New Vulnerability in Windows 7 64 bit

Published: 2011-12-21
Last Updated: 2011-12-21 01:11:12 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

A person known by the alias of "w3bd3vil" on twitter released an HTML snippet that will cause the 64 bit version of Windows 7 to blue screen if viewed under Safari. The underlying vulnerability is however not a flaw in Safari but rather a flaw in the Windows kernel mode device driver, win32k.sys.

The proof of concept code by w3bd3vil only triggers a system crash. However, the system crash is the result of memory corruption and there is a possibility that this flaw could be used to execute arbitrary code. In order to accomplish this, the attacker would also need to work around the Windows 7 protection like DEP and ASLR. How to bypass these protections has been shown for other exploits. 

A successful code execution would be very serious in this case. Win32k.sys, as kernel mode code, runs with system privileges and an attacker would obtain full access, exceeding the privileges of the user triggering the code.

Quick summary: Watch out for more on this over the next days. This could evolve either into a local privilege escalation issue or a remote code execution as admin problem. In particular if triggered by more popular browsers (Internet Explorer, Firefox, Chrome).

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

3 comment(s)


Does anyone actually run Safari on Windows :D :D
@James Safari is often included in the download for iTunes (at least in the past). It is probably on a lot more computers than you might expect.
The basis of this seems to have been known about for a while (2005):

Diary Archives