To make this delicious poison dish, simply take a large dollop of Windows 7 Professional, mix it with a portion of Safari and add a dash of special iFrame sauce and voila! instant Blue Screen of Death. The flaw is triggered by running Apple's Safari web browser on a fully patched 64-bit Windows 7 Professional, then feeding it a web page containing a simple iFrame with an overly long height attribute, like this: < iframe height='18082563'></iframe> (remove the space after the first angle bracket) Result: Windows 7 falls over instantly with a memory corruption error. Ouch. Interestingly, it seems that 32-bit Windows 7 doesn't suffer from this vulnerability and neither does XP SP3 32-bit, although this is by no means certain at this point. The flaw appears to be in the win32k.sys kernel-mode driver, which is a common source of critical Windows vulnerabilities. It was first reported by Twitter user webDEViL (@w3bd3vil) and being a zero day vulnerability, there's currently no fix or workaround for it. However, the worst part about this critical vulnerability, is that Safari runs 100% in User Mode, which is effectively a type of sandbox, preventing an application from bringing down Windows, regardless of what it does. There's obviously a little loophole here though.To prevent a malicious web page from taking out Windows 7 at the moment, inspection of every web page before being rendered by the browser would have to be performed by installed security software, which would tend to reduce browsing performance and increase CPU usage. Alternatively, just don't use Safari.

Respected security outfit Secunia has looked at this vulnerability and believe that the crash could be used to execute malicious code, rather than just kill the operating system. They have issued advisory SA47237 about this problem:

Description

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user's system.

The vulnerability is caused due to a flaw in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser.

Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.

The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit. Other versions may also be affected.

Solution
No effective solution is currently available.

Provided and/or discovered by
webDEViL

Original Advisory
twitter.com/#!/w3bd3vil/status/148454992989261824

Additionally, Secunia's chief security specialist Carsten Eiram, expanded on this problem:

Based on our testing the impact could be more severe due to the type of crash and nature of the vulnerability i.e. crashing when attempting to write to invalid memory in a call to memmove(). Based on this we do consider remote code execution a possibility though it has not been proven at this time.

Other 64-bit versions could be affected. During testing we observed no crashes on Windows XP SP3 32-bit nor Windows 7 32-bit, but cannot completely rule out that these could be affected via different approaches.

As can be expected, this rather embarrassing zero day security flaw is being urgently looked into by Microsoft: "We are currently examining the issue and will take appropriate action to help ensure customers are protected" said Jerry Bryant, Group Manager, Response Communications Microsoft Trustworthy Computing. Of course, one must ask why is it only Safari that does this, so Apple should be equally concerned to fix their browser.

Below is an 11 second video demonstration of the flaw: