New Remote Flaw In 64-Bit Windows 7

← Back to Stories (view on slashdot.org)

New Remote Flaw In 64-Bit Windows 7

Posted by samzenpus on Wednesday December 21, 2011 @08:26AM from the hole-in-the-wall dept.

Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."

25 of 284 comments (clear)

So all 5 of you running Safari on Windows by elrous0 · 2011-12-21 08:27 · Score: 5, Funny

Watch out!

--
SJW: Someone who has run out of real oppression, and has to fake it.
1. Re:So all 5 of you running Safari on Windows by lgw · 2011-12-21 08:29 · Score: 4, Insightful
  
  So, wait, is this a Win7 exploit or a Safari exploit?
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
2. Re:So all 5 of you running Safari on Windows by SirBitBucket · 2011-12-21 08:31 · Score: 5, Insightful
  
  Sounds like it is an exploit of an issue with a windows component, but it is currently only known to be exploitable through Safari. Kind of like you could hotwire a car (windows) if you happen to have replaced your windows with Saran wrap (Safari), and can get right through them.
3. Re:So all 5 of you running Safari on Windows by jedidiah · 2011-12-21 08:31 · Score: 4, Insightful
  
  It shouldn't matter.
  The OS simply should not melt because Apple can't code it's way out of a wet paper bag.
  A real OS should simply not fall apart just because the users or programmers are idiots or malicious.
  
  --
  A Pirate and a Puritan look the same on a balance sheet.
4. Re:So all 5 of you running Safari on Windows by kvvbassboy · 2011-12-21 08:34 · Score: 5, Informative
  
  Quote from Secunia advisory:
  
  A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges
  Safari is apparently the only currently known browser where this attack could be vectored from.
5. Re:So all 5 of you running Safari on Windows by MikeyO · 2011-12-21 08:34 · Score: 5, Insightful
  
  Perhaps both, definitely a bug in win7. If something the unprivileged safari process does crashes the kernel, we know there must be a bug in win7.
6. Re:So all 5 of you running Safari on Windows by OverlordQ · 2011-12-21 08:39 · Score: 5, Informative
  
  The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.
  No matter what Safari does, it shouldn't cause a crash in win32k.sys, so I'd go with Windows error via Safari error since there's probably other vectors that can also cause a crash in the same place.
  
  --
  Your hair look like poop, Bob! - Wanker.
7. Re:So all 5 of you running Safari on Windows by tgd · 2011-12-21 08:41 · Score: 4, Interesting
  
  64-bit windows requires no-execute on data pages (DEP), so there's no route you can cause data corruption and end up with executable code unless you have code running in the kernel to change the flags on the pages in memory.
  If this is a theoretical exploit, the authors of it may not be that familiar with 64-bit Windows 7, or are running on a developer machine they explicitly disabled DEP.
8. Re:So all 5 of you running Safari on Windows by GIL_Dude · 2011-12-21 08:54 · Score: 5, Informative
  
  It would be more correct to say the vulnerability (flaw) is in the windows kernel and the only currently known exploit is through the safari browser. There are decent odds that some other vector will be found through which to exploit this. But for now it looks like the exploit through safari uses a lack of correct input sanitization (in safari) in order to exploit the Windows kernel vulnerability. It would probably be possible to craft an exe to do privilege elevation using this kernel flaw by passing similar bad parameters to the kernel - but of course local elevation of privilege is much less of a threat than a true drive by like this exploit through safari.
9. Re:So all 5 of you running Safari on Windows by pclminion · 2011-12-21 09:03 · Score: 5, Informative
  
  Modern exploit techniques provide multiple ways around DEP. Obviously DEP is something that should always be used if the hardware supports it (and the lack of support in older processors can in some sense be considered a design flaw) but it's no panacea against exploits. For example see return-to-libc attacks and the return-oriented programming techniques which generalize it. Even then, those techniques are based on stack smashing attacks, which are not the only kind of attack possible.
10. Re:So all 5 of you running Safari on Windows by Guy+Harris · 2011-12-21 09:08 · Score: 5, Insightful
  
  The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.
  So, they blame win32k.sys - but apparently the actual bug is that you can cause something resembling a buffer overflow by feeding Safari a ridiculously large bit of data as an iFrame.
  Could go either way.
  Should go both ways.
  Apple should fix the Safari bug so it doesn't mishandle IFRAMEs with "overly large" "height" attributes.
  Microsoft should fix the in-kernel graphics code so you can't use it to break into the system.
11. Re:So all 5 of you running Safari on Windows by Anonymous Coward · 2011-12-21 09:12 · Score: 5, Informative
  
  DEP is regularly beaten. The key is called "return oriented programming" (http://en.wikipedia.org/wiki/Return-oriented_programming), essentially oldschool "return to libc" on speed. It's a lot of painful work, but that's what it takes these days.
12. Re:So all 5 of you running Safari on Windows by Merk42 · 2011-12-21 09:13 · Score: 4, Funny
  
  That's a relief, I'm not running MicrosWindows 7oft Windows
13. Re:So all 5 of you running Safari on Windows by hairyfeet · 2011-12-21 09:21 · Score: 4, Informative
  
  Well I'd be worried about Firefox as well, because the malware guys have figured out how to get around their XSS by using a hidden iFrame, which is why if you have any porn watching friends or relatives that use Yahoo Mail + FF you may have been getting spam from them lately. Don't know if it works on FF 9 and since I'm officially on vacation until the middle of next week I'm not gonna be loading a spare box with it and surfing porn vid sites to find out as I got a ton of games and a 6 core and intend to enjoy them! Just to be safe though be sure anybody you know with FF upgrades to the latest.
  Since we are on security allow me to say why I wouldn't consider either Safari OR Firefox a suitable browser for Widows 7: Lack of low rights mode. I bet the reason you aren't seeing this on IE nor on the Chromium based (Chrome, Chromium, Dragon, SWIron) is that they support the browser running in low rights mode and that is in fact their default behavior. Now considering that low rights mode has been around for nearly 5 years now there really is no excuse for a modern browser not to support it, especially when as we all know running with least permissions is just good security practice.
  So I would say if you are on Safari or Firefox or any other browser other than the Chromium based above look to see if your browser is running in low rights mode. If it is not switch browsers and be sure to drop the developers a line and tell them WHY you are switching away from their browser. It seems like doing the switch for the right reasons (increasing the user's security) will never happen so maybe if enough folks tell them "we won't use your browser because" then they will get off their asses and support this common sense feature.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
Headline.. Flaw in APPLE Safari for windows found by SirBitBucket · 2011-12-21 08:28 · Score: 4, Insightful

So far you must use Safari under Win7 64bit to exploit this. But we would never want to say anything bad about Apple, only about Microsoft...
H-online also has the story. by mrflash818 · 2011-12-21 08:29 · Score: 4, Informative

20 December 2011, 13:21
Highly critical zero day vulnerability in Windows discovered
http://www.h-online.com/security/news/item/Highly-critical-zero-day-vulnerability-in-Windows-discovered-1398625.html

--
Uh, Linux geek since 1999.
Wait... by SJHillman · 2011-12-21 08:31 · Score: 4, Funny

Safari runs on Windows? Any time I've tried running Apple software (iTunes, Safari, Quicktime) on Windows, it just takes forever to load, wants to spend all day updating, chews up my memory and craps on my processor. If someone is running Safari on Windows intentionally then they might be masochistic enough to welcome this 'feature'
Re:Headline.. Flaw in APPLE Safari for windows fou by The+MAZZTer · 2011-12-21 08:32 · Score: 4, Informative

TFA suggests it allows kernel privileges, so it is certainly a Windows exploit. But it may also be a Safari bug too, it depends whether or not the data it is passing to the Windows API calls that are causing the exploit would be considered reasonable or not.
I don't think I'd call this remote by sqlrob · 2011-12-21 08:35 · Score: 4, Insightful

Remote to me means "it's connected, you're vulnerable". This requires the user to take an action, getting some local data. From the description, you could have the same files on the file system and it would work.
Bad? Yeah. But not "plug it in, computer is pwned" bad.
Re:Headline.. Flaw in APPLE Safari for windows fou by Baloroth · 2011-12-21 08:35 · Score: 5, Interesting

The flaw seems to be in a call to a Windows API.

It is possible to trigger a memory error in the system file win32k.sys by accessing a crafted HTML file in Safari....According to webDEViL, the source of the vulnerability is the function NtGdiDrawStream.

So it is possible other programs could be affected. It is also possible that Safari itself handles the function in a broken manner. Note that Firefox appears to also have crashes related to that function (on x86 Windows, though, it's like the second Google result for that function). So, really impossible to say at this point. Also, they could only cause Windows to crash, not to run arbitrary code or anything. So far anyways.

--
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Re:Headline.. Flaw in APPLE Safari for windows fou by The+MAZZTer · 2011-12-21 08:37 · Score: 5, Informative

Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial of Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...
Re:Silly by ledow · 2011-12-21 09:02 · Score: 4, Insightful

Missing the point. Point is that userland code (and the example uses Safari but what should it matter *what* program activates it - it shouldn't be possible and can probably be easily activated by any sort of direct code) creates a BSOD in Windows.
That shouldn't happen - that's the whole point of an OS.
Obviously this proves that... by forkfail · 2011-12-21 09:04 · Score: 5, Funny

(check one)
[ ] Microsoft products are far less secure than Apple. Because everyone knows that Safari is completely safe always on Apple machines, and only fails on Windows.
[ ] Apple products are far less secure than Microsoft. Because obviously the hole in Microsoft security here is introduced through an Apple product, and really doesn't occur otherwise.
[ ] If people were just running Linux, they wouldn't be having these problems.
[ ] This is gonna be good. Ima gettin' my popcorn now!

--
Check your premises.
Windows Classic not affected? by Fred+Or+Alive · 2011-12-21 09:46 · Score: 5, Interesting

After a bit bit of playing "let's intentionally crash Windows", it seems that using the Windows Classic skin fixes the bug, and the page renders fine (if a little uninteresting, it's basically a long page with a box on it). It BSODs on Windows Basic and Aero. I haven't a clue if this is a real fix, or if it's just that the magic number needed to crash the system is different with Windows Classic compared with Basic / Aero. Windows XP (32 bit) is fine as well (again page renders fine, no crashes of anything).
I personally think it's largely a Windows bug, even if Safari has a bug (that oddly only does anything on one version of Windows, and even then only with certain conditions), a programme doing something stupid should not crash the entire OS.

--
10 PRINT "LOOK AROUND YOU "; 20 GOTO 10
Annoying lack of details by anonymov · 2011-12-21 10:07 · Score: 4, Informative

For now it's unclear how bad is this, as the only concrete detail is Secunia's link to "original advisory"
From digging around bug submitter's twitter:

@igursev @therealsaumil not really an integer overflow. Otherwise 18082564 would have also worked ;-)
4 hours ago
w3bd3vil webDEViL @
@igursev It probably is, but not theoretically. In simpler terms, I can't build an exploit for it.
12 hours ago
@kernelpool yeah I tried with some help to get code execution but was beyond me...
19 Dec
@r3dsm0k3 Yeah. It's the NtGdiDrawStream which is being called multiple times...leading to a not so interesting crash.
18 Dec
<iframe height='18082563'></iframe> causes a BSoD on win 7 x64 via Safari. Lol!
18 Dec
So a) there's a bug in win32k.sys, tickled by Safari's (allegedly) incorrect API usage, so there's possibility of other exploits, b) "may lead to arbitrary code execution" means "we don't know yet, but we're playing safe", the only confirmed effect is BSoD by memory corruption.
Why the fuck there's so little about it, did nobody research yet what kind of memory corruption it actually does? The tweet's from 4 days ago, FFS.