New Remote Flaw In 64-Bit Windows 7
Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."
H-online also has the story. (Score:5, Informative)
http://www.h-online.com/security/news/item/Highly-critical-zero-day-vulnerability-in-Windows-discovered-1398625.html [h-online.com]
Re:Headline.. Flaw in APPLE Safari for windows fou (Score:5, Informative)
Re:So all 5 of you running Safari on Windows (Score:5, Informative)
Quote from Secunia advisory:
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges
Safari is apparently the only currently known browser where this attack could be vectored from.
Re:Headline.. Flaw in APPLE Safari for windows fou (Score:5, Informative)
Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial for Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...
Re:So all 5 of you running Safari on Windows (Score:2, Informative)
FTFA:
"A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges," the Secunia advisory said.
So it's a windows bug, and the first way to access it that's been found is through safari.
Re:So all 5 of you running Safari on Windows (Score:5, Informative)
No matter what Safari does, it shouldn't cause a crash in win32k.sys, so I'd go with Windows error via Safari error since there's probably other vectors that can also cause a crash in the same place.
Re:Headline.. Flaw in APPLE Safari for windows fou (Score:2, Informative)
Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial for Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...
And likely won't -- Win7 64-bit requires DEP, so you can't corrupt a data page and end up executing code unless there's a defect in the CPU *or* you have code in the kernel to change the page type. And if you have code already in the kernel, you don't really need an exploit.
It's also not clear from the article if it's corrupting kernel memory, or corrupting user memory. The driver crashing doesn't necessarily imply data in kernel space was corrupted, it just means the driver crashed for some reason.
Re:misleading headline (Score:4, Informative)
Safari is the only attack vector. This by definition is not a remote flaw as it requires you to do something to exploit a web browser, thus it is a 'local exploit'.
The web page can be remote, and can presumably gain control. You, the user, need do nothing but click a link, and might possibly be unaware that anything had happened.
Letting someone talk you into installing Safari also constitutes a Social Engineering exploit. So you might be right after all.
Re:So all 5 of you running Safari on Windows (Score:3, Informative)
Sounds like it is an exploit of an issue with a windows component, but it is currently only known to be exploitable through Safari.
If it's something only exploitable through Safari, then it's probably a Safari bug! Let's take a look at the original security advisory:
The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.
So, they blame win32k.sys - but apparently the actual bug is that you can cause something resembling a buffer overflow by feeding Safari a ridiculously large bit of data as an iFrame.
Could go either way. Given that no other browser is currently deemed vulnerable, it sounds more like a Safari bug to me - just like the various PDF exploits were much more an Adobe than Microsoft responsibility.
Re:Does anyone read anymore? (Score:4, Informative)
This is Microsoft buggy code causing issue, Safari problem is merely one way to cause rooting of machine, other software using this service will undoubtedly provide more cases.
a) Yes, this is a bug in Windows. No question. Windows isn't validating the input, and should just reject it or throw an exception or whatever. Crashing is not acceptable and represents a bug in Windows.
b) This is also a bug in Safari. Safari is not validating its input either. It's just blindly passing a request to create an 18 million pixel tall iframe down to the Windows API somewhere...
c) Yes, other software will likely be found. But so far only Safari is known to be in the unique position of using that API, passing it arbitrary remote content while failing to validate its input.
A bit of malicious code that explicitly does use that API actually has to get onto the local system first. Local exploits are much less serious than remote ones.
So yes, this is a windows bug. But it is also a safari bug. Both should be fixed.
Re:So all 5 of you running Safari on Windows (Score:5, Informative)
DEP is regularly beaten. The key is called "return oriented programming" (http://en.wikipedia.org/wiki/Return-oriented_programming), essentially oldschool "return to libc" on speed. It's a lot of painful work, but that's what it takes these days.
Annoying lack of details (Score:5, Informative)
For now it's unclear how bad is this, as the only concrete detail is Secunia's link to "original advisory" [twitter.com]
From digging around bug submitter's twitter [twitter.com]:
@igursev @therealsaumil not really an integer overflow. Otherwise 18082564 would have also worked ;-)
4 hours ago
@igursev It probably is, but not theoretically. In simpler terms, I can't build an exploit for it.
12 hours ago
@kernelpool yeah I tried with some help to get code execution but was beyond me...
19 Dec
@r3dsm0k3 Yeah. It's the NtGdiDrawStream which is being called multiple times...leading to a not so interesting crash.
18 Dec
<iframe height='18082563'></iframe> causes a BSoD on win 7 x64 via Safari. Lol!
18 Dec
So a) there's a bug in win32k.sys, tickled by Safari's (allegedly) incorrect API usage, so there's possibility of other exploits, b) "may lead to arbitrary code execution" means "we don't know yet, but we're playing safe", the only confirmed effect is BSoD by memory corruption.
Why the fuck there's so little about it, did nobody research yet what kind of memory corruption it actually does? The tweet's from 4 days ago, FFS.
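The two validation points argued earlier in the thread (the application should refuse an absurd iframe height before it reaches any lower API, and the lower API should refuse it again rather than crash) and the triage reasoning in the tweet above (a crash at height 18082563 that does not recur at 18082564 argues against a plain integer overflow), as an added example in C. This is not code from the original thread, from w3bd3vil, or from any Apple or Microsoft component, and it does not model the real win32k.sys bug. The function names, the per-axis and allocation caps, and the 1024-pixel width are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limits for this illustration; not Safari's or win32k's real limits. */
#define MAX_FRAME_DIM     32768u                  /* per-axis cap enforced by the application */
#define BYTES_PER_PIXEL   4u
#define MAX_SURFACE_BYTES (256u * 1024u * 1024u)  /* allocation cap enforced by the lower layer */

enum frame_result { FRAME_OK = 0, FRAME_BAD_ATTR, FRAME_REJECT_APP, FRAME_REJECT_API };

/* Parse a decimal height attribute such as the '18082563' quoted in the thread.
 * Empty, signed, non-numeric and out-of-int-range input is rejected outright
 * instead of being allowed to wrap during conversion. */
static bool parse_height_attr(const char *s, int *out)
{
    if (s == NULL || *s == '\0')
        return false;
    long long v = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return false;
        v = v * 10 + (*p - '0');
        if (v > INT_MAX)
            return false;
    }
    *out = (int)v;
    return true;
}

/* Layer 1: the application (the browser, in the thread's case) refuses to pass
 * absurd dimensions down at all. */
static bool app_validate_dims(int width, int height)
{
    return width > 0 && height > 0 &&
           (unsigned)width <= MAX_FRAME_DIM && (unsigned)height <= MAX_FRAME_DIM;
}

/* Layer 2: the lower layer (standing in for a drawing API) does not trust its
 * caller. Backing-store size is computed with overflow-checked arithmetic and
 * an independent allocation cap; any failure is an error return, not a crash. */
static bool api_surface_bytes(int width, int height, size_t *bytes)
{
    if (width <= 0 || height <= 0)
        return false;
    size_t w = (size_t)width, h = (size_t)height;
    if (h > SIZE_MAX / w)
        return false;                     /* w*h would wrap */
    size_t px = w * h;
    if (px > SIZE_MAX / BYTES_PER_PIXEL)
        return false;                     /* px*bpp would wrap */
    size_t total = px * BYTES_PER_PIXEL;
    if (total > MAX_SURFACE_BYTES)
        return false;                     /* representable, but too large to honour */
    *bytes = total;
    return true;
}

/* A correctly layered application: both checks run. */
static enum frame_result create_iframe(const char *height_attr, int width, size_t *bytes)
{
    int height;
    if (!parse_height_attr(height_attr, &height))
        return FRAME_BAD_ATTR;
    if (!app_validate_dims(width, height))
        return FRAME_REJECT_APP;
    if (!api_surface_bytes(width, height, bytes))
        return FRAME_REJECT_API;
    return FRAME_OK;
}

/* An application that skips its own check (the Safari-side bug the thread
 * describes): the lower layer must still catch whatever it is handed. */
static enum frame_result create_iframe_unvalidated(const char *height_attr, int width, size_t *bytes)
{
    int height;
    if (!parse_height_attr(height_attr, &height))
        return FRAME_BAD_ATTR;
    if (!api_surface_bytes(width, height, bytes))
        return FRAME_REJECT_API;
    return FRAME_OK;
}

/* Bytes the layered path would allocate, or 0 when it rejects the request. */
static size_t layered_bytes(const char *height_attr, int width)
{
    size_t b = 0;
    return create_iframe(height_attr, width, &b) == FRAME_OK ? b : 0;
}

/* What a naive 32-bit size computation does, shown only for the triage point in
 * the tweet: a plain wraparound affects a whole run of heights (18082563 and
 * 18082564 wrap to values just 4096 bytes apart), so a crash that appears at one
 * height and not at its neighbour points at something other than this overflow. */
static uint32_t naive_surface_bytes32(int width, int height)
{
    uint32_t w = (uint32_t)width, h = (uint32_t)height;
    return w * h * (uint32_t)BYTES_PER_PIXEL;   /* wraps silently */
}

int main(void)
{
    /* Constructed inputs: the value from the thread, its neighbour, and two malformed attributes. */
    const char *attrs[] = { "300", "18082563", "18082564", "-1", "99999999999" };
    for (size_t i = 0; i < sizeof attrs / sizeof attrs[0]; i++) {
        size_t unused = 0;
        printf("height=%-12s layered=%d unvalidated=%d bytes=%zu naive32=%u\n", attrs[i],
               create_iframe(attrs[i], 1024, &unused),
               create_iframe_unvalidated(attrs[i], 1024, &unused),
               layered_bytes(attrs[i], 1024),
               naive_surface_bytes32(1024, 18082563 + (int)i));
    }
    return 0;
}
```

The two-layer shape is the point: with the application's check removed, the 18082563 request still fails cleanly at the lower layer instead of reaching an allocation or a draw with a size nobody verified. The naive 32-bit helper is deliberately wrong code, kept only to show why a crash that is sensitive to one specific height is weak evidence for a simple integer overflow.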
Re:So all 5 of you running Safari on Windows (Score:4, Informative)
There are 2 exploits here, one is in Safari which allows someone to at least crash the machine, the other is in win32k.sys which allows a user space program to take over the kernel (privilege escalation bug)
The win32k.sys bug is far more serious as it would give any program even run under a limited user account complete access to the system
Re:So all 5 of you running Safari on Windows (Score:4, Informative)
It's been audited, multiple times. The problem is that it's both truly immense (hundreds of public entry points, to say nothing of its internal functions) and a mishmash of code dating back to the early days of NT (NT 4 at least, maybe the 3.x versions too) up through new code for Win8. I have no idea how many source files compile into it. I got a (legit and very nearly complete) copy of the Win2K source for a university project, and even in that version (now 4 releases old), Win32k.sys was a terrifying thing to behold.
I once heard a Microsoft employee talking about the Stuxnet malware. He joked that it got in through "this vulnerability called Win32k.sys - I mean, this vulnerability *in* win32k.sys..." They're quite aware of its problems. However, even when a bug is found, it's extremely difficult to fix it safely (I'm told that the average number of regressions during fixing a bug they find is greater than two, and each of those may cause more regressions when you try to fix them).