A person known by the alias of w3bd3vil on twitter released an HTML snippet that will cause the 64 bit version of Windows 7 to blue screen if viewed under Safari. The underlying vulnerability is however not a flaw in Safari but rather a flaw in the Windows kernel mode device driver, win32k.sys.
The proof of concept code by w3bd3vil only triggers a system crash. However, the system crash is the result of memory corruption and there is a possibility that this flaw could be used to execute arbitrary code. In order to accomplish this, the attacker would also need to work around the Windows 7 protection like DEP and ASLR. How to bypass these protections has been shown for other exploits.
A successful code execution would be very serious in this case. Win32k.sys, as kernel mode code, runs with system privileges and an attacker would obtain full access, exceeding the privileges of the user triggering the code.
Quick summary: Watch out for more on this over the next days. This could evolve either into a local privilege escalation issue or a remote code execution as admin problem. In particular if triggered by more popular browsers (Internet Explorer, Firefox, Chrome).
https://secunia.com/advisories/47237/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The proof of concept code by w3bd3vil only triggers a system crash. However, the system crash is the result of memory corruption and there is a possibility that this flaw could be used to execute arbitrary code. In order to accomplish this, the attacker would also need to work around the Windows 7 protection like DEP and ASLR. How to bypass these protections has been shown for other exploits.
A successful code execution would be very serious in this case. Win32k.sys, as kernel mode code, runs with system privileges and an attacker would obtain full access, exceeding the privileges of the user triggering the code.
Quick summary: Watch out for more on this over the next days. This could evolve either into a local privilege escalation issue or a remote code execution as admin problem. In particular if triggered by more popular browsers (Internet Explorer, Firefox, Chrome).
https://secunia.com/advisories/47237/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.