfix it to prevent exploitation via Safari, but any other application could theoretically exploit it and elevate its code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary's claim...
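As an added example (not code from this thread, Secunia or Apple): a small content-filter check a defender could run over HTML at a proxy or mail gateway to flag iframes whose height attribute is absurdly large, such as the value the thread reports. The pixel cap is an assumption chosen for the example; percent heights are skipped because they are resolved against the viewport rather than passed through as a raw pixel count.

```python
from html.parser import HTMLParser

# Assumed cap (chosen for this example): no legitimate page needs an iframe
# taller than this many pixels, so anything above it is reported.
MAX_SANE_HEIGHT_PX = 100_000

def parse_height(value):
    """Return a pixel height as int; None for percent or non-numeric values.
    Percent heights resolve against the viewport and are not reported."""
    if value is None:
        return None
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2].strip()
    return int(text) if text.isdigit() else None

class IframeHeightScanner(HTMLParser):
    """Record (line, height) for every iframe whose height exceeds the cap."""

    def __init__(self, limit=MAX_SANE_HEIGHT_PX):
        super().__init__()
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and strips quotes.
        if tag != "iframe":
            return
        for name, value in attrs:
            height = parse_height(value) if name == "height" else None
            if height is not None and height > self.limit:
                line, _offset = self.getpos()
                self.findings.append((line, height))

def scan_html(document, limit=MAX_SANE_HEIGHT_PX):
    """Scan an HTML string; return [(line_number, height_px), ...]."""
    scanner = IframeHeightScanner(limit)
    scanner.feed(document)
    scanner.close()
    return scanner.findings

# Constructed sample: three ordinary frames plus the thread's crash value.
SAMPLE = """<html><body>
<iframe src="a.html" height="300"></iframe>
<iframe src="b.html" height="100%"></iframe>
<iframe src="c.html" height='500px'></iframe>
<iframe height='18082563'></iframe>
</body></html>"""
```

Running `scan_html(SAMPLE)` reports only the fifth line; lowering `limit` reports the smaller pixel heights too, which is how the cap would be tuned against real traffic.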
No matter what Safari does, it shouldn't cause a crash in win32k.sys, so I'd go with a Windows error via a Safari error, since there are probably other vectors that can also cause a crash in the same place.
Your hair look like poop, Bob! - Wanker.
It would be more correct to say the vulnerability (flaw) is in the Windows kernel and the only currently known exploit is through the Safari browser. There are decent odds that some other vector will be found through which to exploit this. But for now it looks like the exploit through Safari uses a lack of correct input sanitization (in Safari) in order to exploit the Windows kernel vulnerability. It would probably be possible to craft an exe to do privilege elevation using this kernel flaw by passing similar bad parameters to the kernel - but of course local elevation of privilege is much less of a threat than a true drive-by like this exploit through Safari.
Modern exploit techniques provide multiple ways around DEP. Obviously DEP is something that should always be used if the hardware supports it (and the lack of support in older processors can in some sense be considered a design flaw) but it's no panacea against exploits. For example see return-to-libc attacks and the return-oriented programming techniques which generalize it. Even then, those techniques are based on stack smashing attacks, which are not the only kind of attack possible.
DEP is regularly beaten. The key is called "return-oriented programming" (http://en.wikipedia.org/wiki/Return-oriented_programming), essentially old-school "return to libc" on speed. It's a lot of painful work, but that's what it takes these days.
Well, I'd be worried about Firefox as well, because the malware guys have figured out how to get around their XSS by using a hidden iFrame, which is why if you have any porn-watching friends or relatives that use Yahoo Mail + FF you may have been getting spam from them lately. Don't know if it works on FF 9, and since I'm officially on vacation until the middle of next week I'm not gonna be loading a spare box with it and surfing porn vid sites to find out, as I got a ton of games and a 6 core and intend to enjoy them! Just to be safe, though, be sure anybody you know with FF upgrades to the latest.
Since we are on security, allow me to say why I wouldn't consider either Safari OR Firefox a suitable browser for Windows 7: lack of low rights mode. I bet the reason you aren't seeing this on IE nor on the Chromium-based browsers (Chrome, Chromium, Dragon, SWIron) is that they support the browser running in low rights mode and that is in fact their default behavior. Now, considering that low rights mode has been around for nearly 5 years now, there really is no excuse for a modern browser not to support it, especially when, as we all know, running with least permissions is just good security practice.
So I would say if you are on Safari or Firefox or any other browser other than the Chromium-based ones above, look to see if your browser is running in low rights mode. If it is not, switch browsers and be sure to drop the developers a line and tell them WHY you are switching away from their browser. It seems like doing the switch for the right reasons (increasing the user's security) will never happen, so maybe if enough folks tell them "we won't use your browser because" then they will get off their asses and support this common-sense feature.
ACs don't waste your time replying, your posts are never seen by me.
For now it's unclear how bad this is, as the only concrete detail is Secunia's link to the "original advisory".
From digging around the bug submitter's Twitter:
@igursev @therealsaumil not really an integer overflow. Otherwise 18082564 would have also worked ;-)
4 hours ago
w3bd3vil webDEViL @
@igursev It probably is, but not theoretically. In simpler terms, I can't build an exploit for it.
12 hours ago
@kernelpool yeah I tried with some help to get code execution but was beyond me...
19 Dec
@r3dsm0k3 Yeah. It's the NtGdiDrawStream which is being called multiple times...leading to a not so interesting crash.
18 Dec
<iframe height='18082563'></iframe> causes a BSoD on win 7 x64 via Safari. Lol!
18 Dec
So a) there's a bug in win32k.sys, tickled by Safari's (allegedly) incorrect API usage, so there's a possibility of other exploits, b) "may lead to arbitrary code execution" means "we don't know yet, but we're playing safe"; the only confirmed effect is a BSoD by memory corruption.
Why the fuck is there so little about it? Did nobody research yet what kind of memory corruption it actually does? The tweet's from 4 days ago, FFS.