Researcher Ulf Frisk has created a proof-of-concept exploit demonstrating that Microsoft’s January Patch Tuesday update made security matters worse when it comes to memory vulnerabilities associated with Intel’s CPU bug Meltdown.
Fisk, a Swedish IT security expert, reported on Tuesday that Microsoft made a fatal mistake in January with a botched patch that allowed malicious apps or a local user to access protected kernel memory and steal passwords and personal information from Windows 7 (64-bit) and Server 2008 R2 machines. No other Windows OS version is impacted.
Microsoft corrected the error in its March Patch Tuesday update. In a statement to Threatpost said:
“Microsoft is aware of this and looking into the matter further. This issue impacts Win7 SP1 (x64 only) and Server 2008R2 SP1 (x64 only). We are actively testing a solution, and will make it available as soon as it is properly validated.”
Microsoft’s January patch, the researcher said, “Stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well,” Fisk wrote in a technical break-down of his proof-of-concept exploit.
Fisk asserts Microsoft made an error where a single bit was erroneously set by the kernel in a CPU page table entry that was part of the patch. The mistake allowed normal programs read and write access to all of physical memory. A page table is defined as the data structure used by a virtual memory system in an OS to store the mapping between virtual addresses and physical addresses. Fisk also contends that Microsoft’s February Patch Tuesday update also contained the flaw.
“The User/Supervisor permission bit was set to User in the (Page Map Level 4) PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” he wrote.
According to Fisk, in Windows 7 the PML4 self-referencing is fixed at a set position of 0x1ED, offset 0xF68. “This means that the PML4 will always be mapped at the address: 0xFFFFF6FB7DBED000 in virtual memory. This is normally a memory address only made available to the kernel (Supervisor). Since the permission bit was erroneously set to User this meant the PML4 was mapped into every process and made available to code executing in user-mode,” he said.
With access to read/write page tables it’s easy for an app or local user to gain access to the complete physical memory, he said.
The patch fumble is the latest in a string of hiccups tied to fixing Intel’s Spectre and Meltdown CPU flaws.
In January, Microsoft was forced to disable Intel’s Spectre patch after there were reports of bugs that were causing unexpected system reboots and other problems. Microsoft’s revoking of the Spectre patch came days after Intel admitted in its Q4 2017 financial disclosure its CPU patches “may result in adverse performance, reboots, system instability, data loss or corruption, unpredictable system behavior, or the misappropriation of data by third parties.”
As for the latest reported bug, Fisk has made his proof-of-concept available via a PCILeech direct memory access attack toolkit, hosted on GitHub.
(This article was updated 3/28/2018 at 4:00 pm ET with a comment from Microsoft)