Microsoft’s Meltdown fix opened a gaping hole in Windows 7 security, warn researchers.
Meltdown and Spectre are probably the worst vulnerabilities discovered in the history of computing. These two security flaws were made public earlier this year and affect virtually all modern processors, because they stem from the way the kernel and the CPU communicate with each other, says an information security training researcher. In addition, the complexity of these vulnerabilities makes fixing them very complicated, so much so that the corresponding patches sometimes open new security holes in the operating systems, as has just happened with Windows 7.
Microsoft’s first patches for Intel’s Meltdown CPU vulnerability created an even bigger problem in Windows 7, one that allowed any unprivileged application to read kernel memory, information security experts state.
Microsoft’s January and February patches stopped the Meltdown bug that exposed passwords in protected memory, but information security training researcher Ulf Frisk has discovered that the patches introduced a far worse kernel bug, which allows any process to read and write anywhere in kernel memory.
Frisk says the vulnerability affects Windows 7 x64 and Windows 2008R2 with the January or February patches.
The two faulty patches wrongly set a bit in the virtual-to-physical memory translator known as the PML4, allowing any user-mode application to access the kernel’s page tables, according to Frisk.
Intel’s CPU uses these page tables to translate the virtual memory of a process into physical memory. The correctly set bit would normally ensure the kernel has exclusive access to these tables.
“The User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” he said. “The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.”
Also, the information security training professional says the bug would be “trivially easy” to use to access all physical memory, because the PML4 page table is located at a fixed memory address in Windows 7. This means an attacker can also easily locate the Windows 7 page table that is now accessible to user-mode applications.
“Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and writes to already mapped in-process virtual memory,” writes Frisk. “Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one [has] to do is to write own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory.”
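To make the mechanism Frisk describes concrete, here is an added toy model (not code from this article, from Frisk, or from Microsoft) of the 4-level page-table walk with the U/S check at every level, including the self-map arithmetic that puts the PML4 at a fixed, predictable virtual address; the self-map slot index and the frame numbers are constructed for the example.

```python
# Toy model of the x86-64 4-level page-table walk. It shows why a User/Supervisor
# (U/S) bit set to User on the PML4 self-referencing entry hands the page tables to
# user mode. Constructed example, not Windows or MMU code; SELF_INDEX is assumed.
PRESENT, WRITE, USER = 1 << 0, 1 << 1, 1 << 2
PFN_MASK = ((1 << 40) - 1) << 12          # physical frame number lives in bits 12..51
SELF_INDEX = 0x1ED                        # PML4 slot used for the self-map (assumed)

def make_entry(pfn, user):
    """Present, writable entry pointing at physical frame `pfn`."""
    return PRESENT | WRITE | (USER if user else 0) | (pfn << 12)

def new_table(tables, pfn):
    tables[pfn] = [0] * 512               # one 4 KiB table of 512 8-byte entries
    return pfn

def translate(tables, pml4_pfn, va, user_mode):
    """Walk PML4 -> PDPT -> PD -> PT like the MMU (4 KiB pages only).
    Returns the physical address, or None for a page fault. In user mode the
    walk faults if any level on the path lacks the U/S bit."""
    pfn = pml4_pfn
    for shift in (39, 30, 21, 12):
        e = tables[pfn][(va >> shift) & 0x1FF]
        if not e & PRESENT or (user_mode and not e & USER):
            return None
        pfn = (e & PFN_MASK) >> 12
    return (pfn << 12) | (va & 0xFFF)

def self_map_va(index):
    """Virtual address at which the PML4 page maps itself: the same index at all
    four levels, so it is a fixed, predictable address for a given slot."""
    va = (index << 39) | (index << 30) | (index << 21) | (index << 12)
    return va | (0xFFFF << 48) if va & (1 << 47) else va   # canonical form

def build_tables(self_entry_user):
    """Address space with one ordinary user page plus the self-referencing entry.
    `self_entry_user` models the faulty patch (True) versus the intended state."""
    tables = {}
    pml4 = new_table(tables, 0x100)
    tables[pml4][SELF_INDEX] = make_entry(pml4, self_entry_user)
    pdpt, pd, pt = (new_table(tables, p) for p in (0x101, 0x102, 0x103))
    tables[pml4][0] = make_entry(pdpt, True)   # user VA 0x10000 -> frame 0x500
    tables[pdpt][0] = make_entry(pd, True)
    tables[pd][0] = make_entry(pt, True)
    tables[pt][0x10] = make_entry(0x500, True)
    return tables, pml4

def self_map_is_user_accessible(tables, pml4_pfn):
    """Audit: can a user-mode read of the self-map address reach the PML4?"""
    return translate(tables, pml4_pfn, self_map_va(SELF_INDEX), user_mode=True) is not None
```

With the self-map entry marked User, a user-mode walk of the self-map address resolves to the PML4 frame itself; with it marked Supervisor, the same walk faults while ordinary user pages still translate normally.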
The information security training researcher Frisk advised all admins and users of Windows 7 and Windows 2008R2 to install Microsoft’s March patch to resolve it. Windows 10 and Windows 8.1 are unaffected.