Researchers Warn of New Windows 7 Vulnerability

Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia.

In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim’s machine.

“A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user’s system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large ‘height’ attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges,” the Secunia advisory said.
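As an added example (not code from the article, Secunia or Microsoft), a gateway-side HTML check that flags IFRAME elements declaring an overly large height, the trigger shape the advisory describes; the threshold, function names and sample HTML are assumptions.

```python
# Added example: content-inspection check for <iframe> elements whose declared
# height is far beyond anything a normal page needs. Threshold is an assumption.
import re
from html.parser import HTMLParser

MAX_IFRAME_HEIGHT_PX = 32767   # assumed sanity limit; no real page needs more
_ATTR_PX = re.compile(r"\s*(\d+)\s*(?:px)?\s*$", re.IGNORECASE)
_STYLE_PX = re.compile(r"height\s*:\s*(\d+)\s*(?:px)?", re.IGNORECASE)


def _declared_height_px(attrs):
    """Pixel height from the height attribute or inline style, else None."""
    attrs = dict(attrs)
    m = _ATTR_PX.match(attrs.get("height") or "")
    if not m:
        m = _STYLE_PX.search(attrs.get("style") or "")
    return int(m.group(1)) if m else None


class _IframeScanner(HTMLParser):
    def __init__(self, max_px):
        super().__init__()
        self.max_px = max_px
        self.findings = []   # (line number, declared height)

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            h = _declared_height_px(attrs)
            if h is not None and h > self.max_px:
                self.findings.append((self.getpos()[0], h))


def find_oversized_iframes(html, max_px=MAX_IFRAME_HEIGHT_PX):
    """Return [(line, height)] for every <iframe> taller than max_px."""
    scanner = _IframeScanner(max_px)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal frame, then two with absurd heights.
SAMPLE_HTML = """<html><body>
<iframe src="a.html" height="300"></iframe>
<iframe src="b.html" height="100000000"></iframe>
<iframe src="c.html" style="width:100px; height: 99999999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, height in find_oversized_iframes(SAMPLE_HTML):
        print(f"line {line}: iframe height {height} > {MAX_IFRAME_HEIGHT_PX}")
```

Percentages and other non-pixel heights are deliberately ignored, so the check only fires on an explicit pixel value above the limit.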

Microsoft officials have not confirmed the vulnerability, but said that they’re looking into it.

“We are currently examining the issue and will take appropriate action to help ensure the customers are protected,” said Jerry Bryant, group manager of response communications in Microsoft’s Trustworthy Computing Group.

The only known attack vector for this vulnerability right now is the Safari browser running on Windows 7, which is not the most common combination. Depending upon which metrics one uses, Safari has somewhere in the neighborhood of nine to 11 percent market share. It’s not clear how many of those Safari users are running Windows, but it’s likely that the vast majority of them are running Mac OS X.

However, as more information becomes available, it may turn out that other browsers can also be used as attack vectors for this vulnerability.

Discussion

  • fatbuckel on

    Safari on W7? Why?

  • Anonymous on

    Why? Probably because it's a default optional install with iTunes.

  • Anonymous on

    Probably because it comes as an optional install with iTunes (pre-ticked IIRC).

  • Anonymous on

    In that case, "Itunes on W7?  Why?"

  • Anonymous on

    is this really a windows flaw? or a Safari flaw?

  • frogola on

    win32k.sys is a Windows system file, not a Safari file.  So the vulnerability is rooted in Windows, Safari is just the interface.

  • Anonymous on

    Maybe because W8 has not been officially released yet?

  • Anonymous on

    From the last line of the second paragraph: "The exploit gives the attacker the ability to run arbitrary code on the victim's machine."

    From the last line of the third paragraph: "Successful exploitation may allow execution of arbitrary code with kernel-mode privileges,"

    So which is it? DOES it allow arbitrary code execution, or MIGHT it? If nobody's done it yet, the first statement (and thus the paragraph, headline and most of the hoopla) is nothing more than fear-mongering bullsh*t...

  • Anonymous on

    I think this means to imply safari is what the hole was discovered through but there might be or are other ways to exploit this problem.  Perhaps safari is the only known instance by the publisher where this bug can be triggered remotely?

  • Anonymous on

    "You can still run code in user-mode, it just isn't as powerful as kernel-mode." That's bullshit....

  • Anonymous on

    thanks for this info.......

  • Anonymous on

    From what it sounds like, there is a buffer overflow condition which was found with win32k.sys. This would mean not only browsers, but any application using win32k.sys could probably be manipulated to repeat the condition which would likely give a user root access to the system.

    If that is the case, then it stands to reason this would be a Windows issue and not Safari. To an extent that can be argued, but not far beyond if Apple knew this exploit existed, they could conduct a check on the iFrame to prevent the condition. But that would seem counterproductive depending on the length of data in the iFrame.
