agsandrew - Fotolia
Windows Meltdown patches open up more severe issue
A security researcher discovered the recent Windows Meltdown patches may fix the Intel flaws, but also introduced a more severe vulnerability in some versions of Windows.
Microsoft may have remediated one vulnerability with its Windows Meltdown patches, but a security researcher said the fixes created a new, more dangerous flaw for some.
According to Ulf Frisk, a security researcher based in Sweden, the patches Microsoft released for Windows 7 x64 and Windows Server 2008 in January and February 2018 were successful in protecting against Meltdown but "opened up a vulnerability way worse" that could allow "any process to read the complete memory contents at gigabytes per second ... [and] write to arbitrary memory as well."
"The User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself," Frisk wrote in a blog post. "Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical
Frisk developed a tool to test if a system is vulnerable, but noted that only systems running the patches from January or February will be at risk. "If your system isn't patched since December 2017 or if it's patched with the 2018-03 patches or later it will be secure," he wrote.
A Microsoft spokesperson said, "We released a security update for Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64). Customers who apply the updates, or have automatic updates enabled, are protected."
Mark Nunnikhoven, vice president of cloud research at Trend Micro, said it was important to note that the Windows Meltdown patches didn't create a vulnerability to read the memory, but rather introduced "a misconfiguration that exposes memory unintentionally.
Mark Nunnikhovenvice president of cloud research, Trend Micro
Experts react to Windows Meltdown patches
Tod Beardsley, research director at Rapid7, said Frisk's research is solid but added that the risk might be lessened since "the exposure only lasted a couple months in almost all scenarios."
"It would be unusual for Windows systems to get the January or February patches, but not yet have the March patches by now, since most enterprises that apply patches also tend to apply them automatically," Beardsley told SearchSecurity. "However, if your enterprise fast-tracked Spectre and Meltdown patches back in January but hasn't updated since, then now is a fine time to update -- the exposure introduced in these patches are indeed worse than the original exposures. The same rationale for emergency patching in January certainly applies to this issue as well.
"The first patches that came out introduced not only a performance hit but also unwanted behavior such as system reboots, so much so that Intel even advised its customers to wait for a stable patch," Segura told SearchSecurity. "This gives us an idea of the