Possible New Zero-Day Windows 7 Flaw Under InvestigationPossible New Zero-Day Windows 7 Flaw Under Investigation
Specially crafted Web page viewed with Safari causes 'blue screen of death,' remote execution
December 22, 2011
Microsoft is studying a newly disclosed bug in Windows 7 that that lets the attacker crash a patched Windows 7 machine and ultimately allow an attacker to hack the machine when it's running Apple's Safari browser.
"The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser," Secunia reported in an advisory earlier this week. "Successful exploitation may allow execution of arbitrary code with kernel-mode privileges."
Secunia has confirmed the new memory corruption flaw in 64-bit versions of Windows 7 Professional, but says it might exist in other versions as well.
“We’re looking into an issue that may cause unexpected behavior in certain 64-bit Windows installations. We will take appropriate action to best protect our customers," says Jerry Bryant, group manager, response communications for Microsoft Trustworthy Computing.
Word of the flaw first came to light when a researcher who goes by the handle webDEViL first tweeted about it.
According to a post yesterday on the Cyberarms blog, the flaw at first causes Windows 7 to render the "blue screen of death," and then can be used to create a zero-day exploit.
"Just a single line stored in an html file with the right number causes the crash," according to the blog, indicating there also appears to be an issue in Safari that allows this malicious activity. "As soon as you attempt to open the webpage with Safari, your Windows 7 instantly crashes. Hopefully Apple will get this patched quickly."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Modernize your Security Operations with Human-Machine Intelligence
The Evolving Ransomware Threat: What Business Leaders Should Know About Data Leakage
Building Immunity: The 2021 Healthcare and Pharmaceutical Industry Cyber Threat Landscape Report