Meltdown Patch Opened Bigger Security Hole on Windows 7
Microsoft’s Meltdown patch has opened an even bigger security hole on Windows 7, allowing any user-level application to read content from the operating system’s kernel, and even write data to kernel memory.
Swedish IT security expert Ulf Frisk made the discovery earlier this month while working on PCILeech, a device he created a few years back for carrying out Direct Memory Access (DMA) attacks and dumping protected OS memory.
Frisk says that Microsoft’s Meltdown patch (for CVE-2017-5754) —released in the January 2018 Patch Tuesday— accidentally flipped a bit that controls the access permission for kernel memory. Frisk explains:
In short – the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself.
The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.
This issue affected only 64-bit versions of Windows 7 and Windows Server 2008 R2, Frisk said. We say affected because Microsoft patched the bug by flipping the PML4 permission bit back to its original value in this month’s Patch Tuesday.
Windows 7 and Server 2008 R2 users should make sure they installed both the January 2018 and March 2018 Patch Tuesday releases.
Windows 10 or 8.1 systems were never affected or put at risk. Physical access is required to exploit the bug Frisk found (and described on his blog, here).