12/22/2011
12:59 PM
Connect Directly
Twitter
RSS
E-Mail

Possible New Zero-Day Windows 7 Flaw Under Investigation

Specially crafted Web page viewed with Safari causes 'blue screen of death,' remote execution



Microsoft is studying a newly disclosed bug in Windows 7 that that lets the attacker crash a patched Windows 7 machine and ultimately allow an attacker to hack the machine when it's running Apple's Safari browser.

"The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser," Secunia reported in an advisory earlier this week. "Successful exploitation may allow execution of arbitrary code with kernel-mode privileges."

Secunia has confirmed the new memory corruption flaw in 64-bit versions of Windows 7 Professional, but says it might exist in other versions as well.

“We’re looking into an issue that may cause unexpected behavior in certain 64-bit Windows installations. We will take appropriate action to best protect our customers," says Jerry Bryant, group manager, response communications for Microsoft Trustworthy Computing.

Word of the flaw first came to light when a researcher who goes by the handle webDEViL first tweeted about it.

According to a post yesterday on the Cyberarms blog, the flaw at first causes Windows 7 to render the "blue screen of death," and then can be used to create a zero-day exploit.

"Just a single line stored in an html file with the right number causes the crash," according to the blog, indicating there also appears to be an issue in Safari that allows this malicious activity. "As soon as you attempt to open the webpage with Safari, your Windows 7 instantly crashes. Hopefully Apple will get this patched quickly."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2021 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service