Slashdot Mirror


New Remote Flaw In 64-Bit Windows 7

Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."

3 of 284 comments

  1. Re:Headline.. Flaw in APPLE Safari for windows fou by Baloroth · Score: 5, Interesting

    The flaw seems to be in a call to a Windows API.

    It is possible to trigger a memory error in the system file win32k.sys by accessing a crafted HTML file in Safari....According to webDEViL, the source of the vulnerability is the function NtGdiDrawStream.

    So it is possible other programs could be affected. It is also possible that Safari itself handles the function in a broken manner. Note that Firefox appears to also have crashes related to that function (on x86 Windows, though, it's like the second Google result for that function). So, really impossible to say at this point. Also, they could only cause Windows to crash, not to run arbitrary code or anything. So far anyways.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  2. Re:So all 5 of you running Safari on Windows by tgd · Score: 4, Interesting

    64-bit Windows requires no-execute on data pages (DEP), so there's no route by which you can cause data corruption and end up with executable code unless you have code running in the kernel to change the flags on the pages in memory.

    If this is a theoretical exploit, the authors of it may not be that familiar with 64-bit Windows 7, or are running on a developer machine they explicitly disabled DEP.
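The comment above rests on what the machine-wide DEP policy actually is. The script below is an added example, not code from the thread or from any of the posters: it reads the documented DEP properties of the `Win32_OperatingSystem` WMI class (available on Vista and later) and flags the one configuration the comment treats as unsafe, DEP switched off. `Get-WmiObject` and `New-Object PSObject` are used so it also runs on the PowerShell 2.0 that ships with Windows 7; the function names are my own.

```powershell
# Added example, not from the Slashdot thread: report the machine-wide DEP policy.
# Property names are the documented Win32_OperatingSystem members; function
# names (Get-DepPolicyReport, Test-DepDisabled) are this example's own.
function Get-DepPolicyReport {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Documented values of DataExecutionPrevention_SupportPolicy
    $policyNames = @{
        0 = 'AlwaysOff'   # DEP disabled for all processes
        1 = 'AlwaysOn'    # enforced for every process, no per-process opt-out
        2 = 'OptIn'       # client default: system binaries plus apps that opt in
        3 = 'OptOut'      # server default: all processes except explicit exemptions
    }
    $policyCode = [int]$os.DataExecutionPrevention_SupportPolicy

    New-Object PSObject -Property @{
        Architecture    = $os.OSArchitecture
        DepAvailable    = $os.DataExecutionPrevention_Available
        PolicyCode      = $policyCode
        Policy          = $policyNames[$policyCode]
        Covers32BitApps = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers   = $os.DataExecutionPrevention_Drivers
    }
}

# True when DEP is unavailable or the policy is AlwaysOff, i.e. the "developer
# machine with DEP explicitly disabled" case the comment describes.
function Test-DepDisabled {
    $report = Get-DepPolicyReport
    return (-not $report.DepAvailable) -or ($report.PolicyCode -eq 0)
}

Get-DepPolicyReport | Format-List
if (Test-DepDisabled) {
    Write-Warning 'DEP is off machine-wide; a default 64-bit install reports OptIn or OptOut.'
}
```

The same setting is visible as the `nx` entry in `bcdedit /enum {current}`. Note what the check measures: this policy governs user-mode pages. Code that faults inside win32k.sys, where the first comment places this bug, is already executing in kernel mode, so the report tells you about the user-mode side of the exposure, not whether the kernel crash is reachable.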

  3. Windows Classic not affected? by Fred+Or+Alive · Score: 5, Interesting

    After a bit of playing "let's intentionally crash Windows", it seems that using the Windows Classic skin fixes the bug, and the page renders fine (if a little uninteresting, it's basically a long page with a box on it). It BSODs on Windows Basic and Aero. I haven't a clue if this is a real fix, or if it's just that the magic number needed to crash the system is different with Windows Classic compared with Basic / Aero. Windows XP (32 bit) is fine as well (again page renders fine, no crashes of anything).

    I personally think it's largely a Windows bug, even if Safari has a bug (that oddly only does anything on one version of Windows, and even then only with certain conditions), a programme doing something stupid should not crash the entire OS.

    --
    10 PRINT "LOOK AROUND YOU ";
    20 GOTO 10
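The BSODs reported in the comments above leave a record after reboot: Windows Error Reporting writes event ID 1001 from source "BugCheck" to the System log, carrying the stop code, its four parameters and the dump path. The script below is an added example, not code from the thread or its posters: it pulls those records and parses them into a triage table. The stop-code names are well-known documented values; the thread does not say which code the Safari/win32k.sys crash raises, so none is attributed to it, and the sample message is constructed to match the event's format. `Get-EventLog` is used so it runs on the PowerShell 2.0 shipped with Windows 7; the function names are my own.

```powershell
# Added example, not from the Slashdot thread: turn System-log bugcheck events
# (source "BugCheck", event ID 1001) into a table of stop code, parameters and
# dump file. Function names are this example's own.

# Documented well-known stop codes; the thread gives no code for this bug,
# so nothing here claims to identify it.
$stopCodeNames = @{
    '0x0000000a' = 'IRQL_NOT_LESS_OR_EQUAL'
    '0x0000001e' = 'KERNEL_MODE_EXCEPTION_NOT_HANDLED'
    '0x0000003b' = 'SYSTEM_SERVICE_EXCEPTION'
    '0x00000050' = 'PAGE_FAULT_IN_NONPAGED_AREA'
    '0x0000007e' = 'SYSTEM_THREAD_EXCEPTION_NOT_HANDLED'
    '0x0000007f' = 'UNEXPECTED_KERNEL_MODE_TRAP'
    '0x0000008e' = 'KERNEL_MODE_EXCEPTION_NOT_HANDLED_M'
    '0x000000d1' = 'DRIVER_IRQL_NOT_LESS_OR_EQUAL'
}

# Parse the message text of one event 1001; returns $null if it is not one.
function ConvertFrom-BugcheckMessage {
    param([string]$Message, [datetime]$When = (Get-Date))

    $codeMatch = [regex]::Match($Message, 'bugcheck was:\s*(0x[0-9A-Fa-f]{8})\s*\(([^)]*)\)', 'IgnoreCase')
    $dumpMatch = [regex]::Match($Message, 'saved in:\s*(.+?\.dmp)', 'IgnoreCase')
    if (-not $codeMatch.Success) { return $null }

    $code = $codeMatch.Groups[1].Value.ToLower()
    $name = 'unknown'
    if ($stopCodeNames.ContainsKey($code)) { $name = $stopCodeNames[$code] }
    $dump = $null
    if ($dumpMatch.Success) { $dump = $dumpMatch.Groups[1].Value }

    New-Object PSObject -Property @{
        Time       = $When
        StopCode   = $code
        StopName   = $name
        Parameters = ($codeMatch.Groups[2].Value -split ',\s*')
        DumpFile   = $dump
    }
}

# Read every bugcheck record on this machine (empty if it has never crashed).
function Get-BugcheckReport {
    $events = Get-EventLog -LogName System -Source 'BugCheck' -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1001 }
    foreach ($e in $events) {
        $parsed = ConvertFrom-BugcheckMessage -Message $e.Message -When $e.TimeGenerated
        if ($parsed) { $parsed }
    }
}

# Constructed sample in the format event 1001 uses (not a record of this bug),
# so the parser can be exercised on a machine that has not crashed.
$sample = 'The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 ' +
          '(0xfffff90012345678, 0x0000000000000000, 0xfffff9600001abcd, 0x0000000000000005). ' +
          'A dump was saved in: C:\Windows\Minidump\120711-15678-01.dmp. Report Id: 120711-15678-01.'
ConvertFrom-BugcheckMessage -Message $sample | Format-List

Get-BugcheckReport | Sort-Object Time -Descending |
    Format-Table Time, StopCode, StopName, DumpFile -AutoSize
```

Correlating the times in this table with browser launches (or with a theme change, as the comment tried) is what turns "it BSODs on Aero but not Classic" into something you can check on a fleet rather than one box; the dump path points at the file to open in WinDbg with `!analyze -v` for the faulting module.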