Malformed IFrame Exploit Found In Windows 7 x64 When using Safari

A new zero-day flaw has been found in Microsoft’s Windows 7 OS, but it only applies to a very limited set of circumstances. In this case the system in question needs to be running the 64-bit version of the OS and have Apple’s Safari browser installed. This combination is probably fairly common, as Apple pushes Safari at you with any download of iTunes or QuickTime.

The proof-of-concept code for this exploit (which ended up getting leaked) shows how a simple IFrame with an abnormally large height attribute causes a page fault in the kernel and triggers a BSOD (Blue Screen of Death). The flaw has been tracked to an issue with the win32k.sys file (which is only in the 64-bit version of the OS).

Microsoft has acknowledged the issue and is working to track down and fix the exact problem. Looking in from the outside, it appears that at least some of the code in Safari is running in kernel mode rather than user mode. This could be (and this is a guess based on the symptoms of the crash) due to the QuickTime plug-in that Safari uses and its HDCP feature. If Safari is elevating permissions or attempting to run this through the browser in kernel mode, this could be where the exploit lies.

For now the only way to avoid this is to not use Safari, or to wait for Microsoft (or Apple) to come out with a fix for the flaw in the win32k.sys file.
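Until a patch is available, a gateway or proxy can at least flag pages whose IFrame dimensions are far outside anything a real layout needs, which is the trigger characteristic described above. The following auditor is an added example and is not the leaked proof of concept, nor code from Microsoft or Apple; the 32767 threshold and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
import re

# Assumed heuristic threshold, not a value from the article: no legitimate
# layout declares an IFrame taller or wider than this many pixels.
MAX_SANE_PX = 32767

# Numeric HTML length attribute, with optional px or % suffix.
_ATTR_LEN = re.compile(r'^\s*(\d+(?:\.\d+)?)\s*(px|%)?\s*$', re.I)
# height:/width: declarations inside an inline style attribute.
_STYLE_LEN = re.compile(r'(height|width)\s*:\s*(\d+(?:\.\d+)?)\s*(px)?', re.I)


def parse_length(value):
    """Return the numeric part of an HTML length attribute, or None if it is not numeric (e.g. 'auto')."""
    m = _ATTR_LEN.match(value or "")
    return float(m.group(1)) if m else None


class IFrameSizeAuditor(HTMLParser):
    """Collects IFrame height/width values that exceed the configured limit."""

    def __init__(self, limit=MAX_SANE_PX):
        super().__init__()
        self.limit = limit
        self.findings = []  # list of dicts: {"attr": ..., "value": ..., "pixels": ...}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            name = name.lower()
            if name in ("height", "width"):
                n = parse_length(value)
                if n is not None and n > self.limit:
                    self.findings.append({"attr": name, "value": value, "pixels": n})
            elif name == "style" and value:
                # Inline CSS can set the same dimensions, so check it too.
                for prop, num, _unit in _STYLE_LEN.findall(value):
                    n = float(num)
                    if n > self.limit:
                        self.findings.append({"attr": "style:" + prop.lower(), "value": value, "pixels": n})


def audit_html(html, limit=MAX_SANE_PX):
    """Parse an HTML document and return every oversized IFrame dimension found."""
    auditor = IFrameSizeAuditor(limit)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample documents (not captured from any real site).
SAMPLE_BENIGN = (
    '<html><body><iframe src="https://example.invalid/a" width="600" height="400"></iframe>'
    '<iframe src="https://example.invalid/b" height="100%"></iframe></body></html>'
)
SAMPLE_SUSPECT = (
    '<iframe src="https://example.invalid/c" height="999999999"></iframe>'
    '<iframe src="https://example.invalid/d" style="height: 123456789px; border: 0"></iframe>'
)

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        hits = audit_html(doc)
        print(f"{label}: {len(hits)} oversized IFrame dimension(s)")
        for h in hits:
            print(f"  {h['attr']} = {h['value']!r} ({h['pixels']:.0f} px)")
```

The check is deliberately coarse: it treats both the attribute form and the inline-style form of an oversized dimension as a finding, and it ignores percentages, which cannot grow beyond the viewport. It will not catch sizes set later by script, so it belongs alongside, not instead of, the workarounds above.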
