Microsoft’s Meltdown patch has opened an even bigger security hole on Windows 7, allowing any user-level application to read content from the operating system’s kernel, and even write data to kernel memory.
Swedish IT security expert Ulf Frisk made the discovery earlier this month while working on PCILeech, a device he created a few years back for carrying out Direct Memory Access (DMA) attacks and dumping protected OS memory.
Meltdown patch gave user-level apps access to kernel memory
Frisk says that Microsoft’s Meltdown patch (for CVE-2017-5754), released in the January 2018 Patch Tuesday, accidentally flipped a bit that controls the access permission for kernel memory. Frisk explains:
The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.
Issue silently patched in March Patch Tuesday
This issue affected only 64-bit versions of Windows 7 and Windows Server 2008 R2, Frisk said. We say affected because Microsoft patched the bug by flipping the PML4 permission bit back to its original value in this month’s Patch Tuesday.
Windows 10 and 8.1 systems were never affected or put at risk. Physical access is required to exploit the bug Frisk found (and described on his blog).
Page Table PML4 self-referential entry mapped straight into user mode at: 0xfffff6fb7dbed000. Code to test this vulnerability is included in the latest PCILeech release https://t.co/KuTVVzZc5j
— Ulf Frisk (@UlfFrisk) March 27, 2018
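The 4-level page-table walk described above and the self-map address quoted in Frisk's tweet can be checked arithmetically. The Python below is an added example, not code from the article or from PCILeech: it splits an x86-64 virtual address into its PML4/PDPT/PD/PT indices, rebuilds the PML4 self-map address from a self-reference index (the index 0x1ED used here is derived from the tweet's address, not taken from any other source), and models how the CPU combines the User/Supervisor bit across the walk. The page-table entry values in the demonstration are constructed, not dumped from a real system.

```python
# Added example (not from the article or PCILeech): model the x86-64 4-level
# page-table walk and the "self-referential" PML4 entry through which Windows
# maps its own page tables into virtual memory.

PML4_SHIFT, PDPT_SHIFT, PD_SHIFT, PT_SHIFT = 39, 30, 21, 12
INDEX_MASK = 0x1FF      # each level indexes 512 entries (9 bits)
OFFSET_MASK = 0xFFF     # byte offset inside a 4 KiB page
ENTRY_SIZE = 8          # bytes per page-table entry
US_BIT = 1 << 2         # bit 2 of an entry: 1 = user-mode access allowed


def split_va(va):
    """Break a 64-bit virtual address into the four table indices and page offset."""
    return {
        "pml4": (va >> PML4_SHIFT) & INDEX_MASK,
        "pdpt": (va >> PDPT_SHIFT) & INDEX_MASK,
        "pd": (va >> PD_SHIFT) & INDEX_MASK,
        "pt": (va >> PT_SHIFT) & INDEX_MASK,
        "offset": va & OFFSET_MASK,
    }


def canonical(va48):
    """Sign-extend bit 47 so a 48-bit address becomes a canonical 64-bit one."""
    return va48 | (0xFFFF << 48) if va48 & (1 << 47) else va48


def pml4_self_map_va(self_ref_index):
    """VA at which the PML4 page itself is visible when PML4 entry
    `self_ref_index` points back at the PML4 page: all four indices equal it."""
    shifts = (PML4_SHIFT, PDPT_SHIFT, PD_SHIFT, PT_SHIFT)
    return canonical(sum(self_ref_index << s for s in shifts))


def self_ref_index_from_pml4_va(va):
    """Recover the self-reference index from a PML4 self-map VA (such as the
    one in the tweet); reject addresses that do not have the self-map shape."""
    f = split_va(va)
    if not (f["pml4"] == f["pdpt"] == f["pd"] == f["pt"]) or f["offset"]:
        raise ValueError("not a PML4 self-map address: %#x" % va)
    return f["pml4"]


def pte_va_for(self_ref_index, target_va):
    """VA of the leaf PTE that maps `target_va`, reached through the self-map:
    one pass through the self-reference makes the page table the 'data' page."""
    pte_base = canonical(self_ref_index << PML4_SHIFT)
    return pte_base + ((target_va & 0xFFFFFFFFFFFF) >> PT_SHIFT) * ENTRY_SIZE


def user_accessible(entries):
    """Effective User/Supervisor result of a walk: user mode is allowed only
    when the U/S bit is set in every entry on the path (the CPU ANDs them)."""
    return all(e & US_BIT for e in entries)


def self_map_walk(self_ref_entry, target_path):
    """Entries the MMU consults when code touches the PTE of some target VA via
    the self-map: the self-reference PML4 entry first, then the target's own
    PML4E, PDPTE and PDE, each now serving one level lower than usual."""
    return [self_ref_entry] + list(target_path[:3])


if __name__ == "__main__":
    idx = self_ref_index_from_pml4_va(0xFFFFF6FB7DBED000)   # address from the tweet
    print("self-reference index: %#x" % idx)                 # 0x1ed
    print("PML4 self-map VA:     %#x" % pml4_self_map_va(idx))
    print("PTE base:             %#x" % pte_va_for(idx, 0))

    # Constructed entries: P|RW|A|D with U/S clear (0x63) vs. set (0x67).
    supervisor_self_ref = 0x0000000000187063
    user_self_ref = 0x0000000000187067
    user_page_path = [0x1067, 0x2067, 0x3067]               # U/S set at every level
    print("kernel-only self-ref, user walks tables:",
          user_accessible(self_map_walk(supervisor_self_ref, user_page_path)))
    print("flipped self-ref, user walks tables:    ",
          user_accessible(self_map_walk(user_self_ref, user_page_path)))
```

Because every page-table page is reached through that single self-referencing PML4 entry, its U/S bit alone decides whether user mode can read the page tables, and, since the entry is also writable, rewrite them; that is why one flipped bit in one entry exposes all of kernel memory, and why a check of that entry's U/S bit is the right thing to verify once a kernel update has been applied.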