Forgot your password?
typodupeerror
Microsoft Safari Security IT

New Remote Flaw In 64-Bit Windows 7 284

Posted by samzenpus
from the hole-in-the-wall dept.
Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."
This discussion has been archived. No new comments can be posted.

New Remote Flaw In 64-Bit Windows 7

Comments Filter:
  • by mrflash818 (226638) on Wednesday December 21, 2011 @03:29PM (#38452608) Homepage Journal

    20 December 2011, 13:21
    Highly critical zero day vulnerability in Windows discovered

    http://www.h-online.com/security/news/item/Highly-critical-zero-day-vulnerability-in-Windows-discovered-1398625.html [h-online.com]

  • TFA suggests it allows kernel privileges, so it is certainly a Windows exploit. But it may also be a Safari bug too, it depends whether or not the data it is passing to the Windows API calls that are causing the exploit would be considered reasonable or not.
  • by kvvbassboy (2010962) on Wednesday December 21, 2011 @03:34PM (#38452678)

    Quote from Secunia advisory:

    A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges

    Safari is apparently the only currently known browser where this attack could be vectored from.

  • Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial of Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...

  • by Anonymous Coward on Wednesday December 21, 2011 @03:38PM (#38452744)

    FTFA:

    "A vulnerability has been discovered in MicrosWindows 7oft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges," the Secunia advisory said.

    So it's a windows bug, and the first way to access it that's been found is through safari.

  • by OverlordQ (264228) on Wednesday December 21, 2011 @03:39PM (#38452752) Journal

    The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

    No matter what Safari does, it shouldn't cause a crash in win32k.sys, so I'd go with Windows error via Safari error since there's probably other vectors that can also cause a crash in the same place.

  • by tgd (2822) on Wednesday December 21, 2011 @03:48PM (#38452878)

    Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial of Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...

    And likely won't -- Win7 64-bit requires DEP, so you can't corrupt a data page and end up executing code unless there's a defect in the CPU *or* you have code in the kernel to change the page type. And if you have code already in the kernel, you don't really need an exploit.

    Its also not clear from the article if its corrupting kernel memory, or corrupting user memory. The driver crashing doesn't necessarily imply data in kernel space was corrupted, it just means the driver crashed for some reason.

  • by icebike (68054) * on Wednesday December 21, 2011 @03:51PM (#38452900)

    Safari is the only attack vector. This by definition is not a remote flaw as it requires you to do something to exploit a web browser, thus it is a 'local exploit'.

    The web page can be remote, and can presumably gain control. You, the user, need do nothing but click a link, and might possibly be unaware that anything had happened.

    Letting someone talk you into installing Safari also constitutes a Social Engineering exploit. So you might be right after all.

  • by Moryath (553296) on Wednesday December 21, 2011 @03:52PM (#38452920)

    Sounds like it is an exploit of an issue with a windows component, but it is currently only known to be exploitable through Safari.

    If it's something only exploitable through Safari, then it's probably a Safari bug! Let's take a look at the original security advisory:

    The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

    So, they blame win32k.sys - but apparently the actual bug is that you can cause something resembling a buffer overflow by feeding Safari a ridiculously large bit of data as an iFrame.

    Could go either way. Given that no other browser is currently deemed vulnerable, it sounds more like a Safari bug to me - just like the various PDF exploits were much more an Adobe than Microsoft responsibility.

  • by GIL_Dude (850471) on Wednesday December 21, 2011 @03:54PM (#38452954) Homepage
    It would be more correct to say the vulnerability (flaw) is in the windows kernel and the only currently known exploit is through the safari browser. There are decent odds that some other vector will be found through which to exploit this. But for now it looks like the exploit through safari uses a lack of correct input sanitization (in safari) in order to exploit the Windows kernel vulnerability. It would probably be possible to craft an exe to do privilege elevation using this kernel flaw by passing similar bad parameters to the kernel - but of course local elevation of privilege is much less of a threat than a true drive by like this exploit through safari.
  • by vux984 (928602) on Wednesday December 21, 2011 @03:56PM (#38452972)

    This is Microsoft buggy code causing issue, Safari problem is merely one way to cause rooting of machine, other softwares using this service will undoubtedly provide more cases.

    a) Yes, this is a bug in Windows. No question. Windows isn't validating the input, and should just reject it or throw an exeption or whatever. Crashing is not acceptable and represents a bug in windows.

    b) This is also a bug in safari. Safari is not validating its input either. Its just blindly passing a request to create an 18million pixel tall iframe down to the Windows API somewhere...

    c) Yes, other softwares will likely be found. But so far only safari is known to be in the unique position of using that API, passing it arbitrary remote content while failing to validate its input.

    A bit of malicious code that explicitly does use that API actually has to get onto the local system first. Local exploits are much less serious than remote ones.

    So yes, this is a windows bug. But it is also a safari bug. Both should be fixed.

  • by pclminion (145572) on Wednesday December 21, 2011 @04:03PM (#38453052)
    Modern exploit techniques provide multiple ways around DEP. Obviously DEP is something that should always be used if the hardware supports it (and the lack of support in older processors can in some sense be considered a design flaw) but it's no panacea against exploits. For example see return-to-libc attacks and the return-oriented programming techniques which generalize it. Even then, those techniques are based on stack smashing attacks, which are not the only kind of attack possible.
  • by Anonymous Coward on Wednesday December 21, 2011 @04:12PM (#38453158)

    DEP is regularly beaten. The key is called "return oriented programming" (http://en.wikipedia.org/wiki/Return-oriented_programming), essentially oldschool "return to libc" on speed. It's a lot of painful work, but that's what it takes these days.

  • by hairyfeet (841228) <.bassbeast1968. .at. .gmail.com.> on Wednesday December 21, 2011 @04:21PM (#38453250) Journal

    Well I'd be worried about Firefox as well, because the malware guys have figured out how to get around their XSS by using a hidden iFrame, which is why if you have any porn watching friends or relatives that use Yahoo Mail + FF you may have been getting spam from them lately. Don't know if it works on FF 9 and since I'm officially on vacation until the middle of next week I'm not gonna be loading a spare box with it and surfing porn vid sites to find out as I got a ton of games and a 6 core and intend to enjoy them! Just to be safe though be sure anybody you know with FF upgrades to the latest.

    Since we are on security allow me to say why I wouldn't consider either Safari OR Firefox a suitable browser for Widows 7: Lack of low rights mode. I bet the reason you aren't seeing this on IE nor on the Chromium based (Chrome, Chromium, Dragon, SWIron) is that they support the browser running in low rights mode and that is in fact their default behavior. Now considering that low rights mode has been around for nearly 5 years now there really is no excuse for a modern browser not to support it, especially when as we all know running with least permissions is just good security practice.

    So I would say if you are on Safari or Firefox or any other browser other than the Chromium based above look to see if your browser is running in low rights mode. If it is not switch browsers and be sure to drop the developers a line and tell them WHY you are switching away from their browser. It seems like doing the switch for the right reasons (increasing the user's security) will never happen so maybe if enough folks tell them "we won't use your browser because" then they will get off their asses and support this common sense feature.

  • by anonymov (1768712) on Wednesday December 21, 2011 @05:07PM (#38453856)

    For now it's unclear how bad is this, as the only concrete detail is Secunia's link to "original advisory" [twitter.com]

    From digging around bug submitter's twitter [twitter.com]:

    @igursev @therealsaumil not really an integer overflow. Otherwise 18082564 would have also worked ;-)
    4 hours ago

    w3bd3vil webDEViL @
    @igursev It probably is, but not theoretically. In simpler terms, I can't build an exploit for it.
    12 hours ago

    @kernelpool yeah I tried with some help to get code execution but was beyond me...
    19 Dec

    @r3dsm0k3 Yeah. It's the NtGdiDrawStream which is being called multiple times...leading to a not so interesting crash.
    18 Dec

    <iframe height='18082563'></iframe> causes a BSoD on win 7 x64 via Safari. Lol!
    18 Dec

    So a) there's a bug in win32k.sys, tickled by Safari's (allegedly) incorrect API usage, so there's possibility of other exploits, b) "may lead to arbitrary code execution" means "we don't know yet, but we're playing safe", the only confirmed effect is BSoD by memory corruption.

    Why the fuck there's so little about it, did nobody research yet what kind of memory corruption it actually does? The tweet's from 4 days ago, FFS.

  • by AC-x (735297) on Wednesday December 21, 2011 @06:31PM (#38454680)

    There are 2 exploits here, one is in Safari which allows someone to at least crash the machine, the other is in win32k.sys which allows a user space program to take over the kernel (privilege escalation bug)

    The win32k.sys bug is far more serious as it would give any program even run under a limited user account complete access to the system

  • It's been audited, multiple times. The problem is that it's both truly immense (hundreds of public entry points, to say nothing of its internal functions) and a mishmash of code dating back to the early days of NT (NT 4 at least, maybe the 3.x versions too) up through new code for Win8. I have no idea how many source files compile into it. I got a (legit and very nearly complete) copy of the Win2K source for a university project, and even in that version (now 4 releases old), Win32k.sys was a terrifying thing to behold.

    I once heard a Microsoft employee talking about the Stuxnet malware. He joked that it goet in through "this vulnerability called Win32k.sys - I mean, this vulnerability *in* win32k.sys..." They're quite aware of its problems. However, even when a bug is found, it's extremely difficult to fix it safely (I'm told that the average number of regressions during fixing a bug they find is greater than two, and each of those may cause more regressions when you try to fix them).

What the world *really* needs is a good Automatic Bicycle Sharpener.

Working...