Apple Safari used to exploit zero-day security hole in Windows 7

Vulnerability lets hackers inject malicious code on victim PCs through overly large Web page iFrames

Security company Secunia today announced a highly critical zero-day vulnerability affecting Windows 7, exploitable via Apple's Safari browser, of all things. Secunia confirmed that the vulnerability affects fully patched Windows 7 Professional 64-bit and cautioned that other versions may be affected.

The remotely exploitable vulnerability, caused by an error in win32k.sys, enables a hacker to run arbitrary code -- such as malware -- on a victim's machine when he or she visits a specially crafted Web page using Safari. Specifically, the Web page would simply need to contain an iFrame -- an HTML element that is typically used to pull content from other sources onto a Web page -- with an overly large "height" attribute.

The vulnerability was first made public via Twitter user "w3bd3vil," who tweeted on Sunday, "<iframe height='18082563'></iframe> causes a BSoD [blue screen of death] on win 7 x64 via Safari. Lol!"
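As a defender, one practical response to a trigger this simple is to screen HTML at a proxy or mail gateway for iframes whose dimensions are far beyond anything a real layout needs. The following Python script is an added example for this article, not code from Secunia, Kaspersky or the original author; the 32767 threshold and the two sample documents are assumptions constructed for illustration.

```python
"""Flag HTML documents that embed an iframe or frame with an implausibly
large height or width attribute.  Added example: threshold and samples are
assumptions, not values taken from the article or from any vendor advisory."""
from html.parser import HTMLParser
import re

# Assumed sanity limit: ordinary page layouts never need tens of thousands
# of pixels in one dimension, so anything above this is worth a closer look.
MAX_SANE_DIMENSION = 32767

# Accept bare integers and integers with a px suffix; anything else
# (percentages, "auto", garbage) is treated as not-a-pixel-value.
_PIXELS = re.compile(r"^\s*([0-9]+)\s*(px)?\s*$", re.IGNORECASE)


def parse_dimension(value):
    """Return an int pixel count, or None when the attribute is not numeric."""
    if value is None:
        return None
    m = _PIXELS.match(value)
    return int(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collect (line, attribute, value) for every oversized frame dimension."""

    def __init__(self, limit=MAX_SANE_DIMENSION):
        super().__init__()
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in ("iframe", "frame"):
            return
        line, _offset = self.getpos()  # position of the tag's opening '<'
        for name, value in attrs:
            if name.lower() in ("height", "width"):
                pixels = parse_dimension(value)
                if pixels is not None and pixels > self.limit:
                    self.findings.append((line, name.lower(), pixels))


def audit_html(document, limit=MAX_SANE_DIMENSION):
    """Parse an HTML string and return the list of oversized-frame findings."""
    auditor = IframeAuditor(limit)
    auditor.feed(document)
    auditor.close()
    return auditor.findings


# Constructed sample documents (not real captures).
BENIGN_PAGE = (
    '<html><body><iframe src="https://example.invalid/" '
    'height="600" width="800"></iframe></body></html>'
)
SUSPECT_PAGE = (
    '<html><body>\n'
    '<p>hello</p>\n'
    '<iframe height="18082563"></iframe>\n'
    '</body></html>'
)

if __name__ == "__main__":
    print("benign :", audit_html(BENIGN_PAGE))    # []
    print("suspect:", audit_html(SUSPECT_PAGE))   # [(3, 'height', 18082563)]
```

The scan only inspects the HTML attributes the article describes; a dimension set through a `style` attribute or a stylesheet is not parsed here, so this is a cheap first-pass filter rather than a complete control, and the real fix is the vendor patch.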

If there's a silver lining, it's that most Windows users don't use Safari for Web browsing. It has a 5 percent market share among all browsers on Windows desktops, according to NetMarketshare. For comparison, Opera has 1.55 percent, Chrome has 18 percent, Firefox has 22 percent, and Internet Explorer has 56 percent.

However, as noted by Kaspersky Labs' blog, it's possible that other browsers could be used to exploit the vulnerability.

This story, "Apple Safari used to exploit zero-day security hole in Windows 7," was originally published at InfoWorld.com.