New Remote Flaw In 64-Bit Windows 7

← Back to Stories (view on slashdot.org)

New Remote Flaw In 64-Bit Windows 7

Posted by samzenpus on Wednesday December 21, 2011 @08:26AM from the hole-in-the-wall dept.

Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."

39 of 284 comments (clear)

So all 5 of you running Safari on Windows by elrous0 · 2011-12-21 08:27 · Score: 5, Funny

Watch out!

--
SJW: Someone who has run out of real oppression, and has to fake it.
1. Re:So all 5 of you running Safari on Windows by lgw · 2011-12-21 08:29 · Score: 4, Insightful
  
  So, wait, is this a Win7 exploit or a Safari exploit?
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
2. Re:So all 5 of you running Safari on Windows by SirBitBucket · 2011-12-21 08:31 · Score: 5, Insightful
  
  Sounds like it is an exploit of an issue with a windows component, but it is currently only known to be exploitable through Safari. Kind of like you could hotwire a car (windows) if you happen to have replaced your windows with Saran wrap (Safari), and can get right through them.
3. Re:So all 5 of you running Safari on Windows by jedidiah · 2011-12-21 08:31 · Score: 4, Insightful
  
  It shouldn't matter.
  The OS simply should not melt because Apple can't code it's way out of a wet paper bag.
  A real OS should simply not fall apart just because the users or programmers are idiots or malicious.
  
  --
  A Pirate and a Puritan look the same on a balance sheet.
4. Re:So all 5 of you running Safari on Windows by kvvbassboy · 2011-12-21 08:34 · Score: 5, Informative
  
  Quote from Secunia advisory:
  
  A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges
  Safari is apparently the only currently known browser where this attack could be vectored from.
5. Re:So all 5 of you running Safari on Windows by MikeyO · 2011-12-21 08:34 · Score: 5, Insightful
  
  Perhaps both, definitely a bug in win7. If something the unprivileged safari process does crashes the kernel, we know there must be a bug in win7.
6. Re:So all 5 of you running Safari on Windows by Luckyo · 2011-12-21 08:35 · Score: 3, Insightful
  
  That's going to be one hell of a locked down OS. Will it be able to run anything at all?
7. Re:So all 5 of you running Safari on Windows by hAckz0r · 2011-12-21 08:37 · Score: 3, Interesting
  
  5 people? Unfortunately there are a LOT of people who have to run iTunes for their iPod/iPad/iPhone in order to get updates. Those updates usually try to install Safari along with the rest of the patches. Whether the user ever actually uses Safari is another question all together. I know I have not, but I often get tired of trying to unclick the selection boxes to not have it install every time there are updates. Most people will likely just give up and let Safari install even though it takes more download time. So, I bet its at least 6 people.
8. Re:So all 5 of you running Safari on Windows by Anonymous Coward · 2011-12-21 08:37 · Score: 3, Insightful
  
  Well so much for every operating system ever created.
9. Re:So all 5 of you running Safari on Windows by OverlordQ · 2011-12-21 08:39 · Score: 5, Informative
  
  The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.
  No matter what Safari does, it shouldn't cause a crash in win32k.sys, so I'd go with Windows error via Safari error since there's probably other vectors that can also cause a crash in the same place.
  
  --
  Your hair look like poop, Bob! - Wanker.
10. Re:So all 5 of you running Safari on Windows by tgd · 2011-12-21 08:41 · Score: 4, Interesting
  
  64-bit windows requires no-execute on data pages (DEP), so there's no route you can cause data corruption and end up with executable code unless you have code running in the kernel to change the flags on the pages in memory.
  If this is a theoretical exploit, the authors of it may not be that familiar with 64-bit Windows 7, or are running on a developer machine they explicitly disabled DEP.
11. Re:So all 5 of you running Safari on Windows by Moryath · 2011-12-21 08:52 · Score: 3, Informative
  
  Sounds like it is an exploit of an issue with a windows component, but it is currently only known to be exploitable through Safari.
  If it's something only exploitable through Safari, then it's probably a Safari bug! Let's take a look at the original security advisory:
  The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.
  So, they blame win32k.sys - but apparently the actual bug is that you can cause something resembling a buffer overflow by feeding Safari a ridiculously large bit of data as an iFrame.
  Could go either way. Given that no other browser is currently deemed vulnerable, it sounds more like a Safari bug to me - just like the various PDF exploits were much more an Adobe than Microsoft responsibility.
12. Re:So all 5 of you running Safari on Windows by GIL_Dude · 2011-12-21 08:54 · Score: 5, Informative
  
  It would be more correct to say the vulnerability (flaw) is in the windows kernel and the only currently known exploit is through the safari browser. There are decent odds that some other vector will be found through which to exploit this. But for now it looks like the exploit through safari uses a lack of correct input sanitization (in safari) in order to exploit the Windows kernel vulnerability. It would probably be possible to craft an exe to do privilege elevation using this kernel flaw by passing similar bad parameters to the kernel - but of course local elevation of privilege is much less of a threat than a true drive by like this exploit through safari.
13. Re:So all 5 of you running Safari on Windows by pclminion · 2011-12-21 09:03 · Score: 5, Informative
  
  Modern exploit techniques provide multiple ways around DEP. Obviously DEP is something that should always be used if the hardware supports it (and the lack of support in older processors can in some sense be considered a design flaw) but it's no panacea against exploits. For example see return-to-libc attacks and the return-oriented programming techniques which generalize it. Even then, those techniques are based on stack smashing attacks, which are not the only kind of attack possible.
14. Re:So all 5 of you running Safari on Windows by Guy+Harris · 2011-12-21 09:08 · Score: 5, Insightful
  
  The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.
  So, they blame win32k.sys - but apparently the actual bug is that you can cause something resembling a buffer overflow by feeding Safari a ridiculously large bit of data as an iFrame.
  Could go either way.
  Should go both ways.
  Apple should fix the Safari bug so it doesn't mishandle IFRAMEs with "overly large" "height" attributes.
  Microsoft should fix the in-kernel graphics code so you can't use it to break into the system.
15. Re:So all 5 of you running Safari on Windows by Anonymous Coward · 2011-12-21 09:12 · Score: 5, Informative
  
  DEP is regularly beaten. The key is called "return oriented programming" (http://en.wikipedia.org/wiki/Return-oriented_programming), essentially oldschool "return to libc" on speed. It's a lot of painful work, but that's what it takes these days.
16. Re:So all 5 of you running Safari on Windows by Merk42 · 2011-12-21 09:13 · Score: 4, Funny
  
  That's a relief, I'm not running MicrosWindows 7oft Windows
17. Re:So all 5 of you running Safari on Windows by hairyfeet · 2011-12-21 09:21 · Score: 4, Informative
  
  Well I'd be worried about Firefox as well, because the malware guys have figured out how to get around their XSS by using a hidden iFrame, which is why if you have any porn watching friends or relatives that use Yahoo Mail + FF you may have been getting spam from them lately. Don't know if it works on FF 9 and since I'm officially on vacation until the middle of next week I'm not gonna be loading a spare box with it and surfing porn vid sites to find out as I got a ton of games and a 6 core and intend to enjoy them! Just to be safe though be sure anybody you know with FF upgrades to the latest.
  Since we are on security allow me to say why I wouldn't consider either Safari OR Firefox a suitable browser for Widows 7: Lack of low rights mode. I bet the reason you aren't seeing this on IE nor on the Chromium based (Chrome, Chromium, Dragon, SWIron) is that they support the browser running in low rights mode and that is in fact their default behavior. Now considering that low rights mode has been around for nearly 5 years now there really is no excuse for a modern browser not to support it, especially when as we all know running with least permissions is just good security practice.
  So I would say if you are on Safari or Firefox or any other browser other than the Chromium based above look to see if your browser is running in low rights mode. If it is not switch browsers and be sure to drop the developers a line and tell them WHY you are switching away from their browser. It seems like doing the switch for the right reasons (increasing the user's security) will never happen so maybe if enough folks tell them "we won't use your browser because" then they will get off their asses and support this common sense feature.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
18. Re:So all 5 of you running Safari on Windows by AC-x · 2011-12-21 11:31 · Score: 3, Informative
  
  There are 2 exploits here, one is in Safari which allows someone to at least crash the machine, the other is in win32k.sys which allows a user space program to take over the kernel (privilege escalation bug)
  The win32k.sys bug is far more serious as it would give any program even run under a limited user account complete access to the system
19. Re:So all 5 of you running Safari on Windows by cbhacking · 2011-12-21 12:08 · Score: 3, Informative
  
  It's been audited, multiple times. The problem is that it's both truly immense (hundreds of public entry points, to say nothing of its internal functions) and a mishmash of code dating back to the early days of NT (NT 4 at least, maybe the 3.x versions too) up through new code for Win8. I have no idea how many source files compile into it. I got a (legit and very nearly complete) copy of the Win2K source for a university project, and even in that version (now 4 releases old), Win32k.sys was a terrifying thing to behold.
  I once heard a Microsoft employee talking about the Stuxnet malware. He joked that it goet in through "this vulnerability called Win32k.sys - I mean, this vulnerability *in* win32k.sys..." They're quite aware of its problems. However, even when a bug is found, it's extremely difficult to fix it safely (I'm told that the average number of regressions during fixing a bug they find is greater than two, and each of those may cause more regressions when you try to fix them).
  
  --
  There's no place I could be, since I've found Serenity...
20. Re:So all 5 of you running Safari on Windows by cgenman · 2011-12-21 16:49 · Score: 3, Interesting
  
  Microsoft should fix the in-kernel graphics code so you can't use it to break into the system.
  As a game developer, I need graphics code to be low level, fast, and insecure. There are times I just need it to be a rocketship without handrails.
  If there is a way to secure it without sacrificing speed, that's great! But doing a great deal of error checking on that level? Leave me some insecure route to blitting billions of bits to the screen without guardrails please.
  
  --
  The ______ Agenda
21. Re:So all 5 of you running Safari on Windows by Guy+Harris · 2011-12-21 16:58 · Score: 3, Insightful
  
  Microsoft should fix the in-kernel graphics code so you can't use it to break into the system.
  As a game developer, I need graphics code to be low level, fast, and insecure. There are times I just need it to be a rocketship without handrails.
  If there is a way to secure it without sacrificing speed, that's great! But doing a great deal of error checking on that level? Leave me some insecure route to blitting billions of bits to the screen without guardrails please.
  Sure, as long as 1) only the applications that absolutely positively need this do their graphics through that API and other apps can't even get at that API under any circumstances (so if the app has a bug nobody can inject code to enable it) and 2) applications that do can be marked as "DANGER DANGER WILL ROBINSON IF THIS APP HAS A BUG YOU MIGHT BE SERIOUSLY PWNED". There might be a tradeoff between your requirements and the requirements of security, and the best resolution for that tradeoff might not be in your favor....
Headline.. Flaw in APPLE Safari for windows found by SirBitBucket · 2011-12-21 08:28 · Score: 4, Insightful

So far you must use Safari under Win7 64bit to exploit this. But we would never want to say anything bad about Apple, only about Microsoft...
H-online also has the story. by mrflash818 · 2011-12-21 08:29 · Score: 4, Informative

20 December 2011, 13:21
Highly critical zero day vulnerability in Windows discovered
http://www.h-online.com/security/news/item/Highly-critical-zero-day-vulnerability-in-Windows-discovered-1398625.html

--
Uh, Linux geek since 1999.
Wait... by SJHillman · 2011-12-21 08:31 · Score: 4, Funny

Safari runs on Windows? Any time I've tried running Apple software (iTunes, Safari, Quicktime) on Windows, it just takes forever to load, wants to spend all day updating, chews up my memory and craps on my processor. If someone is running Safari on Windows intentionally then they might be masochistic enough to welcome this 'feature'
It's an Apple exploit. by whatthef*ck · 2011-12-21 08:31 · Score: 3, Insightful

Shouldn't the posting have the Apple graphic instead of Microsoft?
1. Re:It's an Apple exploit. by Mashiki · 2011-12-21 08:52 · Score: 3, Funny
  
  Nah. Easier to bash MS, this is /. after all. Critical thinking skills go out the Windows.
  
  --
  Om, nomnomnom...
Re:Headline.. Flaw in APPLE Safari for windows fou by The+MAZZTer · 2011-12-21 08:32 · Score: 4, Informative

TFA suggests it allows kernel privileges, so it is certainly a Windows exploit. But it may also be a Safari bug too, it depends whether or not the data it is passing to the Windows API calls that are causing the exploit would be considered reasonable or not.
I don't think I'd call this remote by sqlrob · 2011-12-21 08:35 · Score: 4, Insightful

Remote to me means "it's connected, you're vulnerable". This requires the user to take an action, getting some local data. From the description, you could have the same files on the file system and it would work.
Bad? Yeah. But not "plug it in, computer is pwned" bad.
Re:Headline.. Flaw in APPLE Safari for windows fou by Baloroth · 2011-12-21 08:35 · Score: 5, Interesting

The flaw seems to be in a call to a Windows API.

It is possible to trigger a memory error in the system file win32k.sys by accessing a crafted HTML file in Safari....According to webDEViL, the source of the vulnerability is the function NtGdiDrawStream.

So it is possible other programs could be affected. It is also possible that Safari itself handles the function in a broken manner. Note that Firefox appears to also have crashes related to that function (on x86 Windows, though, it's like the second Google result for that function). So, really impossible to say at this point. Also, they could only cause Windows to crash, not to run arbitrary code or anything. So far anyways.

--
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Re:Headline.. Flaw in APPLE Safari for windows fou by The+MAZZTer · 2011-12-21 08:37 · Score: 5, Informative

Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial of Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...
Re:Headline.. Flaw in APPLE Safari for windows fou by rabbit994 · 2011-12-21 08:46 · Score: 3, Interesting

The only confirmed anything I've seen is someone can BSOD the computer. Which while a bug, not Remote Code Execute, just Denial of Service attack.
Since this problem only exists in Safari, either Chrome/IE/Firefox are sanitizing those inputs to prevent that from reaching Windows kernel.
Furthermore, since this x64 bug only, my guess is this issue was patched in 32 but for some reason, WOW64 isn't seeing it or catching it.
Re:misleading headline by icebike · 2011-12-21 08:51 · Score: 3, Informative

Safari is the only attack vector. This by definition is not a remote flaw as it requires you to do something to exploit a web browser, thus it is a 'local exploit'.
The web page can be remote, and can presumably gain control. You, the user, need do nothing but click a link, and might possibly be unaware that anything had happened.
Letting someone talk you into installing Safari also constitutes a Social Engineering exploit. So you might be right after all.

--
Sig Battery depleted. Reverting to safe mode.
Re:Does anyone read anymore? by vux984 · 2011-12-21 08:56 · Score: 3, Informative

This is Microsoft buggy code causing issue, Safari problem is merely one way to cause rooting of machine, other softwares using this service will undoubtedly provide more cases.
a) Yes, this is a bug in Windows. No question. Windows isn't validating the input, and should just reject it or throw an exeption or whatever. Crashing is not acceptable and represents a bug in windows.
b) This is also a bug in safari. Safari is not validating its input either. Its just blindly passing a request to create an 18million pixel tall iframe down to the Windows API somewhere...
c) Yes, other softwares will likely be found. But so far only safari is known to be in the unique position of using that API, passing it arbitrary remote content while failing to validate its input.
A bit of malicious code that explicitly does use that API actually has to get onto the local system first. Local exploits are much less serious than remote ones.
So yes, this is a windows bug. But it is also a safari bug. Both should be fixed.
Re:Silly by ledow · 2011-12-21 09:02 · Score: 4, Insightful

Missing the point. Point is that userland code (and the example uses Safari but what should it matter *what* program activates it - it shouldn't be possible and can probably be easily activated by any sort of direct code) creates a BSOD in Windows.
That shouldn't happen - that's the whole point of an OS.
Obviously this proves that... by forkfail · 2011-12-21 09:04 · Score: 5, Funny

(check one)
[ ] Microsoft products are far less secure than Apple. Because everyone knows that Safari is completely safe always on Apple machines, and only fails on Windows.
[ ] Apple products are far less secure than Microsoft. Because obviously the hole in Microsoft security here is introduced through an Apple product, and really doesn't occur otherwise.
[ ] If people were just running Linux, they wouldn't be having these problems.
[ ] This is gonna be good. Ima gettin' my popcorn now!

--
Check your premises.
Windows Classic not affected? by Fred+Or+Alive · 2011-12-21 09:46 · Score: 5, Interesting

After a bit bit of playing "let's intentionally crash Windows", it seems that using the Windows Classic skin fixes the bug, and the page renders fine (if a little uninteresting, it's basically a long page with a box on it). It BSODs on Windows Basic and Aero. I haven't a clue if this is a real fix, or if it's just that the magic number needed to crash the system is different with Windows Classic compared with Basic / Aero. Windows XP (32 bit) is fine as well (again page renders fine, no crashes of anything).
I personally think it's largely a Windows bug, even if Safari has a bug (that oddly only does anything on one version of Windows, and even then only with certain conditions), a programme doing something stupid should not crash the entire OS.

--
10 PRINT "LOOK AROUND YOU "; 20 GOTO 10
Re:misleading headline by JDG1980 · 2011-12-21 09:50 · Score: 3, Funny

Letting someone talk you into installing Safari also constitutes a Social Engineering exploit. So you might be right after all.
Apple attempts this "exploit" every time someone installs or updates iTunes for Windows.
Annoying lack of details by anonymov · 2011-12-21 10:07 · Score: 4, Informative

For now it's unclear how bad is this, as the only concrete detail is Secunia's link to "original advisory"
From digging around bug submitter's twitter:

@igursev @therealsaumil not really an integer overflow. Otherwise 18082564 would have also worked ;-)
4 hours ago
w3bd3vil webDEViL @
@igursev It probably is, but not theoretically. In simpler terms, I can't build an exploit for it.
12 hours ago
@kernelpool yeah I tried with some help to get code execution but was beyond me...
19 Dec
@r3dsm0k3 Yeah. It's the NtGdiDrawStream which is being called multiple times...leading to a not so interesting crash.
18 Dec
<iframe height='18082563'></iframe> causes a BSoD on win 7 x64 via Safari. Lol!
18 Dec
So a) there's a bug in win32k.sys, tickled by Safari's (allegedly) incorrect API usage, so there's possibility of other exploits, b) "may lead to arbitrary code execution" means "we don't know yet, but we're playing safe", the only confirmed effect is BSoD by memory corruption.
Why the fuck there's so little about it, did nobody research yet what kind of memory corruption it actually does? The tweet's from 4 days ago, FFS.