Back in January, Microsoft attempted to smooth over Intel’s buggy Meltdown fixes by issuing a patch of its own. Unfortunately, it seems that the Windows-maker has also dropped the ball on its patch, causing an even greater security hole in the process.
It was obvious from the reveal of Spectre and Meltdown’s scale that Intel would need help fixing and distributing its own patches to solve the many security flaws embedded into its processors. The efforts from Microsoft have been impeccable across this period, helping Intel distribute its own fixes and implementing a bug bounty program to help mop up potential remaining flaws that have yet to be discovered.
Security researcher Ulf Frisk, however, has come across a problem with Microsoft’s initial patch intended to fix both 64-bit Windows 7 and Server 2008 R2 systems. While it did dampen the issues caused by Meltdown, it simultaneously opened up a vulnerability that Frisk describes as “way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.”
“No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process,” continues Frisk. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!”
This was made possible because the patch set the User/Supervisor permission bit to User in the PML4 self-referencing entry, so the page tables themselves became readable and writable from user mode. “The page tables should normally only be accessible by the kernel itself,” says Frisk.
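To make the mechanism concrete from a defender's side, here is an added example (not from the article, and not Frisk's or Microsoft's code) that audits a copy of an x86-64 PML4 page: it locates the self-referencing entry (the slot whose physical-address field points back at the PML4 page itself) and reports whether its User/Supervisor bit is set to User, which is the misconfiguration the article describes. The bit positions (Present = bit 0, R/W = bit 1, U/S = bit 2, physical address in bits 12..51) are the architectural PML4E layout; the physical address, the slot index 493 and the two other mappings are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Architectural x86-64 page-table entry bits used here. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_US        (1ULL << 2)   /* 1 = User may access, 0 = Supervisor only */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL
#define PML4_ENTRIES  512

enum selfref_status {
    SELFREF_NONE = 0,             /* no self-referencing entry found */
    SELFREF_SUPERVISOR = 1,       /* self-ref entry is kernel-only: expected state */
    SELFREF_USER_ACCESSIBLE = 2   /* self-ref entry is User-accessible: the bug described above */
};

/* Return the index of the PML4 entry whose address field points back at the
 * PML4 page itself, or -1 if there is none. */
int find_selfref_index(const uint64_t *pml4, uint64_t pml4_phys)
{
    for (int i = 0; i < PML4_ENTRIES; i++) {
        uint64_t e = pml4[i];
        if ((e & PTE_PRESENT) && (e & PTE_ADDR_MASK) == (pml4_phys & PTE_ADDR_MASK))
            return i;
    }
    return -1;
}

/* Classify the U/S bit of the self-referencing entry. */
enum selfref_status audit_selfref(const uint64_t *pml4, uint64_t pml4_phys)
{
    int idx = find_selfref_index(pml4, pml4_phys);
    if (idx < 0)
        return SELFREF_NONE;
    return (pml4[idx] & PTE_US) ? SELFREF_USER_ACCESSIBLE : SELFREF_SUPERVISOR;
}

/* Build a constructed PML4 image: one user mapping, one kernel mapping and a
 * self-referencing entry at selfref_idx whose U/S bit is chosen by the caller. */
void build_sample_pml4(uint64_t *pml4, uint64_t pml4_phys, int selfref_idx, bool user_bit)
{
    memset(pml4, 0, PML4_ENTRIES * sizeof(uint64_t));
    pml4[0]   = 0x1000ULL | PTE_PRESENT | PTE_RW | PTE_US;  /* constructed user-space mapping */
    pml4[256] = 0x2000ULL | PTE_PRESENT | PTE_RW;           /* constructed kernel-only mapping */
    pml4[selfref_idx] = (pml4_phys & PTE_ADDR_MASK) | PTE_PRESENT | PTE_RW
                      | (user_bit ? PTE_US : 0);
}

static const char *status_name(enum selfref_status s)
{
    switch (s) {
    case SELFREF_SUPERVISOR:      return "OK: self-ref entry is supervisor-only";
    case SELFREF_USER_ACCESSIBLE: return "VULNERABLE: self-ref entry is user-accessible";
    default:                      return "no self-referencing entry found";
    }
}

int main(void)
{
    uint64_t pml4[PML4_ENTRIES];
    const uint64_t pml4_phys = 0x1AB000ULL;  /* constructed physical address of the PML4 page */

    build_sample_pml4(pml4, pml4_phys, 493, false);   /* correct configuration */
    printf("unpatched-style table: %s\n", status_name(audit_selfref(pml4, pml4_phys)));

    build_sample_pml4(pml4, pml4_phys, 493, true);    /* the faulty patch's configuration */
    printf("faulty-patch table:    %s\n", status_name(audit_selfref(pml4, pml4_phys)));
    return 0;
}
```

The audit only inspects a snapshot of the table; obtaining that snapshot requires kernel-level access (a debugger or forensic memory image), which is exactly the privilege boundary the U/S bit is supposed to enforce for the live page tables.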
Luckily, this isn’t a widespread issue, affecting just 64-bit Windows 7 and Server 2008 R2 machines. Users on Windows 8.1 or 10 needn’t worry about the issue. Microsoft has yet to comment on the issue, meaning there is no timeframe on a fix.
KitGuru Says: I can’t claim to know how difficult it must be to fix an issue by sifting through thousands upon thousands of lines of code, but it is shocking how such issues can go unaddressed since January. And with it only affecting aging systems, it is uncertain as to what Microsoft’s response is going to be.