Wednesday, December 21st 2011

Windows 7 Plus Web Browser Plus Special Sauce Make Simple Blue Screen Recipe!

To make this delicious poison dish, simply take a large dollop of Windows 7 Professional, mix it with a portion of Safari and add a dash of special iFrame sauce and voila! instant Blue Screen of Death. The flaw is triggered by running Apple's Safari web browser on a fully patched 64-bit Windows 7 Professional, then feeding it a web page containing a simple iFrame with an overly long height attribute, like this: < iframe height='18082563'> (remove the space after the first angle bracket) Result: Windows 7 falls over instantly with a memory corruption error. Ouch. Interestingly, it seems that 32-bit Windows 7 doesn't suffer from this vulnerability and neither does XP SP3 32-bit, although this is by no means certain at this point. The flaw appears to be in the win32k.sys kernel-mode driver, which is a common source of critical Windows vulnerabilities. It was first reported by Twitter user webDEViL (@w3bd3vil) and being a zero day vulnerability, there's currently no fix or workaround for it. However, the worst part about this critical vulnerability, is that Safari runs 100% in User Mode, which is effectively a type of sandbox, preventing an application from bringing down Windows, regardless of what it does. There's obviously a little loophole here though.

To prevent a malicious web page from taking out Windows 7 at the moment, inspection of every web page before being rendered by the browser would have to be performed by installed security software, which would tend to reduce browsing performance and increase CPU usage. Alternatively, just don't use Safari.

Respected security outfit Secunia has looked at this vulnerability and believe that the crash could be used to execute malicious code, rather than just kill the operating system. They have issued advisory SA47237 about this problem:
Description

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to a flaw in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.

The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit. Other versions may also be affected.

Solution
No effective solution is currently available.

Provided and/or discovered by
webDEViL

Original Advisory
https://twitter.com/#!/w3bd3vil/status/148454992989261824
Additionally, Secunia's chief security specialist Carsten Eiram, expanded on this problem:
Based on our testing the impact could be more severe due to the type of crash and nature of the vulnerability i.e. crashing when attempting to write to invalid memory in a call to memmove(). Based on this we do consider remote code execution a possibility though it has not been proven at this time.

Other 64-bit versions could be affected. During testing we observed no crashes on Windows XP SP3 32-bit nor Windows 7 32-bit, but cannot completely rule out that these could be affected via different approaches.
As can be expected, this rather embarrassing zero day security flaw is being urgently looked into by Microsoft: "We are currently examining the issue and will take appropriate action to help ensure customers are protected" said Jerry Bryant, Group Manager, Response Communications Microsoft Trustworthy Computing. Of course, one must ask why is it only Safari that does this, so Apple should be equally concerned to fix their browser.

Below is an 11 second video demonstration of the flaw:

Source: InfoWorld
Add your own comment

24 Comments on Windows 7 Plus Web Browser Plus Special Sauce Make Simple Blue Screen Recipe!

#1
AlienIsGOD
Thanks Qubit :D now i know how to piss all my friends off that run 7 64bit :toast: :toast::pimp: :respect:
Posted on Reply
#2
qubit
Overclocked quantum bit
by: AlienIsGOD
Thanks Qubit :D now i know how to piss all my friends off that run 7 64bit :toast: :toast::pimp: :respect:
Yes, I can't wait to try it either. :D

Anyone want to try it and report on it here?
Posted on Reply
#3
BlackOmega
People actually use Safari on Windows??? :twitch:

I think it sucks on Mac, now I have all the more reason to hate Safari.
Posted on Reply
#4
Steevo
Win X64 uses random writes for the kernel and locations as a security measure. It seems like this is just a memory overflow that causes the system to freak out about safari not writing to its own memory. Safari soumds like it has a issues with the x64 setup.
Posted on Reply
#5
Kreij
Senior Monkey Moderator
Interesting.
Is Safari on Windows a 32 or 64 bit app?
How do the other browsers fair between their 32 and 64 bit versions?
Posted on Reply
#6
TheMailMan78
Banstick Dummy
I like how you left out the fact the same iframe will not cause a crash in IE, Opera or Firefox and is solely isolated to Safari. This is a Safari issue. Not a Windows issue.
Posted on Reply
#7
Mussels
Moderprator
by: Kreij
Interesting.
Is Safari on Windows a 32 or 64 bit app?
How do the other browsers fair between their 32 and 64 bit versions?
i dont think anyone at all uses 64 bit browsers. they just use 32 bit.
Posted on Reply
#8
Steevo
IE is 64 bit capable.
Posted on Reply
#9
Mussels
Moderprator
by: Steevo
IE is 64 bit capable.
separate .exe that requires separate plugins etc. hence, no one uses it.
Posted on Reply
#10
johnspack
Funny, all I've used is 64bit browsers for at least 2 years. Far more secure normally, as most malware is written for 32bit browsers. I'll stick with firefox64 now though, especially since flash is now working under 64 bit. I truly believe 32 bit browsers are much more vulnerable.
Posted on Reply
#11
micropage7
by: TheMailMan78
I like how you left out the fact the same iframe will not cause a crash in IE, Opera or Firefox and is solely isolated to Safari. This is a Safari issue. Not a Windows issue.
agree. its more like safari issue that makes windows crash
if its ok on FF, chrome and opera. its must be safari issue
Posted on Reply
#12
theJesus
by: Mussels
separate .exe that requires separate plugins etc. hence, no one uses it.
I use it on the rare occasions that I use IE
Posted on Reply
#13
johnspack
If chrome had a 64 bit version, I might consider it, but security demands 64bit in this day and age....
Posted on Reply
#14
TheMailMan78
Banstick Dummy
by: johnspack
If chrome had a 64 bit version, I might consider it, but security demands 64bit in this day and age....
I dont believe a 64-bit browser gives you anymore security then a 32-bit one. Do you have any links to support this claim?
Posted on Reply
#15
Undead46
Who the hell runs Safari on Win7? :)
Posted on Reply
#16
qubit
Overclocked quantum bit
by: TheMailMan78
I like how you left out the fact the same iframe will not cause a crash in IE, Opera or Firefox and is solely isolated to Safari. This is a Safari issue. Not a Windows issue.
by: micropage7
agree. its more like safari issue that makes windows crash
if its ok on FF, chrome and opera. its must be safari issue
The fault is in Windows and Safari, as I clearly explained in the article. Read it over again carefully, peeps. ;)
Posted on Reply
#17
garyinhere
by: qubit
The fault is in Windows and Safari, as I clearly explained in the article. Read it over again carefully, peeps. ;)
"If you put a penis where a vag was it won't work well" Chaz
Bono
Posted on Reply
#18
RejZoR
Why would anyone want to use Safari on Windows system?
Posted on Reply
#19
Drone
Opera 12 alpha in Windows 8 also can BSOD with corrupted memory error, I've discovered that bug when development builds of Windows 8 and Opera 12 just got released. Shame that Windows kernel is so faulty, there are some common kernel bugs since Windows 98 that affect all versions and weren't fixed even today.
Posted on Reply
#20
TheMailMan78
Banstick Dummy
by: qubit
The fault is in Windows and Safari, as I clearly explained in the article. Read it over again carefully, peeps. ;)
Ah so you are now gonna cover every single application that may crash an OS?
Posted on Reply
#21
Grings
Obviously Macs are more reliable than PC's
Posted on Reply
#22
qubit
Overclocked quantum bit
by: TheMailMan78
Ah so you are now gonna cover every single application that may crash an OS?
What's tickled you, mailman? There are two separate flaws here. Put them together and kaboom! It's pretty serious.

No need for anyone to apologize for Microsoft and Apple - they should fix it. It's good that this problem was exposed, as both pieces of software will now be that little bit more secure once these are patched. And who knows what other related flaws will be fixed once these two are patched.

by: Grings
Obviously Macs are more reliable than PC's
That's a joke, right?
Posted on Reply
#23
TheMailMan78
Banstick Dummy
by: qubit
What's tickled you, mailman? There are two separate flaws here. Put them together and kaboom! It's pretty serious.

No need for anyone to apologize for Microsoft and Apple - they should fix it. It's good that this problem was exposed, as both pieces of software will now be that little bit more secure once these are patched. And who knows what other related flaws will be fixed once these two are patched.



That's a joke, right?
I'm not pickin at ya man. I'm just saying its not a big deal. I mean any software not coded correctly can cause a BSOD in Windows. Is this news because you personally don't like Apple and Microsoft or do the people of TPU use Safari? See what I'm getting at? Anyway opinion aside its a good write up. :toast:
Posted on Reply
#24
qubit
Overclocked quantum bit
by: TheMailMan78
I'm not pickin at ya man. I'm just saying its not a big deal. I mean any software not coded correctly can cause a BSOD in Windows. Is this news because you personally don't like Apple and Microsoft or do the people of TPU use Safari? See what I'm getting at? Anyway opinion aside its a good write up. :toast:
Oh yes ya are! :laugh: :toast:

No, the kicker is that it's user mode software, which isn't supposed to crash the OS, whatever it does.

Also, of course I had to write up this story, because:

- It's been widely reported, it's easy to try out and it's a bit of an oops moment for MS, which is always newsworthy, lol

- It's nothing to do with my feelings about Apple & Microsoft: any company would be fair game over a cockup like this :)

- Just look at the headline I made up! And the first line to go with it. I beta tested it for humour on a couple of friends before publishing it and it passed the laugh test with flying colours! I think it's my favourite title ever :D
Posted on Reply
Add your own comment