Microsoft confirms Windows vulnerability
Microsoft has posted on its German-language Chief Security Advisor Blog about the Windows vulnerability reported last Tuesday. The post states that the company was able to reproduce a situation in which a specially crafted HTML page could cause a blue screen when opened with Safari on a 64-bit system.
However, "at this time, our colleagues in the US do not believe that the vulnerability is capable of infecting Windows systems with malware", so the company will "most likely not publish a security advisory for this vulnerability" – but since the investigation has not yet been concluded, a final decision has yet to be reached. Microsoft has not been able to reproduce the bug on 32-bit systems, which corresponds to the observations of The H's associates at heise Security. According to the blog entry, Microsoft is working with Apple to find out more about the context which leads to the crash.
The memory error occurs in the Windows system file win32k.sys, which means that it could possibly also be triggered without Safari – and maybe even on 32-bit systems. Although the vulnerability lies not in the browser but in this Windows component, the relevant function is frequently called by browsers. For this reason, Microsoft considers that Internet Explorer versions prior to 9 could be affected by this problem and recommends that individuals and business users upgrade to the latest version.
Security firm Secunia rated the vulnerability as "highly critical", since it could lead to the injection and execution of malicious code. There is as yet no exploit and the Microsoft posting states that the company considers any wide-ranging exploitation of this vulnerability to be unlikely.
It is not yet certain who will turn out to be right. There have been cases in the past where Microsoft stated that a vulnerability could not be used to inject malicious code – and then had to retract its statement and provide a patch once an exploit had been published. The only certainty at the moment is that both black hats and white hats are currently working on developing a compatible exploit.