Microsoft’s Windows 7 Meltdown patch created ‘worse’ flaw

Microsoft’s updates for the Meltdown microprocessor mega-flaw inadvertently left users running Windows 7 64-bit systems open to a “way worse” flaw, a researcher has claimed.

To recap, Meltdown (aka F**CKWIT or CVE-2017-5754) is a proof-of-concept hardware vulnerability uncovered almost simultaneously by several groups of researchers through which an attacker could access the contents of kernel memory (passwords, encryption keys, say) from the part used by ordinary applications.

An extremely inviting target for any attacker, which is why Microsoft sprang into action to mitigate the vulnerability (in addition to BIOS updates from vendors) across different Windows versions in two rounds of updates in January and February.

But according to Ulf Frisk, something went awry starting with the January update when applied to Windows 7 and Windows Server 2008 R2, which miss-set controlling permissions for something called the Page Map Level 4 (PML4).

This is a table used by Intel microprocessors to “translate the virtual addresses of a process into physical memory addresses in RAM.”

Set correctly, only the kernel should be able to access this table. The result of the issue is that an attacker aware of the flaw would have the ability to break out of the application space and take over a system.

All this from a simple software mistake:

No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!

How should Windows users react?

According to Frisk, Microsoft’s March update patched the problem, so if you are up to date then the newly-introduced PML4 bug has now been removed.

Only Windows 7 x64 systems that received the January and/or February updates were affected:

Other Windows versions – such as Windows 10 or 8.1 are completely secure with regards to this issue and have never been affected by it.

It’s not often that a security update makes a system more vulnerable than it was before its application, but that appears to be the bottom line with this one.

First came the mitigation for the flaw, which created a new and separate flaw, which required a new fix to patch the fix.

This brings home how difficult it can be to either mitigate or fully patch security flaws that have their origin in the way hardware was designed anything up to two decades ago.

These flaws exist at such a low level that even a small mistake can open another vulnerability.

Not to mention that emboldened researchers are now poking around at this level looking for new vulnerabilities and oversights, resulting in a trickle of new proof-of-concepts with a side channel theme.

Pushing mitigations and patches that don’t slow down microprocessors or create new problems while fending off inquisitive researchers is putting Microsoft, Intel and other big vendors outside their comfort zone.

Baffled users look on and wonder what it all means.  As far as 2018 is concerned, the answer is most likely a lot more work and unpredictability.

For a definitive explanation of these vulnerabilities and why they matter, read our take on Meltdown and Spectre.

And make sure to apply the latest patches from Microsoft – like we always say, Patch Early, Patch Often.