Wednesday, 21 December 2011 07:05
Malformed IFrame Exploit Found In Windows 7 x64 When using Safari
Written by Sean Kalinich
A new zero-day flaw has been found in Microsoft's Windows 7 OS, but it only applies to a very limited set of circumstances. The system in question needs to be running the 64-bit version of the OS and have Apple's Safari browser installed. This combination is probably fairly common, as Apple pushes Safari at you with any download of iTunes or QuickTime.
The proof-of-concept code for this exploit (which ended up getting leaked) shows how a simple IFrame with an abnormally large height attribute causes a page fault in the kernel and triggers a BSOD (Blue Screen of Death). The flaw has been tracked to an issue with the win32k.sys file (which is only in the 64-bit version of the OS).
Microsoft has acknowledged the issue and is working to track down and fix the exact problem. Looking in from the outside, it appears that at least some of the code in Safari is running in kernel mode rather than user mode. This could be (and this is a guess based on the symptoms of the crash) due to the QuickTime plug-in that Safari uses and its HDCP feature. If Safari is elevating permissions or attempting to run this through the browser in kernel mode, this could be where the exploit lies.
For now the only way to avoid this is to not use Safari, or to wait on Microsoft (or Apple) to come out with a fix for the flaw in the Win32k.sys file.
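The article describes the trigger as an IFrame with an abnormally large height attribute. A content filter or proxy can flag such markup before it reaches a browser, which is a useful interim mitigation while a patch is pending. The following is an added example written for this page, not code from the article or from Microsoft or Apple; the size threshold, the sample HTML and the function names are assumptions made for the illustration, and the heuristic checks both the height attribute and an inline style height (a generalisation of the attribute-only case the article mentions).

```python
import re
from html.parser import HTMLParser

# Assumed threshold: legitimate frames rarely exceed a few thousand CSS pixels.
MAX_REASONABLE_HEIGHT = 20000

# Accepts plain or decimal pixel lengths, with an optional exponent and "px" unit.
# Percentages and other units deliberately do not match and are ignored.
_LENGTH = re.compile(r"^\s*([0-9]+(?:\.[0-9]+)?(?:e\+?[0-9]+)?)\s*(px)?\s*$", re.I)


def _parse_length(value):
    """Return the numeric pixel value of a length, or None if not a pixel length."""
    m = _LENGTH.match(value)
    return float(m.group(1)) if m else None


def _style_height(style):
    """Extract a pixel 'height:' declaration from an inline style string."""
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            if prop.strip().lower() == "height":
                return _parse_length(val)
    return None


class IframeHeightAuditor(HTMLParser):
    """Collects <iframe> elements whose declared height exceeds the threshold."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attrs = {name.lower(): (value or "") for name, value in attrs}
        height = _parse_length(attrs.get("height", ""))
        if height is None:
            height = _style_height(attrs.get("style", ""))
        if height is not None and height > MAX_REASONABLE_HEIGHT:
            self.findings.append({
                "line": self.getpos()[0],
                "height": height,
                "src": attrs.get("src", ""),
            })


def audit_html(markup):
    """Return a list of findings (line, height, src) for oversized iframes."""
    parser = IframeHeightAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample page: two benign frames and two with absurd heights.
SAMPLE_PAGE = """<html><body>
<iframe src="https://example.com/video" height="480" width="640"></iframe>
<iframe src="https://example.com/bad" height="999999999999" width="1"></iframe>
<iframe src="https://example.com/bad2" style="width:1px; height:1e12px"></iframe>
<iframe src="https://example.com/ok" height="100%"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print("line %(line)d: iframe %(src)s declares height %(height)g" % finding)
```

Run against the constructed sample, the auditor reports the two frames on lines 3 and 4 and leaves the 480px and percentage-height frames alone. The threshold is a heuristic rather than a known boundary of the crash; its purpose is to surface markup that has no legitimate reason to exist so that it can be logged or blocked.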