Windows 7 Meltdown patch makes PCs even more vulnerable to threats

by Radu Tyrsina

A few weeks ago, Microsoft quickly rolled out a patch to fix the Spectre and Meltdown security vulnerabilities lingering in Windows 7. Unfortunately, things didn’t end up as planned because the company’s Meltdown patch actually triggered even more security issues.

The patch introduced further flaws in Windows 7, allowing all user-level apps to read content from the Windows kernel. Worse, the patch even made it possible to write data to kernel memory. Here’s what you need to know about all this.

Here’s what the Meltdown patch triggered in Windows 7

Ulf Frisk, a Swedish IT security expert, discovered the hole that this latest Microsoft patch opened. He did so while working on PCILeech, a device that he made a few years ago that carries out Direct Memory Access (DMA) attacks and dumps protected OS memory.

According to Frisk, Microsoft’s Meltdown patch for CVE-2017-5754 accidentally introduced a flaw in the bit that controls access permission for kernel memory. Frisk opened his blog post by writing:

Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.

No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!

Frisk continued and explained that the “User/Supervisor permission bit was set in the PML4 self-referencing entry,” and this triggered the availability of page tables to user mode code in all processes.

These page tables should only be accessible via the kernel under normal conditions. The PML4 is used by the CPU Memory Management Unit in order to translate the virtual addresses of processes into physical memory addresses in RAM.
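The effect of that single bit can be seen in a small simulation of a four-level page walk, added here as an illustration (it is not code from Frisk or from Microsoft). The slot index and physical address are constructed values, and the walk is simplified to the Present and User/Supervisor checks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PTE_P    (1ULL << 0)            /* Present */
#define PTE_RW   (1ULL << 1)            /* Writable */
#define PTE_US   (1ULL << 2)            /* User/Supervisor: 1 = user mode allowed */
#define PTE_ADDR 0x000FFFFFFFFFF000ULL  /* physical frame, bits 12..51 */

#define SELF_IDX  0x100ULL   /* constructed slot index, not the Windows value */
#define PML4_PHYS 0x1000ULL  /* constructed physical address of the PML4 */

static uint64_t phys[2][512];           /* simulated RAM: two 4 KiB table pages */

/* Simplified 4-level walk. Returns true when a user-mode access to va is
 * permitted (P and U/S set at every level); *frame gets the page reached. */
static bool user_walk(uint64_t cr3, uint64_t va, uint64_t *frame)
{
    uint64_t table = cr3 & PTE_ADDR;
    bool user_ok = true;
    for (int shift = 39; shift >= 12; shift -= 9) {
        uint64_t entry = phys[table >> 12][(va >> shift) & 0x1FF];
        if (!(entry & PTE_P))
            return false;
        user_ok = user_ok && (entry & PTE_US) != 0;
        table = entry & PTE_ADDR;
    }
    *frame = table;
    return user_ok;
}

/* Build a PML4 whose only entry is the self-reference, then ask whether user
 * mode can reach the PML4 page itself through that entry. */
static bool pml4_exposed_to_user(bool us_bit_set, uint64_t *frame)
{
    memset(phys, 0, sizeof phys);
    phys[PML4_PHYS >> 12][SELF_IDX] =
        PML4_PHYS | PTE_P | PTE_RW | (us_bit_set ? PTE_US : 0);
    /* An address whose four table indices all select the self-reference. */
    uint64_t va = (SELF_IDX << 39) | (SELF_IDX << 30) |
                  (SELF_IDX << 21) | (SELF_IDX << 12);
    return user_walk(PML4_PHYS, va, frame);
}

int main(void)
{
    uint64_t frame = 0;
    bool supervisor_only = pml4_exposed_to_user(false, &frame);
    bool user_bit_set = pml4_exposed_to_user(true, &frame);
    return (!supervisor_only && user_bit_set && frame == PML4_PHYS) ? 0 : 1;
}
```

In both runs the walk lands on the PML4 page itself; only the User/Supervisor bit in the self-referencing entry decides whether user mode is allowed to touch it.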

Microsoft patches the issue with March 2018 Patch Tuesday release

According to the Swedish expert, the problem seems to have only affected 64-bit versions of Windows 7 and Windows Server 2008 R2. Microsoft fixed the flaw by flipping the PML4 permission back to the original value in March’s Patch Tuesday release. It seems that Windows 8.1 and Windows 10 computers are not affected by this issue.