Meltdown Fixes Brought Bigger Security Issues for Windows 7 Machines
When trying to fix the Meltdown processor vulnerability, Microsoft apparently introduced an even worse security bug on Windows 7 machines, a researcher has claimed. Security researcher Ulf Frisk suggests that the Windows maker's initial Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable by user-level processes.
This means that any malware on those machines, or any logged-in user, could gain admin privileges and extract or modify any information in RAM. "Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per second was not a good thing," Frisk writes. "Meet the Windows 7 Meltdown patch from January."
"It stopped Meltdown but opened up a vulnerability way worse ... It allowed any process to read the complete memory contents at gigabytes per second, oh - it was possible to write to arbitrary memory as well."
When things get worse... Meltdown patch for Windows 7 gave apps access to kernel memory
Frisk has published a proof of concept, revealing that the problem came from a single bit being accidentally set by the kernel in a CPU page table entry. This bit enables read-write user-mode access to the top-level page table itself. "Windows 7 already did the hard work of mapping in the required memory into every running process," Frisk wrote. "Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!"
In short, the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user-mode code in every process, whereas the page tables should normally be accessible only to the kernel itself.
The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.
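To make the bit-level cause concrete, the following is an added example (not code from the article or from Frisk's proof of concept) that decodes x86-64 page table entries and audits a PML4 image for exactly the condition described above: a self-referencing entry whose User/Supervisor bit is set. The PML4 images, their physical address (0x187000) and the self-reference slot (index 0x1ED, the slot Windows 7 x64 conventionally uses, assumed here) are all constructed for the demonstration; on a real system the 4 KiB table would come from a memory dump or a kernel debugger.

```python
import struct

# x86-64 page table entry bit layout (Intel SDM Vol. 3, Sec. 4.5)
PTE_PRESENT = 1 << 0
PTE_RW = 1 << 1
PTE_USER = 1 << 2            # User/Supervisor: 1 = user-mode access allowed
PTE_NX = 1 << 63
PFN_MASK = 0x000FFFFFFFFFF000  # bits 12..51 hold the physical frame address
CANONICAL_SIGN_BIT = 1 << 47


def decode_pte(entry: int) -> dict:
    """Split one 64-bit page table entry into its security-relevant fields."""
    return {
        "present": bool(entry & PTE_PRESENT),
        "writable": bool(entry & PTE_RW),
        "user": bool(entry & PTE_USER),
        "nx": bool(entry & PTE_NX),
        "pfn": entry & PFN_MASK,
    }


def find_self_ref(pml4_bytes: bytes, pml4_phys: int):
    """Return the index of the PML4 entry that points back at the PML4 itself, or None."""
    entries = struct.unpack("<512Q", pml4_bytes)
    for i, e in enumerate(entries):
        if e & PTE_PRESENT and (e & PFN_MASK) == pml4_phys:
            return i
    return None


def self_ref_va(index: int) -> int:
    """Virtual base of the page-table window created by a self-reference at PML4[index].
    PML4 index occupies VA bits 39..47; the result is sign-extended to canonical form."""
    va = index << 39
    if va & CANONICAL_SIGN_BIT:
        va |= 0xFFFF000000000000
    return va


def audit_pml4(pml4_bytes: bytes, pml4_phys: int) -> dict:
    """Flag a PML4 whose self-reference is reachable from user mode.
    Such a self-reference exposes every page table of the process to user code."""
    idx = find_self_ref(pml4_bytes, pml4_phys)
    if idx is None:
        return {"self_ref_index": None, "user_accessible": False,
                "verdict": "no self-referencing entry found"}
    flags = decode_pte(struct.unpack_from("<Q", pml4_bytes, idx * 8)[0])
    exposed = flags["user"]
    return {
        "self_ref_index": idx,
        "pte_base_va": self_ref_va(idx),
        "user_accessible": exposed,
        "writable": flags["writable"],
        "verdict": ("page tables mapped User: user-mode read/write of page tables"
                    if exposed else "self-reference is Supervisor-only (expected)"),
    }


def build_pml4(pml4_phys: int, self_ref_index: int, user_bit: bool) -> bytes:
    """Constructed 4 KiB PML4 image: one ordinary user-space entry plus the self-reference."""
    entries = [0] * 512
    entries[0] = 0x1000 | PTE_PRESENT | PTE_RW | PTE_USER   # constructed user mapping
    self_flags = PTE_PRESENT | PTE_RW | (PTE_USER if user_bit else 0)
    entries[self_ref_index] = pml4_phys | self_flags
    return struct.pack("<512Q", *entries)


PML4_PHYS = 0x187000      # constructed physical address of the table
SELF_REF_INDEX = 0x1ED    # assumed: Windows 7 x64 self-reference slot

GOOD_PML4 = build_pml4(PML4_PHYS, SELF_REF_INDEX, user_bit=False)  # expected state
BAD_PML4 = build_pml4(PML4_PHYS, SELF_REF_INDEX, user_bit=True)    # January-patch state

if __name__ == "__main__":
    for name, image in (("expected", GOOD_PML4), ("mis-set U/S bit", BAD_PML4)):
        result = audit_pml4(image, PML4_PHYS)
        print(f"{name}: index=0x{result['self_ref_index']:X} "
              f"pte_base=0x{result['pte_base_va']:X} -> {result['verdict']}")
```

The check only needs the raw table and its physical address; the self-reference is identified by content (an entry whose frame equals the table's own address) rather than by a hard-coded slot, so the same audit works for tables whose self-reference sits elsewhere.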
The problem arrived with Microsoft's Meltdown patch (CVE-2017-5754) released in the January Patch Tuesday that accidentally flipped a bit that controls the access permission for kernel memory. The problem was fixed without any fanfare in this month's Patch Tuesday updates. "If your system isn't patched since December 2017 or if it's patched with the 2018-03 patches or later it will be secure," Frisk added.
Windows 8 and Windows 10 were not affected by this issue. Those on Windows 7 are advised to install the March 13 security updates as soon as possible to fix the issue.
When we asked Microsoft for confirmation, the company said it is aware of the report and is "looking into it."