Microsoft’s January patch was released amidst claims of addressing the risks associated with attacks like Spectre and Meltdown to Windows-based systems. However, according to an independent Swedish security researcher Ulf Frisk, the patch has made security matters even more complicated especially regarding the memory vulnerabilities connected with Intel’s CPU bug Meltdown.
Frisk wrote a detailed blog post where he claimed that the January patch from Microsoft “stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.”
Frisk has created a PoC (proof-of-concept) exploit to demonstrate that the security update is not as reliable as it is touted to be. Meltdown and Spectre have collectively managed to affect almost all modern day computer chips and have turned out to be nightmarish for chip developers.
Frisk states that the patches from Microsoft to address Meltdown chip flaw has created much serious vulnerability in Windows 7 OS. This flaw, which has been labeled as Total Meltdown, lets attackers read kernel memory and write their own memory quickly.
Moreover, Frisk explains that Microsoft-issued patches can allow attackers access every single user-level computing process that is running on the device. Meltdown can read kernel memory at a rate of 120 kb/s but Total Meltdown lets malicious programs to completely read system memory at a much faster rate (approx. at speeds of gigabytes/s). To worsen the matter, it provides the hacker(s) full write privilege, which was not the case with original Meltdown vulnerability as it was read-only.
Frisk believes that the primary cause behind the creation of Total Meltdown is programming oversight in handling memory mirroring mechanism, which gets assigned to virtual memory address when a program runs. Basically, the PML4 page table permission bit was mistakenly set to User while it should be set to Supervisor. Resultantly, memory gets automatically mapped to each and every process that runs at user-level privilege instead of remaining accessible by the kernel only.
Windows 7 and Windows Server 2008 R2 both share the same Windows kernel version; PML4 is always mapped in virtual memory at 0xFFFFF6FB7DBED000 but this data’s location gets randomized to Windows 10. As the address gets disclosed, it becomes quite easy for attackers to exploit this oversight without using any specific programming trick.
Frisk further added that when the read/write access is acquired by the page tables, it may get slightly easy to access full physical memory. It may not be the case if additional protection is ensured with Extended Page Tables for Virtualization.
“All one have to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory,” wrote Frisk in his blog post.
Frisk has decided to not link Total Meltdown on any public list of Common Vulnerabilities and Exposures and wants readers to test it using the exploit kit he has uploaded to GitHub.
The vulnerability is found in x86-64 versions Windows 7 and Windows Server 2008 R2 systems whereas the 2018-01 or 2018-02 patches set have this issue. The 2018-03 patch was released to fix these patch sets but only after the oversight was created. Besides, PML is not present in 32-bit versions of MS Windows and hence, these versions remain unaffected while Windows 8 and newer versions are also unaffected as these randomize PML4 location.
Frisk states that to exploit the vulnerability, the attacker needs to gain a foothold in the computing system and when it is achieved, the system can be exploited without using any “fancy exploits.”
It is worth noting that the vulnerability has been identified in 64-bit versions of Windows 7 Services pack 1 and Windows Server 2008 Service Pack 1 (second release). Moreover, the systems that applied the patches issued by Microsoft in January and February are affected and those that used the March patch are safe.
Image credit: Depositphotos