Windows 7 Meltdown patch makes PCs even more vulnerable to threats

2 minute read

A few weeks ago, Microsoft quickly rolled out a patch to fix the Spectre and Meltdown security vulnerabilities lingering in Windows 7. Unfortunately, things didn’t end up as planned because the company’s Meltdown patch actually triggered even more security issues.

The patch brought more flaws on Windows 7, allowing all user-level apps to read content from the Windows kernel. More than that, the patch even enables the writing of data to the kernel memory. Here’s what you need to know about all this.

Here’s what the Meltdown patch triggered in Windows 7

Ulf Frisk, the Swedish expert in IT security, discovered the hole that this latest Microsoft patch triggers. He did so while working on PCILeech which is a device that he made a few years ago and that carries out Direct Memory Access (DMA) attacks and also dumps protected OS memory.

According to this expert, Microsoft’s Meltdown patch for CVE-2-17-5754 managed to cause a flaw in the bit that controls the kernel memory’s access permission by accident. Frisk opened his blog post by writing:

Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.

No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!

Frisk continued and explained that the “User/Supervisor permission bit was set in the PML4 self-referencing entry,” and this triggered the availability of page tables to user mode code in all processes.

These page tables should only be accessible via the kernel under normal conditions. The PML4 is used by the CPU Memory Management Unit in order to translate the virtual addresses of processes into physical memory addresses in RAM.

Microsoft patches the issue with March 2018 Patch Tuesday release

According to the Swedish expert, the problem seems to have only affected 64-bit versions of Windows 7 and Windows Server 2008 R2. Microsoft fixed the flaw by flipping the PML4 permission back to the original value in the March’s Patch Tuesday. It seems that Windows 8.1 or Windows 10 computers are not affected by this issue.


Next up

KB4343909 bugs: Install fails, VPN won’t connect and more

By: Madeleine Dean
3 minute read

The latest Windows 10 v1803 cumulative update, KB4343909, brings a series of useful fixes and improvements that will make the OS more stable. Unfortunately, installing KB4343909 […]

Continue Reading

KB4343909 fixes DLL and high CPU issues on Windows 10 v1803

By: Madeleine Dean
2 minute read

The Windows 10 April Creators Update recently received a new cumulative update on August Patch Tuesday: KB4343909. This patch focuses on quality improvements only and doesn’t […]

Continue Reading

Here’s how Intel’s 9th Gen CPUs will improve Windows PC

By: Daniel Segun
2 minute read

A couple of months ago, we informed you about the 8th-Gen Core i5, i7 and i9 CPUs focused on gaming. But right now, it seems […]

Continue Reading