Possible New Zero-Day Windows 7 Flaw Under Investigation
Specially crafted Web page viewed with Safari causes 'blue screen of death,' remote execution
Microsoft is studying a newly disclosed bug in Windows 7 that that lets the attacker crash a patched Windows 7 machine and ultimately allow an attacker to hack the machine when it's running Apple's Safari browser.
"The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser," Secunia reported in an advisory earlier this week. "Successful exploitation may allow execution of arbitrary code with kernel-mode privileges."
Secunia has confirmed the new memory corruption flaw in 64-bit versions of Windows 7 Professional, but says it might exist in other versions as well.
“We’re looking into an issue that may cause unexpected behavior in certain 64-bit Windows installations. We will take appropriate action to best protect our customers," says Jerry Bryant, group manager, response communications for Microsoft Trustworthy Computing.
Word of the flaw first came to light when a researcher who goes by the handle webDEViL first tweeted about it.
According to a post yesterday on the Cyberarms blog, the flaw at first causes Windows 7 to render the "blue screen of death," and then can be used to create a zero-day exploit.
"Just a single line stored in an html file with the right number causes the crash," according to the blog, indicating there also appears to be an issue in Safari that allows this malicious activity. "As soon as you attempt to open the webpage with Safari, your Windows 7 instantly crashes. Hopefully Apple will get this patched quickly."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like
Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024