Wednesday, 21 December 2011 07:05

Malformed IFrame Exploit Found In Windows 7 x64 When using Safari

Written by

Reading time is around minutes.

84A new Zero-Day flaw has been found in Microsoft’s Windows 7 OS, but it only applies to a very limited set of circumstances. In this case the system in question needs to be running the 64-bit version of the OS and have Apple’s Safari Browser installed. This combination is probably fairly common as Apple pushes Safari at you with any download of iTunes or QuickTime.

The Proof of Concept code for this exploit (which ended up getting leaked) shows how a simple IFrame, with an abnormally large height attribute, causes a page fault in the kernel and triggers a BSOD (Blue Screen of Death). The flaw has been tracked to an issue with the win32k.sys file (which is only in the 64-bit version of the OS).

Microsoft has acknowledged the issue and is working to track down and fix the exact problem. Looking in from the outside it appears that at least some of the code in Safari is running in Kernel mode and not Usermode. This could be (and this is a guess based on the symptoms of the crash) due to the QuickTime plug-in that Safari uses and its HDCP feature. If Safari is elevating permissions or attempting to run this through the browser in Kernel Mode this could be where the exploit lies.

For now the only way to avoid this is to not use Safari, or to wait on Microsoft (or Apple) to come out with a fix for the flaw in the Win32k.sys file.

Discuss in our Forum

Read 4828 times Last modified on Wednesday, 21 December 2011 07:14

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.