Microsoft's January and February security fixes for Intel's Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.
This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple's FileVault disk encryption system.
We're told Redmond's early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system's memory map, gain administrator-level privileges, and extract and modify any information in RAM.
The Meltdown chip-level bug allows malicious software, or unscrupulous logged-in users, on a modern Intel-powered machine to read passwords, personal information, and other secrets from protected kernel memory. But the security fixes from Microsoft for the bug, on Windows 7 and Server 2008 R2, issued in January and February, ended up granting normal programs read and write access to all of physical memory.
Sunk by its own hand
According to Frisk, who backed up his claim with a detailed breakdown and a proof-of-concept exploit, the problem boils down to a single bit accidentally set by the kernel in a CPU page table entry: the user/supervisor bit. Setting it enabled read-write user-mode access to the top-level page table itself.
On Windows 7 and Server 2008 R2 that top-level table, the PML4, is at a fixed address, so it can always be found and modified by exploit code. With that permission bit flipped from supervisor-only to user-accessible, every process could modify the table, and thus map in and write to memory addresses it is not supposed to reach.
Think of these tables as a telephone directory for the CPU, letting it know where memory is located and what can access it. Microsoft's programmers accidentally left the top-level table marked completely open for user-mode programs to alter, allowing them to rewrite the computer's directory of memory mappings.
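To make the "single bit" concrete, here is an added example (not Frisk's proof-of-concept and not Microsoft code) that decodes the permission bits of an x86-64 paging entry and audits a PML4 for the condition described above: a present entry that maps the top-level table onto itself while carrying the user/supervisor bit. The sample entries, the physical address 0x1AD000 and the self-reference slot 0x1ED are constructed for illustration; the rule that kernel-half slots (256 and up) should never be user-accessible is the example's own assumption, not a statement from the article.

```python
"""Decode x86-64 page-table entries and audit a PML4 for user-accessible
paging structures.  Illustrative only: the entries below are constructed."""

PTE_PRESENT   = 1 << 0   # P   : entry is valid
PTE_WRITABLE  = 1 << 1   # R/W : 1 = read/write, 0 = read-only
PTE_USER      = 1 << 2   # U/S : 1 = user-mode access permitted, 0 = supervisor only
PTE_PAGE_SIZE = 1 << 7   # PS  : maps a large page (PDPTE/PDE only)
PTE_NX        = 1 << 63  # XD  : execute-disable
PTE_ADDR_MASK = ((1 << 52) - 1) & ~0xFFF   # bits 12..51 hold the physical frame

KERNEL_HALF_START = 256  # PML4 slots 256..511 cover the upper (kernel) half


def decode_entry(raw: int) -> dict:
    """Split a 64-bit paging entry into its permission bits and frame address."""
    return {
        "present": bool(raw & PTE_PRESENT),
        "writable": bool(raw & PTE_WRITABLE),
        "user": bool(raw & PTE_USER),
        "large_page": bool(raw & PTE_PAGE_SIZE),
        "nx": bool(raw & PTE_NX),
        "phys": raw & PTE_ADDR_MASK,
    }


def audit_pml4(entries: dict, pml4_phys: int) -> list:
    """Flag PML4 entries that expose paging structures to user mode.

    entries   : {slot index: raw 64-bit entry} for the present slots
    pml4_phys : physical address of the PML4 page itself
    Returns a list of (slot, reason) pairs; an empty list means no finding.
    """
    findings = []
    for slot, raw in sorted(entries.items()):
        e = decode_entry(raw)
        if not e["present"]:
            continue
        if e["phys"] == pml4_phys and e["user"]:
            # The slot that maps the PML4 onto itself (the self-reference) with
            # U/S set is the condition the article describes: the top-level
            # table readable and, with R/W also set, writable from user mode.
            mode = "read/write" if e["writable"] else "read-only"
            findings.append((slot, f"self-referencing entry is user-accessible ({mode})"))
        elif slot >= KERNEL_HALF_START and e["user"]:
            # Assumption of this example: kernel-half slots are supervisor-only.
            findings.append((slot, "kernel-half entry has U/S set"))
    return findings


# Constructed sample (not real Windows 7 values).  The PML4 lives at frame
# 0x1AD000 and slot 0x1ED maps it onto itself.
PML4_PHYS = 0x1AD000
HEALTHY_PML4 = {
    0x000: 0x1AE000 | PTE_PRESENT | PTE_WRITABLE | PTE_USER,  # user-space mapping
    0x1ED: 0x1AD000 | PTE_PRESENT | PTE_WRITABLE,             # self-ref, supervisor-only
    0x1F0: 0x1AF000 | PTE_PRESENT | PTE_WRITABLE | PTE_NX,    # kernel data
}
# The same table with the one bit the article describes flipped on the self-ref slot.
FLAWED_PML4 = {**HEALTHY_PML4, 0x1ED: HEALTHY_PML4[0x1ED] | PTE_USER}


if __name__ == "__main__":
    for name, table in (("healthy", HEALTHY_PML4), ("flawed", FLAWED_PML4)):
        print(name, audit_pml4(table, PML4_PHYS) or "no findings")
```

Run as-is it reports nothing for the healthy table and one finding for the flawed one, which differs from it by exactly one bit in one entry. The audit looks only at the raw entry values, so on a real system it would be fed by a kernel-mode or forensic memory reader; the point of the example is that the defect is visible in the paging structures themselves and can be checked for, rather than inferred from behaviour.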
Further proof-of-concept code can be found here.
"Windows 7 already did the hard work of mapping in the required memory into every running process," Frisk explained. "Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!"
Windows 8.x and Windows 10 aren't affected. The March 13 Patch Tuesday updates contain a fix that addresses this permission bit cockup for affected versions, we're told.
Microsoft did not respond to a request for comment on the matter.
In short, patch your Windows 7 and Server 2008 R2 machines with the latest security updates to protect against this OS flaw; otherwise any process or user can tamper with and steal data from physical RAM, and give themselves admin-level control. Or don't apply any of the Meltdown fixes and allow programs to read from kernel memory.
Networking not working
Fingers crossed your system isn't among those that will suffer networking woes caused by the March security patches. Microsoft's security updates this month broke static IP address and vNIC settings on select installations, knocking unlucky virtual machines, servers, and clients offline.
For example, with patch set KB4088878 for Windows 7 and Server 2008 R2, Redmond admitted:
A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused. Microsoft is working on a resolution and will provide an update in an upcoming release.
Static IP address settings are lost after you apply this update. Microsoft is working on a resolution and will provide an update in an upcoming release.
Prevent data theft, or have working networking. Tough choice. ®
Updated to add
Those March updates may not have been enough. Grab this out-of-band patch for Windows 7 and Server 2008 R2.