Microsoft’s early patches for the Meltdown chip flaw have introduced an even more serious vulnerability in Windows 7 that allows attackers to read kernel memory much faster and to write their own memory, according to an independent security researcher.
The discovery is the latest twist in a monthslong saga around Meltdown and Spectre, which together have affected virtually all modern computer chips.
The researcher, Ulf Frisk, discovered that the Microsoft-issued Windows 7 patches could allow an attacker to access every user-level computing process running on a machine. Normally, the hierarchy of Microsoft’s memory management would keep a number of operations secured on the kernel level.
An attacker would need a foothold into a computing system in order to exploit the vulnerability. But once that foothold is established, “no fancy exploits” are needed, Frisk said.
“Windows 7 already did the hard work of mapping in the required memory into every running process,” he wrote in a blog post. “Exploitation was just a matter of read and write to already mapped in-process virtual memory.”
In a statement to CyberScoop, a Microsoft spokesperson said the tech giant was aware of the issue and was looking into it. The company then issued a new software patch in response to Frisk’s research on March 29.
The vulnerability only affects the 64-bit versions of Windows 7 (Service Pack 1) and the second release of Windows Server 2008 (Service Pack 1), the Microsoft spokesperson added. While Frisk had originally said that Microsoft’s January and February patches are the only patches affected by the vulnerability, he later discovered that the company’s initial March patch did not completely close the security hole. Microsoft’s March 29 patch, however, does resolve the issue, Frisk said.
Although the vulnerability does not affect newer versions of Windows such as Windows 10, Windows 7 is still widely used. It was only at the beginning of this year that use of Windows 10 overtook that of Windows 7, according to Stat Counter.
Meltdown and Spectre made global headlines when they were publicized in January because of their sweeping security implications. Meltdown lets hackers get around a barrier between applications and computer memory to steal sensitive data, while Spectre spoofs applications into spilling key information.
How companies and agencies adapt to Meltdown and Spectre is becoming a case study in vulnerability response that could feature in future cybersecurity training courses. Patches have helped mitigate the potential damage, but their rollout to users has been anything but smooth. In February, Intel Executive Vice President Navin Shenoy told customers to skip a round of firmware updates meant to address Spectre because they caused computers to reboot.
Frisk said he hasn’t linked the new vulnerability to anything on the public list of Common Vulnerabilities and Exposures. He invited readers to test the vulnerability using an exploit kit he linked to on GitHub.
UPDATE, 3/30/17, 11:53 a.m.: This story has been updated to reflect Frisk’s discovery that Microsoft’s original March patch did not fully resolve the vulnerability. The latest patch issued by Microsoft on March 29, however, does fully address the vulnerability.