New Remote Flaw In 64-Bit Windows 7
Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."
Re:So all 5 of you running Safari on Windows (Score:2, Interesting)
An iframe is interpreted by the Safari browser, which obviously has trust (it's an .exe), so it's a Safari vulnerability; the article is mislabeled, or the author never took sec 101.
Also, 5 users is very generous; I have yet to see one, and I've seen my share. Most web developers make their salt without ever having to test on this browser, for example.
Re:Headline.. Flaw in APPLE Safari for windows fou (Score:5, Interesting)
The flaw seems to be in a call to a Windows API.
It is possible to trigger a memory error in the system file win32k.sys by accessing a crafted HTML file in Safari....According to webDEViL, the source of the vulnerability is the function NtGdiDrawStream.
So it is possible other programs could be affected. It is also possible that Safari itself handles the function in a broken manner. Note that Firefox appears to also have crashes related to that function (on x86 Windows, though, it's like the second Google result for that function). So, really impossible to say at this point. Also, they could only cause Windows to crash, not to run arbitrary code or anything. So far anyways.
Re:So all 5 of you running Safari on Windows (Score:5, Interesting)
64-bit Windows requires no-execute on data pages (DEP), so there's no route by which you can cause data corruption and end up with executable code unless you have code running in the kernel to change the flags on the pages in memory.
If this is a theoretical exploit, the authors of it may not be that familiar with 64-bit Windows 7, or are running on a developer machine they explicitly disabled DEP.
Re:Headline.. Flaw in APPLE Safari for windows fou (Score:4, Interesting)
The only confirmed anything I've seen is that someone can BSOD the computer. Which, while a bug, is not Remote Code Execution, just a Denial of Service attack.
Since this problem only exists in Safari, Chrome/IE/Firefox must be sanitizing those inputs to prevent that from reaching the Windows kernel.
Furthermore, since this is an x64-only bug, my guess is this issue was patched in 32-bit but for some reason WOW64 isn't seeing it or catching it.
Re:So all 5 of you running Safari on Windows (Score:2, Interesting)
Well, there may be some Safari bug that allows an oversize iframe to be interpreted as a script and executed, giving the place where the code can run, followed by some unrelated local privilege escalation bug in Win7 for it to take advantage of.
Heck, security advisories come in "tweets" now? We're supposed to guess the problem from the first 140 characters of explanation, I suppose.
Re:Does anyone read anymore? (Score:3, Interesting)
So yes, this is a windows bug. But it is also a safari bug. Both should be fixed.
So how does Safari know whether Windows can support an 18 million pixel high window without requesting one? If it's a valid value for the request, then an application should be able to assume that the OS will either fulfil the request or return an error, not execute arbitrary code.
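The two comments above ("Chrome/IE/Firefox are sanitizing those inputs" and "the OS will either fulfil the request or return an error") describe the same boundary from both sides: untrusted dimensions from a web page end up as arguments to a size computation inside win32k.sys. The page does not say what the real NtGdiDrawStream defect is, so the block below is an added illustration, not Microsoft's or Apple's code: it shows the general shape of an "overly large height" bug (a 32-bit width*height*bpp product that wraps and allocates a buffer smaller than the draw loop will touch) next to the hardened version a kernel-side API should use, with range checks, 64-bit overflow checks and an allocation cap. The limits MAX_DIMENSION and MAX_SURFACE_BYTES, the enum names and the 18-million-pixel height from the comment above are all assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* All limits here are assumptions for this illustration; the real win32k.sys
 * validation, and the exact size that triggers the reported crash, are not
 * on the page. */
#define MAX_DIMENSION      ((uint32_t)INT32_MAX)  /* assumed per-axis cap (signed 32-bit coordinates) */
#define MAX_SURFACE_BYTES  (256u * 1024u * 1024u) /* assumed allocation cap: 256 MiB */

enum draw_status {
    DRAW_OK = 0,
    DRAW_ERR_RANGE,      /* a dimension or bpp is zero or above its cap */
    DRAW_ERR_OVERFLOW,   /* width*height*bpp does not fit in 64 bits */
    DRAW_ERR_TOO_LARGE   /* fits, but exceeds what we are willing to allocate */
};

/* The shape of the bug: untrusted dimensions multiplied in 32-bit arithmetic.
 * The product wraps modulo 2^32, a too-small buffer is allocated, and a later
 * draw loop that iterates over the real height writes past its end. There is
 * no error path at all, which is what the "fulfil or return an error" comment
 * is complaining about. */
uint32_t surface_bytes_naive(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* unsigned wrap, silently wrong for big inputs */
}

/* Hardened version: reject out-of-range dimensions first, do the size math in
 * 64 bits with an explicit overflow check, and cap the result before any
 * allocation happens. The caller always gets a status, never a wrapped size. */
enum draw_status surface_bytes_checked(uint32_t width, uint32_t height,
                                       uint32_t bpp, size_t *out_bytes)
{
    *out_bytes = 0;
    if (width == 0 || height == 0 || width > MAX_DIMENSION || height > MAX_DIMENSION)
        return DRAW_ERR_RANGE;
    if (bpp == 0 || bpp > 16)                       /* assumed: at most 128-bit pixels */
        return DRAW_ERR_RANGE;

    uint64_t stride = (uint64_t)width * bpp;        /* <= 2^31 * 16 = 2^35, cannot overflow */
    if (stride > UINT64_MAX / height)               /* stride * height would overflow u64 */
        return DRAW_ERR_OVERFLOW;
    uint64_t total = stride * height;
    if (total > MAX_SURFACE_BYTES)                  /* valid number, but not a request we honour */
        return DRAW_ERR_TOO_LARGE;

    *out_bytes = (size_t)total;
    return DRAW_OK;
}

int main(void)
{
    /* Constructed inputs: a normal 1024x768 32bpp surface and the 18-million-pixel
     * height mentioned in the thread, both at 1024 pixels wide. */
    const uint32_t cases[][3] = {
        { 1024u, 768u, 4u },
        { 1024u, 18000000u, 4u },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t bytes = 0;
        enum draw_status st = surface_bytes_checked(cases[i][0], cases[i][1], cases[i][2], &bytes);
        printf("%ux%u @ %u bpp: naive=%u bytes, checked status=%d bytes=%zu\n",
               cases[i][0], cases[i][1], cases[i][2],
               surface_bytes_naive(cases[i][0], cases[i][1], cases[i][2]), (int)st, bytes);
    }
    return 0;
}
```

For the 18-million-pixel case the naive product wraps to about 680 MiB, a size that a kernel allocator would happily hand back, while the checked version returns DRAW_ERR_TOO_LARGE and zero bytes. A browser can apply the same clamp before calling into the OS, but only the kernel-side check stops other callers from reaching the same path, which is the point made in the thread about this being a Windows bug even if Safari also has one.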
Windows Classic not affected? (Score:5, Interesting)
After a bit of playing "let's intentionally crash Windows", it seems that using the Windows Classic skin fixes the bug, and the page renders fine (if a little uninteresting; it's basically a long page with a box on it). It BSODs on Windows Basic and Aero. I haven't a clue if this is a real fix, or if it's just that the magic number needed to crash the system is different with Windows Classic compared with Basic / Aero. Windows XP (32-bit) is fine as well (again, the page renders fine, no crashes of anything).
I personally think it's largely a Windows bug, even if Safari has a bug (that oddly only does anything on one version of Windows, and even then only with certain conditions), a programme doing something stupid should not crash the entire OS.
Re:So all 5 of you running Safari on Windows (Score:4, Interesting)
Microsoft should fix the in-kernel graphics code so you can't use it to break into the system.
As a game developer, I need graphics code to be low level, fast, and insecure. There are times I just need it to be a rocketship without handrails.
If there is a way to secure it without sacrificing speed, that's great! But doing a great deal of error checking on that level? Leave me some insecure route to blitting billions of bits to the screen without guardrails please.