
New Remote Flaw In 64-Bit Windows 7

samzenpus posted more than 2 years ago | from the hole-in-the-wall dept.


Trailrunner7 writes "Researchers are warning about a new remotely exploitable vulnerability in 64-bit Windows 7 that can be used by an attacker to run arbitrary code on a vulnerable machine. The bug was first reported a couple of days ago by an independent researcher and confirmed by Secunia. In a message on Twitter, a researcher named w3bd3vil said that he had found a method for exploiting the vulnerability by simply feeding an iframe with an overly large height to Safari. The exploit gives the attacker the ability to run arbitrary code on the victim's machine."


284 comments


So all 5 of you running Safari on Windows (5, Funny)

elrous0 (869638) | more than 2 years ago | (#38452580)

Watch out!

Re:So all 5 of you running Safari on Windows (4, Insightful)

lgw (121541) | more than 2 years ago | (#38452596)

So, wait, is this a Win7 exploit or a Safari exploit?

Re:So all 5 of you running Safari on Windows (5, Insightful)

SirBitBucket (1292924) | more than 2 years ago | (#38452626)

Sounds like it is an exploit of an issue with a windows component, but it is currently only known to be exploitable through Safari. Kind of like you could hotwire a car (windows) if you happen to have replaced your windows with Saran wrap (Safari), and can get right through them.

Re:So all 5 of you running Safari on Windows (3, Informative)

Moryath (553296) | more than 2 years ago | (#38452920)

Sounds like it is an exploit of an issue with a windows component, but it is currently only known to be exploitable through Safari.

If it's something only exploitable through Safari, then it's probably a Safari bug! Let's take a look at the original security advisory:

The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

So, they blame win32k.sys - but apparently the actual bug is that you can cause something resembling a buffer overflow by feeding Safari a ridiculously large bit of data as an iFrame.

Could go either way. Given that no other browser is currently deemed vulnerable, it sounds more like a Safari bug to me - just like the various PDF exploits were much more an Adobe than Microsoft responsibility.

Re:So all 5 of you running Safari on Windows (0, Flamebait)

Dishevel (1105119) | more than 2 years ago | (#38453038)

Not saying that Safari does not have some shit code in it that allows this to happen but there is no way that windows should allow the execution of the code because some shit piece of software can not handle its data.
So ... Fuck em both.

Re:So all 5 of you running Safari on Windows (5, Insightful)

Guy Harris (3803) | more than 2 years ago | (#38453106)

The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

So, they blame win32k.sys - but apparently the actual bug is that you can cause something resembling a buffer overflow by feeding Safari a ridiculously large bit of data as an iFrame.

Could go either way.

Should go both ways.

Apple should fix the Safari bug so it doesn't mishandle IFRAMEs with "overly large" "height" attributes.

Microsoft should fix the in-kernel graphics code so you can't use it to break into the system.

Re:So all 5 of you running Safari on Windows (4, Informative)

hairyfeet (841228) | more than 2 years ago | (#38453250)

Well I'd be worried about Firefox as well, because the malware guys have figured out how to get around their XSS by using a hidden iFrame, which is why if you have any porn watching friends or relatives that use Yahoo Mail + FF you may have been getting spam from them lately. Don't know if it works on FF 9 and since I'm officially on vacation until the middle of next week I'm not gonna be loading a spare box with it and surfing porn vid sites to find out as I got a ton of games and a 6 core and intend to enjoy them! Just to be safe though be sure anybody you know with FF upgrades to the latest.

Since we are on security allow me to say why I wouldn't consider either Safari OR Firefox a suitable browser for Windows 7: Lack of low rights mode. I bet the reason you aren't seeing this on IE nor on the Chromium based (Chrome, Chromium, Dragon, SWIron) is that they support the browser running in low rights mode and that is in fact their default behavior. Now considering that low rights mode has been around for nearly 5 years now there really is no excuse for a modern browser not to support it, especially when as we all know running with least permissions is just good security practice.

So I would say if you are on Safari or Firefox or any other browser other than the Chromium based above look to see if your browser is running in low rights mode. If it is not switch browsers and be sure to drop the developers a line and tell them WHY you are switching away from their browser. It seems like doing the switch for the right reasons (increasing the user's security) will never happen so maybe if enough folks tell them "we won't use your browser because" then they will get off their asses and support this common sense feature.

Re:So all 5 of you running Safari on Windows (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#38453460)

Don't know if it works on FF 9 and since I'm officially on vacation until the middle of next week I'm not gonna be loading a spare box with it and surfing porn vid sites to find out as I got a ton of games and a 6 core and intend to enjoy them!

So wait, you're on vacation until the middle of next week and you won't be surfing porn vid sites to instead play video games? Nerd.

Re:So all 5 of you running Safari on Windows (5, Informative)

kvvbassboy (2010962) | more than 2 years ago | (#38452678)

Quote from Secunia advisory:

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges

Safari is apparently the only currently known browser where this attack could be vectored from.

Re:So all 5 of you running Safari on Windows (4, Interesting)

tgd (2822) | more than 2 years ago | (#38452768)

64-bit windows requires no-execute on data pages (DEP), so there's no route you can cause data corruption and end up with executable code unless you have code running in the kernel to change the flags on the pages in memory.

If this is a theoretical exploit, the authors of it may not be that familiar with 64-bit Windows 7, or are running on a developer machine they explicitly disabled DEP.

Re:So all 5 of you running Safari on Windows (2, Interesting)

lgw (121541) | more than 2 years ago | (#38452966)

Well, there may be some Safari bug that allows an oversize iframe to be interpreted as a script and interpreted, giving the place where the code can run, followed by some unrelated local privilege escalation bug in Win7 for it to take advantage of.

Heck, security advisories come in "tweets" now? We're supposed to guess the problem from the first 140 characters of explanation, I suppose.

Re:So all 5 of you running Safari on Windows (5, Informative)

pclminion (145572) | more than 2 years ago | (#38453052)

Modern exploit techniques provide multiple ways around DEP. Obviously DEP is something that should always be used if the hardware supports it (and the lack of support in older processors can in some sense be considered a design flaw) but it's no panacea against exploits. For example see return-to-libc attacks and the return-oriented programming techniques which generalize it. Even then, those techniques are based on stack smashing attacks, which are not the only kind of attack possible.

Re:So all 5 of you running Safari on Windows (5, Informative)

Anonymous Coward | more than 2 years ago | (#38453158)

DEP is regularly beaten. The key is called "return oriented programming" (http://en.wikipedia.org/wiki/Return-oriented_programming), essentially oldschool "return to libc" on speed. It's a lot of painful work, but that's what it takes these days.

Re:So all 5 of you running Safari on Windows (0)

Anonymous Coward | more than 2 years ago | (#38453188)

64-bit windows requires no-execute on data pages (DEP), so there's no route you can cause data corruption and end up with executable code unless you have code running in the kernel to change the flags on the pages in memory.

If this is a theoretical exploit, the authors of it may not be that familiar with 64-bit Windows 7, or are running on a developer machine they explicitly disabled DEP.

What about using a return to libc sort of approach. You may not be able to execute code on the stack, but if you can pass parameters to Exec() or whatever, then it is almost just as good.

Re:So all 5 of you running Safari on Windows (5, Insightful)

MikeyO (99577) | more than 2 years ago | (#38452680)

Perhaps both, definitely a bug in win7. If something the unprivileged safari process does crashes the kernel, we know there must be a bug in win7.

Re:So all 5 of you running Safari on Windows (2, Informative)

Anonymous Coward | more than 2 years ago | (#38452744)

FTFA:

"A vulnerability has been discovered in MicrosWindows 7oft Windows, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges," the Secunia advisory said.

So it's a windows bug, and the first way to access it that's been found is through safari.

Re:So all 5 of you running Safari on Windows (4, Funny)

Merk42 (1906718) | more than 2 years ago | (#38453170)

That's a relief, I'm not running MicrosWindows 7oft Windows

Re:So all 5 of you running Safari on Windows (5, Informative)

OverlordQ (264228) | more than 2 years ago | (#38452752)

The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

No matter what Safari does, it shouldn't cause a crash in win32k.sys, so I'd go with Windows error via Safari error since there's probably other vectors that can also cause a crash in the same place.

Re:So all 5 of you running Safari on Windows (1, Insightful)

icebike (68054) | more than 2 years ago | (#38453108)

It didn't cause a crash, it allowed the execution of arbitrary code, which is probably worse.

We don't even know if the exploit occurred in the windows API, or some of the crapware that Safari drags along with it.
None of the other WebKit browsers can cause the same exploit so it may well not be in the core of safari at all, but rather in one of the helper drivers that get installed when you install Safari and iTunes, like Bonjour or ipod helper processes. Some of those things can't be easily sandboxed because they install as drivers.

This isn't the first instance of Safari being a vector to a windows vulnerability.

Re:So all 5 of you running Safari on Windows (2)

Dog-Cow (21281) | more than 2 years ago | (#38453412)

Neither the iTunes Helper nor Bonjour are drivers.

Re:So all 5 of you running Safari on Windows (2)

geekoid (135745) | more than 2 years ago | (#38453222)

Any exploit that gives control to an unauthorized user so they can run arbitrary code is an OS exploit.

Re:So all 5 of you running Safari on Windows (0)

dyingtolive (1393037) | more than 2 years ago | (#38452598)

Yeah, no kidding. So is this a Windows exploit, an iframe exploit, or a Safari exploit?

Re:So all 5 of you running Safari on Windows (1, Interesting)

Synerg1y (2169962) | more than 2 years ago | (#38452632)

An iframe is interpreted by the safari browser which has trust obviously (it's an .exe), so it's a safari vulnerability, article is mislabeled, or author never took sec 101.

Also 5 users is very generous, I have yet to see one, and I've seen my share. Most web developers make their salt without ever having to test on this browser for example.

Re:So all 5 of you running Safari on Windows (1)

rubycodez (864176) | more than 2 years ago | (#38452802)

Wrong. This is made possible by data overflowing in using win32k.sys causing memory corruption. Safari is just showing the problem, other wares using the .sys could do it too

Re:So all 5 of you running Safari on Windows (2)

TheRealMindChild (743925) | more than 2 years ago | (#38453018)

win32k.sys is responsible for Windows window manager, keyboard input, and GDI among other things. So you are knee deep in it regardless what you do. Apparently this oh so important system file is quite familiar with being exploited [google.com] . At this rate, christ, at least do a real code audit of the friggin file.

Re:So all 5 of you running Safari on Windows (5, Informative)

GIL_Dude (850471) | more than 2 years ago | (#38452954)

It would be more correct to say the vulnerability (flaw) is in the windows kernel and the only currently known exploit is through the safari browser. There are decent odds that some other vector will be found through which to exploit this. But for now it looks like the exploit through safari uses a lack of correct input sanitization (in safari) in order to exploit the Windows kernel vulnerability. It would probably be possible to craft an exe to do privilege elevation using this kernel flaw by passing similar bad parameters to the kernel - but of course local elevation of privilege is much less of a threat than a true drive by like this exploit through safari.

Re:So all 5 of you running Safari on Windows (4, Insightful)

jedidiah (1196) | more than 2 years ago | (#38452634)

It shouldn't matter.

The OS simply should not melt because Apple can't code its way out of a wet paper bag.

A real OS should simply not fall apart just because the users or programmers are idiots or malicious.

Re:So all 5 of you running Safari on Windows (3, Insightful)

Luckyo (1726890) | more than 2 years ago | (#38452682)

That's going to be one hell of a locked down OS. Will it be able to run anything at all?

Re:So all 5 of you running Safari on Windows (0)

Anonymous Coward | more than 2 years ago | (#38453406)

Yes it will. There are such super secure OS's out there. They are used for critical systems. Here is one example. These OS's are not typically found on desktops or even servers however.

Re:So all 5 of you running Safari on Windows (0)

Anonymous Coward | more than 2 years ago | (#38453442)

Link again.
http://en.wikipedia.org/wiki/XTS-400

Re:So all 5 of you running Safari on Windows (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38452738)

Well so much for every operating system ever created.

Re:So all 5 of you running Safari on Windows (1)

Anonymous Coward | more than 2 years ago | (#38452860)

I had that OS once. It ran Pong.

Re:So all 5 of you running Safari on Windows (3, Interesting)

hAckz0r (989977) | more than 2 years ago | (#38452726)

5 people? Unfortunately there are a LOT of people who have to run iTunes for their iPod/iPad/iPhone in order to get updates. Those updates usually try to install Safari along with the rest of the patches. Whether the user ever actually uses Safari is another question all together. I know I have not, but I often get tired of trying to unclick the selection boxes to not have it install every time there are updates. Most people will likely just give up and let Safari install even though it takes more download time. So, I bet its at least 6 people.

Re:So all 5 of you running Safari on Windows (0)

Anonymous Coward | more than 2 years ago | (#38452912)

The remote flaw requires them to actually use Safari, not just have it installed on their PC because the iTunes or QuickTime installer pushed it through.

Re:So all 5 of you running Safari on Windows (1)

Culture20 (968837) | more than 2 years ago | (#38453646)

there are a LOT of people who have to run iTunes for their iPod/iPad/iPhone in order to get updates. Those updates usually try to install Safari along with the rest of the patches.

It actually installed Safari once without asking, IIRC.

Re:So all 5 of you running Safari on Windows (1)

devitto (230479) | more than 2 years ago | (#38452826)

Nope - everyone running Win7/64 bit watch out - because if you can trigger it with Safari, you can trigger it with other mechanisms, and rather than crash, get total access to the kernel - e.g. be able to write raw sectors, access other hardware and basically bypass all security.

The point is that if dropped into an advert pushed out into lots of ad syndicates, it could bypass all antivirus, DEP and other security to infect millions of machines in minutes. Once running in the kernel, it can unhook antivirus, and basically make a rebuild necessary to get the machine back - no amount of hitting 'update' will help.

Re:So all 5 of you running Safari on Windows (1)

Anonymous Coward | more than 2 years ago | (#38453120)

Nope - everyone running Win7/64 bit watch out - because if you can trigger it with Safari, you can trigger it with other mechanisms, and rather than crash, get total access to the kernel - e.g. be able to write raw sectors, access other hardware and basically bypass all security.

I take it you have a proof of concept that can you show us? Or are you just talking out of your ass?

Re:So all 5 of you running Safari on Windows (1)

Dog-Cow (21281) | more than 2 years ago | (#38453478)

You are an unmitigated idiot. It's completely logical to state that a kernel bug can be exploited by means other than the one vector used to date. The only question is whether another vector will be found, not whether it exists.

Re:So all 5 of you running Safari on Windows (1)

boley1 (2001576) | more than 2 years ago | (#38453454)

Correction: There are 6 of us.

Re:So all 5 of you running Safari on Windows (1)

jessehager (713802) | more than 2 years ago | (#38453466)

Don't forget all of the other software out there that uses the same Webkit rendering engine as Safari. There could be many more vulnerable programs. And many more users at risk.

Since win32k.sys is the kernel mode driver portion of the win32 subsystem, any exploit that runs in it runs in kernel mode. Very nasty.

Headline.. Flaw in APPLE Safari for windows found (4, Insightful)

SirBitBucket (1292924) | more than 2 years ago | (#38452594)

So far you must use Safari under Win7 64bit to exploit this. But we would never want to say anything bad about Apple, only about Microsoft...

Re:Headline.. Flaw in APPLE Safari for windows fou (4, Informative)

The MAZZTer (911996) | more than 2 years ago | (#38452642)

TFA suggests it allows kernel privileges, so it is certainly a Windows exploit. But it may also be a Safari bug too, it depends whether or not the data it is passing to the Windows API calls that are causing the exploit would be considered reasonable or not.

Re:Headline.. Flaw in APPLE Safari for windows fou (2)

tgd (2822) | more than 2 years ago | (#38452736)

TFA suggests it allows kernel privileges, so it is certainly a Windows exploit. But it may also be a Safari bug too, it depends whether or not the data it is passing to the Windows API calls that are causing the exploit would be considered reasonable or not.

I wouldn't make that blanket assumption -- Apple installs a MASSIVE amount of crap into the system. A kernel exploit in Windows code is NOT the same as a kernel exploit in Apple code. A service, a device driver, a process running with admin rights without appropriate protections from user-space could all be a vector for a kernel exploit.

Re:Headline.. Flaw in APPLE Safari for windows fou (2)

geekoid (135745) | more than 2 years ago | (#38453264)

If the OS allows Safari to run any arbitrary code, or ANY software for that matter, then there is an OS problem.

Should Safari accept overlarge iFrame? no. That is also the problem.

Since Windows is used far more than Safari, and is a core component of many systems, then putting it as a MS exploit is the responsible thing to do.

Re:Headline.. Flaw in APPLE Safari for windows fou (0)

Anonymous Coward | more than 2 years ago | (#38453458)

So what you're saying is that Apple wrote the code in win32k.sys, where the bug is? My mind is blown. One question: If Apple wrote Windows, then why does it suck so much?

Re:Headline.. Flaw in APPLE Safari for windows fou (5, Informative)

The MAZZTer (911996) | more than 2 years ago | (#38452740)

Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial of Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...

Re:Headline.. Flaw in APPLE Safari for windows fou (-1)

Anonymous Coward | more than 2 years ago | (#38452874)

In one sense yes.

It's difficult to say what sort of privileges Apple Safari has to the Microsoft systems, if they have special access to internal APIs this could just as well be a bug in the Apple Code.

It's more or less moot anyway, both make lots of horrible proprietary code, like quicktime.

Re:Headline.. Flaw in APPLE Safari for windows fou (0)

Dog-Cow (21281) | more than 2 years ago | (#38453522)

I hope you die, painfully and in full view of your family.

Seriously. How much irrational hate do you have?

Re:Headline.. Flaw in APPLE Safari for windows fou (1, Informative)

tgd (2822) | more than 2 years ago | (#38452878)

Addendum: <iframe height='18082563'></iframe> causes a BSoD by the Windows kernel so it is certainly a Windows bug. It would be trivial of Apple to hotfix it to prevent exploitation via Safari but any other application could theoretically exploit it and elevate their code. Of course it doesn't appear anyone else has actually gotten it to execute arbitrary code yet, despite the summary claim...

And likely won't -- Win7 64-bit requires DEP, so you can't corrupt a data page and end up executing code unless there's a defect in the CPU *or* you have code in the kernel to change the page type. And if you have code already in the kernel, you don't really need an exploit.

It's also not clear from the article if it's corrupting kernel memory, or corrupting user memory. The driver crashing doesn't necessarily imply data in kernel space was corrupted, it just means the driver crashed for some reason.

Re:Headline.. Flaw in APPLE Safari for windows fou (1)

Anonymous Coward | more than 2 years ago | (#38453134)

This is a common misconception on the use of DEP. DEP is a mitigation, not a solution.
There are dozens of ways to get around DEP protection. It helps sometimes, but not when you execute already existing (and useful) code inside the kernel/app.

Re:Headline.. Flaw in APPLE Safari for windows fou (1)

geekoid (135745) | more than 2 years ago | (#38453278)

because DEP is bug free?

Re:Headline.. Flaw in APPLE Safari for windows fou (1)

icebike (68054) | more than 2 years ago | (#38452794)

It seems unlikely this was found by accident, more likely by someone knowing about how the iframe would be handled in windows and designing something purpose made to break that.

Not knowing how Safari is interfacing with windows, I can't guess if this is a problem in a windows API call or some tool-set used only by Safari. If none of the other Webkit browsers can trigger this bug it would seem more likely to be some safari specific middleware.

All 6 people using Safari on Win7 64bit should definitely avoid all 3 sites on the internet that might have deployed this exploit.

Re:Headline.. Flaw in APPLE Safari for windows fou (3, Interesting)

rabbit994 (686936) | more than 2 years ago | (#38452840)

The only confirmed anything I've seen is someone can BSOD the computer. Which while a bug, not Remote Code Execute, just Denial of Service attack.

Since this problem only exists in Safari, either Chrome/IE/Firefox are sanitizing those inputs to prevent that from reaching Windows kernel.

Furthermore, since this is an x64-only bug, my guess is this issue was patched in 32-bit but for some reason, WOW64 isn't seeing it or catching it.

Re:Headline.. Flaw in APPLE Safari for windows fou (5, Interesting)

Baloroth (2370816) | more than 2 years ago | (#38452698)

The flaw seems to be in a call to a Windows API.

It is possible to trigger a memory error in the system file win32k.sys by accessing a crafted HTML file in Safari....According to webDEViL, the source of the vulnerability is the function NtGdiDrawStream.

So it is possible other programs could be affected. It is also possible that Safari itself handles the function in a broken manner. Note that Firefox appears to also have crashes related to that function (on x86 Windows, though, it's like the second Google result for that function). So, really impossible to say at this point. Also, they could only cause Windows to crash, not to run arbitrary code or anything. So far anyways.

Re:Headline.. Flaw in APPLE Safari for windows fou (2)

slater.jay (1839748) | more than 2 years ago | (#38453062)

Accidental funny mod.

Re:Headline.. Flaw in APPLE Safari for windows fou (1)

TheRealMindChild (743925) | more than 2 years ago | (#38453178)

The prototype for the NtGdiDrawStream is as such:

BOOL NtGdiDrawStream(IN HDC hdcDst, IN ULONG cjIn, IN VOID* pvI);

So, simply speculating, this may be something like a ULONG going in, but it gets cast to a signed integer.

Re:Headline.. Flaw in APPLE Safari for windows fou (1)

devitto (230479) | more than 2 years ago | (#38452734)

Wrong - it's a MS bug in windows, it's just that they triggered it through Safari. A bit like saving a file in safari causing the machine to explode - not really Safari's fault.

Re:Headline.. Flaw in APPLE Safari for windows fou (-1, Redundant)

rubycodez (864176) | more than 2 years ago | (#38452770)

article text: "The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory". It is Microsoft's usual sloppy coding and lax security being the root cause of making safari problem possible.

Re:Headline.. Flaw in APPLE Safari for windows fou (0)

Anonymous Coward | more than 2 years ago | (#38452774)

So far you must use Safari under Win7 64bit to exploit this.

But we would never want to say anything bad about Apple, only about Microsoft...

Jobs is dead, so go for it.

This is a really scary exploit (0)

Anonymous Coward | more than 2 years ago | (#38452610)

"The only known attack vector for this vulnerability right now is the Safari browser running on Windows 7" - oh - never mind

Wait... (4, Funny)

SJHillman (1966756) | more than 2 years ago | (#38452628)

Safari runs on Windows? Any time I've tried running Apple software (iTunes, Safari, Quicktime) on Windows, it just takes forever to load, wants to spend all day updating, chews up my memory and craps on my processor. If someone is running Safari on Windows intentionally then they might be masochistic enough to welcome this 'feature'

Re:Wait... (1)

geekoid (135745) | more than 2 years ago | (#38453304)

I think you should have an actually professional look at your machine.
I run iTunes without any problem on Windows 7, x64. I also ran Safari for a while to check it out. It wasn't as good as Chrome so I ditched it.

And there is nothing special about the box I run them on.

It's an Apple exploit. (3, Insightful)

whatthef*ck (215929) | more than 2 years ago | (#38452636)

Shouldn't the posting have the Apple graphic instead of Microsoft?

Re:It's an Apple exploit. (3, Funny)

Mashiki (184564) | more than 2 years ago | (#38452910)

Nah. Easier to bash MS, this is /. after all. Critical thinking skills go out the Windows.

Re:It's an Apple exploit. (1)

Anonymous Coward | more than 2 years ago | (#38453272)

Actually, should be both. Safari may be the attack vector and there may be a bug there, but the OS kernel should NEVER allow memory corruption AT ALL, EVER. That's a part of its entire JOB. The fact that the kernel doesn't just crash Safari and continue on its way after booting the browser out of memory says there very well is a problem with the Win7 kernel.

Re:It's an Apple exploit. (0)

Anonymous Coward | more than 2 years ago | (#38453116)

A bug in the Windows kernel can be exploited through a bug in Apple's browser in such a way that it represents a security vulnerability. The researchers happened to discover that Apple's browser could be used to exploit the Windows bug, but it could very well be another program altogether.

Therefore, between focussing on the potentially disastrous kernel bug and the irrelevant browser bug, I believe we can agree that the focus should be placed on the kernel bug. Hence, the Microsoft logo.

Re:It's an Apple exploit. (1)

geekoid (135745) | more than 2 years ago | (#38453318)

Since windows allows arbitrary code to run, and is used by about 85% of the market, there is nothing wrong with the headline.

misleading headline (0)

Anonymous Coward | more than 2 years ago | (#38452654)

Safari is the only attack vector. This by definition is not a remote flaw as it requires you to do something to exploit a web browser, thus it is a 'local exploit'.

Re:misleading headline (3, Informative)

icebike (68054) | more than 2 years ago | (#38452900)

Safari is the only attack vector. This by definition is not a remote flaw as it requires you to do something to exploit a web browser, thus it is a 'local exploit'.

The web page can be remote, and can presumably gain control. You, the user, need do nothing but click a link, and might possibly be unaware that anything had happened.

Letting someone talk you into installing Safari also constitutes a Social Engineering exploit. So you might be right after all.

Re:misleading headline (3, Funny)

JDG1980 (2438906) | more than 2 years ago | (#38453650)

Letting someone talk you into installing Safari also constitutes a Social Engineering exploit. So you might be right after all.

Apple attempts this "exploit" every time someone installs or updates iTunes for Windows.

I had a better experience with Vista (-1)

Anonymous Coward | more than 2 years ago | (#38452656)

At least my 32-bit drivers WORKED. Now I get crashes and hard locks every day. Nvidia's crashes Firefox and Creative's kill my machine with IRQ errors. I thought I left this stuff behind with Windows 3.1 and DOS.

Re:I had a better experience with Vista (0)

Anonymous Coward | more than 2 years ago | (#38452828)

Just you, dude, just you.

Re:I had a better experience with Vista (2)

Dr_Barnowl (709838) | more than 2 years ago | (#38453434)

Did you have more than 4GB of RAM on this system before you installed 64-bit Windows? I was running with 6GB of RAM and seeing all sorts of crashes and nasties in 64-bit Linux, but nothing untoward in Windows. It turned out I had memory errors in the upper regions where 32-bit Windows could not reach.

Re:I had a better experience with Vista (0)

Anonymous Coward | more than 2 years ago | (#38453498)

Shut up and go back to Vista! And take your Betamax player and your New Coke with you!

Re:I had a better experience with Vista (1)

viperidaenz (2515578) | more than 2 years ago | (#38453628)

So it's Microsoft's fault that Nvidia and Creative wrote buggy drivers?

Does anyone read anymore? (-1, Redundant)

mwfischer (1919758) | more than 2 years ago | (#38452672)

It's a Safari bug that happens to be run on Windows.

As much as I would like to see Microsoft go down in flames, it's a Safari bug.

Re:Does anyone read anymore? (-1, Redundant)

rubycodez (864176) | more than 2 years ago | (#38452764)

Don't you read anymore? "The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory". This is Microsoft's buggy code causing the issue; the Safari problem is merely one way to cause rooting of the machine, and other software using this service will undoubtedly provide more cases.

Re:Does anyone read anymore? (3, Informative)

vux984 (928602) | more than 2 years ago | (#38452972)

This is Microsoft's buggy code causing the issue; the Safari problem is merely one way to cause rooting of the machine, and other software using this service will undoubtedly provide more cases.

a) Yes, this is a bug in Windows. No question. Windows isn't validating the input, and should just reject it or throw an exception or whatever. Crashing is not acceptable and represents a bug in Windows.

b) This is also a bug in Safari. Safari is not validating its input either. It's just blindly passing a request to create an 18 million pixel tall iframe down to the Windows API somewhere...

c) Yes, other software will likely be found. But so far only Safari is known to be in the unique position of using that API, passing it arbitrary remote content while failing to validate its input.

A bit of malicious code that explicitly does use that API actually has to get onto the local system first. Local exploits are much less serious than remote ones.

So yes, this is a Windows bug. But it is also a Safari bug. Both should be fixed.

Re:Does anyone read anymore? (2, Interesting)

0123456 (636235) | more than 2 years ago | (#38453420)

So yes, this is a Windows bug. But it is also a Safari bug. Both should be fixed.

So how does Safari know whether Windows can support an 18 million pixel high window without requesting one? If it's a valid value for the request, then an application should be able to assume that the OS will either fulfil the request or return an error, not execute arbitrary code.
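The disagreement between vux984 and 0123456 above (should the browser validate the size it requests, or should the OS simply reject an invalid request with an error?) is really about defence in depth, and the same principle appears again in the later "Windows / Safari" and "This is definitely a Microsoft problem" comments. The following C model is an added example, not code from Slashdot, Microsoft, Apple or the Secunia advisory: the limits, the 4-bytes-per-pixel surface and the names `naive_buffer_size`, `surface_create`, `clamp_frame_dimension` and `render_frame` are constructed assumptions and do not describe how win32k.sys or Safari actually work. It shows why a huge height is dangerous when a lower layer computes a buffer size carelessly, and what "validate at both layers" looks like in practice.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed limits for the example; not Windows' or Safari's real values. */
#define BYTES_PER_PIXEL        4u
#define API_MAX_DIMENSION  32767u   /* largest width/height the "API layer" accepts   */
#define PAGE_MAX_DIMENSION 16384u   /* largest value the "browser layer" will request */

enum surface_status {
    SURFACE_OK = 0,
    SURFACE_ERR_DIMENSION,  /* zero or above API_MAX_DIMENSION: rejected, not crashed */
    SURFACE_ERR_OVERFLOW,   /* width*height*bpp does not fit in size_t              */
    SURFACE_ERR_NOMEM
};

/* The bug class, in miniature: a 32-bit product silently wraps, so a
 * request for 18 million rows yields a buffer far smaller than the
 * pixel data that will later be written into it. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;   /* wraps modulo 2^32 */
}

/* Overflow-checked multiply: false if a*b would not fit in size_t. */
bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Callee side (the "API layer"): every parameter is validated and an
 * invalid request produces an error code, never memory corruption. */
enum surface_status surface_create(uint32_t width, uint32_t height, void **out)
{
    size_t pixels, bytes;
    *out = NULL;
    if (width == 0 || height == 0 ||
        width > API_MAX_DIMENSION || height > API_MAX_DIMENSION)
        return SURFACE_ERR_DIMENSION;
    if (!mul_size(width, height, &pixels) ||
        !mul_size(pixels, BYTES_PER_PIXEL, &bytes))
        return SURFACE_ERR_OVERFLOW;
    void *buf = calloc(1, bytes);
    if (buf == NULL)
        return SURFACE_ERR_NOMEM;
    *out = buf;
    return SURFACE_OK;
}

/* Caller side (the "browser layer"): an untrusted page value is clamped
 * to a sane range before it is ever handed to the lower layer. */
uint32_t clamp_frame_dimension(int64_t requested)
{
    if (requested <= 0)
        return 0;
    if (requested > (int64_t)PAGE_MAX_DIMENSION)
        return PAGE_MAX_DIMENSION;
    return (uint32_t)requested;
}

/* Both layers together: returns the API status for a page-supplied size. */
enum surface_status render_frame(int64_t page_width, int64_t page_height)
{
    uint32_t w = clamp_frame_dimension(page_width);
    uint32_t h = clamp_frame_dimension(page_height);
    void *surface = NULL;
    enum surface_status st = surface_create(w, h, &surface);
    free(surface);   /* free(NULL) is a no-op */
    return st;
}

int main(void)
{
    /* Constructed input: a 1000-pixel-wide, 18-million-pixel-tall frame. */
    printf("naive size for 1000x18000000: %u bytes (wrapped)\n",
           naive_buffer_size(1000, 18000000));
    printf("API alone rejects it: status %d\n",
           (int)render_frame(1000, 18000000) == SURFACE_OK ? 0 : 1);
    void *p = NULL;
    printf("unclamped request status: %d\n", (int)surface_create(1000, 18000000, &p));
    return 0;
}
```

The two layers are independent: `surface_create` rejects the raw 18-million-row request on its own, and `clamp_frame_dimension` would stop a careless caller from ever sending it. Either check alone closes this particular path; both together mean a bug in one layer does not become a crash or memory corruption in the other, which is the point both commenters are circling.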

I don't think I'd call this remote (4, Insightful)

sqlrob (173498) | more than 2 years ago | (#38452690)

Remote to me means "it's connected, you're vulnerable". This requires the user to take an action, getting some local data. From the description, you could have the same files on the file system and it would work.

Bad? Yeah. But not "plug it in, computer is pwned" bad.

Re:I don't think I'd call this remote (0)

Anonymous Coward | more than 2 years ago | (#38452834)

Remote to me means "it's connected, you're vulnerable". This requires the user to take an action, getting some local data. From the description, you could have the same files on the file system and it would work.

Bad? Yeah. But not "plug it in, computer is pwned" bad.

you're right, it's a local exploit... not a remote exploit

Re:I don't think I'd call this remote (1)

Anonymous Coward | more than 2 years ago | (#38453080)

Possibly remote, if said 'iFrame' was somewhere out on the Internet.

Want proof of damage? Inject this type of thing into the ad system that gets run on every search engine, and popular website out there. You'll find out really fast just how BAD it is. And YES. This sort of 'injection method' has been used before, specifically targeting Windows users.

It may be a 'small' target audience at the moment, Safari specifically on Win7 64bit, but that doesn't mean others haven't found a way to exploit it without the need for Safari.

Re:I don't think I'd call this remote (0)

Anonymous Coward | more than 2 years ago | (#38453154)

That is still a local exploit, not a remote one, just because you ran something located in a remote location doesn't make it a remote exploit.

wow (2)

cod3r_ (2031620) | more than 2 years ago | (#38452724)

just wow.. an iframe causes an attacker to get system level access.. wow again.

Seriously Safari? (0)

JTW (11913) | more than 2 years ago | (#38452842)

And the headline should be.. IF you're running Safari on Win7-64 Bit.. how many people "really" do that? Hands? Okay.. now how many run Chrome instead of IE? Hands?

I rest my case.

Silly (0)

Anonymous Coward | more than 2 years ago | (#38452930)

"on Safari"

Who the hell runs Safari on Windows? That's just as dumb as running IE on OSX.

Re:Silly (4, Insightful)

ledow (319597) | more than 2 years ago | (#38453036)

Missing the point. Point is that userland code (and the example uses Safari but what should it matter *what* program activates it - it shouldn't be possible and can probably be easily activated by any sort of direct code) creates a BSOD in Windows.

That shouldn't happen - that's the whole point of an OS.

Re:Silly (2)

lennier1 (264730) | more than 2 years ago | (#38453056)

They just didn't ask the right questions:

1) Does it affect other WebKit browsers (especially Chrome) as well?
2) If not, why should we give a shit?

Re:Silly (1)

jones_supa (887896) | more than 2 years ago | (#38453274)

1) Does it affect other WebKit browsers (especially Chrome) as well?

I am pondering this too.

Re:Silly (1)

c00rdb (945666) | more than 2 years ago | (#38453528)

They don't make IE for OSX anymore.

Really? (1, Interesting)

Nicros (531081) | more than 2 years ago | (#38453040)

For some reason I have a false sense of security now- if this is the kind of 'exploit' that gets reported and /.ed and that I need to worry about, life is good! I mean really- you have to have Win7 x64, with Safari AND then navigate to a site that serves up a bogus iframe height, AND uses the exploit to make bad on your machine. I can't imagine this affects too many people. Also, why is this a 'Windows Remote' exploit? Safari would seem to not handle the iframe exception, whereas IE, Firefox, Chrome, Opera DO? If this were a true windows exploit I would expect it to occur regardless of the browser. And what other kind of exploit (as it's defined ITA) is there besides a remote one? A local exploit, where someone turns off my machine? I read 'remote' and think RDP... which is not the case here at all.

Re:Really? (1)

jones_supa (887896) | more than 2 years ago | (#38453384)

Safari would seem to not handle the iframe exception, whereas IE, Firefox, Chrome, Opera DO? If this were a true windows exploit I would expect it to occur regardless of the browser.

Why do you think so? The browsers have different iframe code. Safari just happens to have code which in turn trips a Windows exploit. Ultimately the bug is not browser-related at all.

(Still, Safari could do a better job validating the input values, so there's kind of another bug.)

Obviously this proves that... (5, Funny)

forkfail (228161) | more than 2 years ago | (#38453066)

(check one)

[ ] Microsoft products are far less secure than Apple. Because everyone knows that Safari is completely safe always on Apple machines, and only fails on Windows.

[ ] Apple products are far less secure than Microsoft. Because obviously the hole in Microsoft security here is introduced through an Apple product, and really doesn't occur otherwise.

[ ] If people were just running Linux, they wouldn't be having these problems.

[ ] This is gonna be good. Ima gettin' my popcorn now!

Ah, the irony ... (1)

oneiros27 (46144) | more than 2 years ago | (#38453094)

It used to be that if my Mac crashed, I was in an MS program (word, powerpoint, IE back in the day) ... and now the roles have reversed.

Safari... (1)

pwolf (1016201) | more than 2 years ago | (#38453156)

Well there's the problem!

Windows / Safari (0)

Anonymous Coward | more than 2 years ago | (#38453300)

Lots of discussion over whether it's a Windows or Safari exploit/vulnerability. It allows you to exploit something Windows doesn't cater for, and make windows vulnerable. Safari shouldn't behave this way, it's a bug, but Windows should handle it and terminate the process at the extreme.

What it also means is that any process running not as Admin could get privileges, which would negate UAC, which is a Windows feature, not a Safari feature.

I'm sure the 5 users with Safari on Win 64 are worried.

This is definitely a Microsoft problem (0)

Anonymous Coward | more than 2 years ago | (#38453538)

I can't believe some people here are suggesting this is Safari's fault.
The Windows Operating System should be able to withstand faulty/malicious applications that make invalid API calls.
The kernel should be validating all API parameters, clearly it isn't here.
This is another MS Security Hole, hopefully they fix it ASAP.

FAIL (0)

Anonymous Coward | more than 2 years ago | (#38453588)

WTF would ANYONE run Safari on Windows??? If you want Safari, use a Mac... FAIL

Windows Classic not affected? (5, Interesting)

Fred Or Alive (738779) | more than 2 years ago | (#38453602)

After a bit of playing "let's intentionally crash Windows", it seems that using the Windows Classic skin fixes the bug, and the page renders fine (if a little uninteresting, it's basically a long page with a box on it). It BSODs on Windows Basic and Aero. I haven't a clue if this is a real fix, or if it's just that the magic number needed to crash the system is different with Windows Classic compared with Basic / Aero. Windows XP (32 bit) is fine as well (again page renders fine, no crashes of anything).

I personally think it's largely a Windows bug, even if Safari has a bug (that oddly only does anything on one version of Windows, and even then only with certain conditions), a programme doing something stupid should not crash the entire OS.
