Secunia has reported that an unpatched security vulnerability in the 64-bit version of Windows 7 may be able to be exploited to inject and execute malicious code; currently, the only known exploit causes the system to crash.

It is possible to trigger a memory error in the system file win32k.sys by accessing a crafted HTML file in Safari. webDEViL, who discovered the vulnerability, has published a proof of concept on Twitter. His demo simply consists of an IFrame with a specific height which when displayed in Safari results in a blue screen of death.

The possibility that the vulnerability can be exploited by using means other than Safari cannot be ruled out. According to webDEViL, the source of the vulnerability is the function NtGdiDrawStream. The H's associates at heise Security have been able to reproduce the problem. The 32-bit version is not affected. When and whether Microsoft will fix the vulnerability is not known.

(djwm)