Date: 2018-03-29

JUST WHEN YOU THOUGHT Intel was bad at security, Microsoft has gone and proven it's not much better by releasing borked security fixes for the Meltdown processor vulnerability, which have apparently caused even bigger security holes on Windows machines.

According to security researcher Ulf Frisk, Microsoft's bug patches for Meltdown, released in January and aimed at 64-bit Windows 7 and Server 2008 R2 machines, actually opened up a vulnerability "way worse".



Frisk explained that while the patch stopped Meltdown, it allowed any process to read the complete memory contents at "gigabytes per second". It was also possible to write to arbitrary memory.

All that sounds a lot worse than Meltdown itself.

"No fancy exploits were needed," Frisk said in a blog post. "Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required - just standard read and write!"

So how is this possible? Frisk explained that in short, the User/Supervisor permission bit was set to User in the PML4 self-referencing entry.



"This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself," he said.
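To make the flag concrete, here is an added C example (not code from Frisk's post or from Microsoft) that scans a copy of a PML4 table, such as one taken from a memory image, finds the self-referencing entry and reports whether its User/Supervisor bit is set to User. The bit positions are the architectural x86-64 ones; the function names, the slot number 300 and the physical addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* x86-64 paging-entry bits (architectural). */
#define PTE_PRESENT   (1ULL << 0)            /* P: entry is valid */
#define PTE_WRITE     (1ULL << 1)            /* R/W: writable */
#define PTE_USER      (1ULL << 2)            /* U/S: 1 = User, 0 = Supervisor */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 12..51: physical frame */
#define PML4_ENTRIES  512

/* Index of the entry that points back at the PML4's own physical page, or -1. */
int find_self_ref(const uint64_t *pml4, uint64_t pml4_phys)
{
    for (int i = 0; i < PML4_ENTRIES; i++)
        if ((pml4[i] & PTE_PRESENT) &&
            (pml4[i] & PTE_ADDR_MASK) == (pml4_phys & PTE_ADDR_MASK))
            return i;
    return -1;
}

/* 1 = self-reference is user-accessible (the flawed state),
 * 0 = supervisor-only (expected), -1 = no self-reference found. */
int self_ref_user_accessible(const uint64_t *pml4, uint64_t pml4_phys)
{
    int i = find_self_ref(pml4, pml4_phys);
    if (i < 0)
        return -1;
    return (pml4[i] & PTE_USER) ? 1 : 0;
}

/* Constructed sample table; slot and addresses are illustrative only. */
void build_sample(uint64_t *pml4, uint64_t pml4_phys, int slot, int user)
{
    for (int i = 0; i < PML4_ENTRIES; i++)
        pml4[i] = 0;
    pml4[0] = 0x0000000012345000ULL | PTE_PRESENT | PTE_WRITE | PTE_USER;
    pml4[slot] = (pml4_phys & PTE_ADDR_MASK) | PTE_PRESENT | PTE_WRITE
               | (user ? PTE_USER : 0);
}

int main(void)
{
    static uint64_t pml4[PML4_ENTRIES];
    const uint64_t phys = 0x00200000ULL;  /* constructed physical address */
    build_sample(pml4, phys, 300, 1);
    printf("flawed: %d\n", self_ref_user_accessible(pml4, phys));
    build_sample(pml4, phys, 300, 0);
    printf("fixed:  %d\n", self_ref_user_accessible(pml4, phys));
    return 0;
}
```

The ordinary user-space mapping in slot 0 also has the User bit set, which is normal; only the entry that points back at the table itself is expected to be Supervisor-only.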



Only Windows 7 x64 systems patched with the 2018-01 or 2018-02 patches are vulnerable to this security hole, though, so if your system hasn't been patched since December 2017, or if it's patched with the 2018-03 patches or later, it will be secure.

Other Windows versions, such as Windows 10 or 8.1, are completely secure with regard to this issue, Frisk said.

"I discovered this vulnerability just after it had been patched in the 2018-03 Patch Tuesday. I have not been able to correlate the vulnerability to known CVEs or other known issues," he added. µ