Slashdot Mirror


New Remote Flaw In 64-Bit Windows 7

Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."

13 of 284 comments

  1. So all 5 of you running Safari on Windows by elrous0 · · Score: 5, Funny

    Watch out!

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:So all 5 of you running Safari on Windows by SirBitBucket · · Score: 5, Insightful

      Sounds like it is an exploit of an issue with a Windows component, but it is currently only known to be exploitable through Safari. Kind of like you could hotwire a car (Windows) if you happen to have replaced your windows with Saran wrap (Safari), and can get right through them.

    2. Re:So all 5 of you running Safari on Windows by kvvbassboy · · Score: 5, Informative

      Quote from Secunia advisory:

      A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.

      Safari is apparently the only currently known browser where this attack could be vectored from.

    3. Re:So all 5 of you running Safari on Windows by MikeyO · · Score: 5, Insightful

      Perhaps both, definitely a bug in Win7. If something the unprivileged Safari process does crashes the kernel, we know there must be a bug in Win7.

    4. Re:So all 5 of you running Safari on Windows by OverlordQ · · Score: 5, Informative

      The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

      No matter what Safari does, it shouldn't cause a crash in win32k.sys, so I'd go with Windows error via Safari error since there's probably other vectors that can also cause a crash in the same place.

      --
      Your hair look like poop, Bob! - Wanker.
    5. Re:So all 5 of you running Safari on Windows by GIL_Dude · · Score: 5, Informative

      It would be more correct to say the vulnerability (flaw) is in the Windows kernel and the only currently known exploit is through the Safari browser. There are decent odds that some other vector will be found through which to exploit this. But for now it looks like the exploit through Safari uses a lack of correct input sanitization (in Safari) in order to exploit the Windows kernel vulnerability. It would probably be possible to craft an exe to do privilege elevation using this kernel flaw by passing similar bad parameters to the kernel - but of course local elevation of privilege is much less of a threat than a true drive-by like this exploit through Safari.

    6. Re:So all 5 of you running Safari on Windows by pclminion · · Score: 5, Informative

      Modern exploit techniques provide multiple ways around DEP. Obviously DEP is something that should always be used if the hardware supports it (and the lack of support in older processors can in some sense be considered a design flaw) but it's no panacea against exploits. For example see return-to-libc attacks and the return-oriented programming techniques which generalize it. Even then, those techniques are based on stack smashing attacks, which are not the only kind of attack possible.

    7. Re:So all 5 of you running Safari on Windows by Guy Harris · · Score: 5, Insightful

      The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

      So, they blame win32k.sys - but apparently the actual bug is that you can cause something resembling a buffer overflow by feeding Safari a ridiculously large bit of data as an iFrame.

      Could go either way.

      Should go both ways.

      Apple should fix the Safari bug so it doesn't mishandle IFRAMEs with "overly large" "height" attributes.

      Microsoft should fix the in-kernel graphics code so you can't use it to break into the system.

    8. Re:So all 5 of you running Safari on Windows by Anonymous Coward · · Score: 5, Informative

      DEP is regularly beaten. The key is called "return oriented programming" (http://en.wikipedia.org/wiki/Return-oriented_programming), essentially oldschool "return to libc" on speed. It's a lot of painful work, but that's what it takes these days.

  2. Re:Headline.. Flaw in APPLE Safari for windows fou by Baloroth · · Score: 5, Interesting

    The flaw seems to be in a call to a Windows API.

    It is possible to trigger a memory error in the system file win32k.sys by accessing a crafted HTML file in Safari....According to webDEViL, the source of the vulnerability is the function NtGdiDrawStream.

    So it is possible other programs could be affected. It is also possible that Safari itself handles the function in a broken manner. Note that Firefox appears to also have crashes related to that function (on x86 Windows, though, it's like the second Google result for that function). So, really impossible to say at this point. Also, they could only cause Windows to crash, not to run arbitrary code or anything. So far anyways.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  3. Re:Headline.. Flaw in APPLE Safari for windows fou by The MAZZTer · · Score: 5, Informative

    Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial for Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...
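
    The thread settles on the size of the IFRAME height as the trigger, but nobody on the page says what the kernel does with it. The C below is an added example, not code from Safari, win32k.sys or any poster in this thread, and it does not describe the real NtGdiDrawStream defect (the page does not either). It shows the generic class of bug an "overly large height" can hit: a pixel-buffer size computed in 32-bit arithmetic wraps, the allocation comes up short, and a row-by-row draw loop then writes past it. Beside it is the hardened form a kernel reviewer would expect. The function names, the 4-bytes-per-pixel surface, the test width of 1000 and the MAX_DIMENSION limit are all assumptions; only the height value 18082563 comes from the post above.

```c
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_PIXEL 4u       /* assumed 32bpp surface (hypothetical) */
#define MAX_DIMENSION   32767u   /* hypothetical sanity limit on width/height */

/* The height value posted in this thread as the Safari trigger. */
#define POSTED_HEIGHT   18082563u

/* Vulnerable pattern (hypothetical, not the real win32k code): the
 * buffer size is computed in 32-bit arithmetic with no overflow check,
 * so a huge height wraps the product and yields a too-small size. */
uint32_t unchecked_bitmap_size(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;   /* wraps modulo 2^32 */
}

/* How many full rows of `width` pixels a buffer of `size` bytes holds.
 * A draw routine that loops over `height` rows writes past the buffer
 * as soon as height exceeds this number. (width is assumed small
 * enough that width * BYTES_PER_PIXEL itself does not wrap.) */
uint32_t rows_that_fit(uint32_t size, uint32_t width)
{
    uint32_t row_bytes = width * BYTES_PER_PIXEL;
    return row_bytes ? size / row_bytes : 0;
}

/* Hardened version: reject absurd dimensions up front, then check each
 * multiplication for overflow before trusting the result. Returns 0 on
 * success (size in *out) and -1 if the request must be refused. The
 * clamp alone rules out the wrap at these limits; the explicit checks
 * keep the function safe if MAX_DIMENSION is ever raised. */
int checked_bitmap_size(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0 ||
        width > MAX_DIMENSION || height > MAX_DIMENSION)
        return -1;
    if (height > UINT32_MAX / width)            /* width*height would wrap */
        return -1;
    uint32_t pixels = width * height;
    if (pixels > UINT32_MAX / BYTES_PER_PIXEL)  /* *BYTES_PER_PIXEL would wrap */
        return -1;
    *out = pixels * BYTES_PER_PIXEL;
    return 0;
}

int main(void)
{
    uint32_t width   = 1000u;   /* constructed test width */
    uint32_t wrapped = unchecked_bitmap_size(width, POSTED_HEIGHT);
    uint64_t needed  = (uint64_t)width * POSTED_HEIGHT * BYTES_PER_PIXEL;
    uint32_t checked = 0;

    printf("requested : %u x %u pixels = %llu bytes\n",
           width, POSTED_HEIGHT, (unsigned long long)needed);
    printf("unchecked : allocates %u bytes, room for %u of %u rows\n",
           wrapped, rows_that_fit(wrapped, width), POSTED_HEIGHT);
    printf("checked   : %s\n",
           checked_bitmap_size(width, POSTED_HEIGHT, &checked) == 0
               ? "accepted" : "rejected before any allocation");
    return 0;
}
```

    With the posted height and a 1000-pixel width the honest size is about 72 GB; the unchecked computation wraps to about 3.6 GB, which holds roughly 900 thousand of the 18 million rows the loop would write. That gap between "bytes allocated" and "rows drawn" is what turns a large attribute into memory corruption, and why the fix belongs on the kernel side (validate before allocating) regardless of whether Safari also clamps the value.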

  4. Obviously this proves that... by forkfail · · Score: 5, Funny

    (check one)

    [ ] Microsoft products are far less secure than Apple. Because everyone knows that Safari is completely safe always on Apple machines, and only fails on Windows.

    [ ] Apple products are far less secure than Microsoft. Because obviously the hole in Microsoft security here is introduced through an Apple product, and really doesn't occur otherwise.

    [ ] If people were just running Linux, they wouldn't be having these problems.

    [ ] This is gonna be good. Ima gettin' my popcorn now!

    --
    Check your premises.
  5. Windows Classic not affected? by Fred Or Alive · · Score: 5, Interesting

    After a bit of playing "let's intentionally crash Windows", it seems that using the Windows Classic skin fixes the bug, and the page renders fine (if a little uninteresting, it's basically a long page with a box on it). It BSODs on Windows Basic and Aero. I haven't a clue if this is a real fix, or if it's just that the magic number needed to crash the system is different with Windows Classic compared with Basic / Aero. Windows XP (32 bit) is fine as well (again page renders fine, no crashes of anything).

    I personally think it's largely a Windows bug, even if Safari has a bug (that oddly only does anything on one version of Windows, and even then only with certain conditions), a programme doing something stupid should not crash the entire OS.

    --
    10 PRINT "LOOK AROUND YOU ";
    20 GOTO 10