
SANS ISC: New Vulnerability in Windows 7 64 bit - Internet Security | DShield SANS ISC InfoSec Forums


New Vulnerability in Windows 7 64 bit

A person known by the alias "w3bd3vil" on Twitter released an HTML snippet that will cause the 64-bit version of Windows 7 to blue screen when it is viewed in Safari. The underlying vulnerability, however, is not a flaw in Safari but a flaw in the Windows kernel-mode device driver win32k.sys; Safari is only the delivery path that happens to reach it.

The proof-of-concept code by w3bd3vil only triggers a system crash. However, the crash is the result of memory corruption, so there is a possibility that this flaw could be used to execute arbitrary code. To accomplish that, the attacker would also need to work around Windows 7 protections such as DEP and ASLR; how to bypass these protections has been shown for other exploits.

Successful code execution would be very serious in this case. Win32k.sys, as kernel-mode code, runs with system privileges, so an attacker would obtain full control of the machine, exceeding the privileges of the user who triggered the code. Running the browser as a low-privileged user does not reduce the impact here, because the memory corruption happens in the kernel, not in the browser process.

Quick summary: Watch out for more on this over the next few days. This could evolve either into a local privilege escalation issue or into remote code execution with system privileges, in particular if the flaw can also be triggered from more popular browsers (Internet Explorer, Firefox, Chrome).

https://secunia.com/advisories/47237/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Johannes

3563 Posts
ISC Handler
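A quick triage check that a Windows administrator reading this diary might want, added here as an example and not code from the ISC diary or from w3bd3vil's proof of concept. It flags hosts that match the affected combination the diary describes (64-bit Windows 7 with Safari installed) by reading the OS version and architecture from WMI and looking for a Safari entry in the Uninstall registry keys. The assumptions, not stated on the page, are that Safari for Windows registers a normal Uninstall entry whose DisplayName starts with "Safari", and that on 64-bit Windows the 32-bit build lands under Wow6432Node. It is written for PowerShell 2.0, which is what Windows 7 ships with.

```powershell
# Added triage example (not from the ISC diary): report whether this host is
# 64-bit Windows 7 with Safari installed, i.e. the combination the diary's
# proof of concept is known to crash.
#
# Assumptions (not stated in the diary): Safari registers a standard Uninstall
# key whose DisplayName starts with "Safari"; a 32-bit Safari build on 64-bit
# Windows is registered under the Wow6432Node hive.

$os = Get-WmiObject -Class Win32_OperatingSystem

# Windows 7 reports NT version 6.1; ProductType 1 distinguishes the workstation
# SKU from Server 2008 R2, which shares the same version number.
$isWin7x64 = ($os.Version -like '6.1.*') -and
             ($os.ProductType -eq 1) -and
             ($os.OSArchitecture -eq '64-bit')

# Both the native and the WOW64 Uninstall keys, since Safari may be registered
# in either depending on its bitness.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$safari = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -like 'Safari*' } |
            Select-Object DisplayName, DisplayVersion, PSPath
    }
}

$safariSummary = ($safari | ForEach-Object {
    "$($_.DisplayName) $($_.DisplayVersion)"
}) -join '; '

# One record per host, suitable for collecting across a fleet.
New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    OSVersion   = $os.Version
    Arch        = $os.OSArchitecture
    Win7x64     = $isWin7x64
    SafariFound = [bool]$safari
    Safari      = $safariSummary
    # "Exposed" only means this host matches the known trigger path; the flaw
    # itself is in win32k.sys and may be reachable from other browsers too.
    Exposed     = ($isWin7x64 -and [bool]$safari)
}
```

Run it locally or through your usual remote execution mechanism and collect the output. Note what the check does and does not tell you: a host with Safari removed is not fixed, since the vulnerable code is in win32k.sys and, as the diary warns, other browsers may turn out to reach the same code path. The inventory only tells you where the currently known trigger exists.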
Does anyone actually run Safari on Windows :D :D
James

34 Posts
@James Safari is often included in the download for iTunes (at least in the past). It is probably on a lot more computers than you might expect.
James
4 Posts
The basis of this seems to have been known about for a while (2005):

https://bugzilla.mozilla.org/show_bug.cgi?id=320430
Alex

19 Posts
