Researcher Ulf Frisk has created a proof-of-concept exploit demonstrating that Microsoft’s January Patch Tuesday update made security matters worse when it comes to memory vulnerabilities associated with Intel’s CPU bug Meltdown.

Fisk, a Swedish IT security expert, reported on Tuesday that Microsoft made a fatal mistake in January with a botched patch that allowed malicious apps or a local user to access protected kernel memory and steal passwords and personal information from Windows 7 (64-bit) and Server 2008 R2 machines. No other Windows OS version is impacted.

Microsoft corrected the error in its March Patch Tuesday update.

Microsoft’s January patch, the researcher said, “Stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well,” Fisk wrote in a technical break-down of his proof-of-concept exploit.

Fisk asserts Microsoft made an error where a single bit was erroneously set by the kernel in a CPU page table entry that was part of the patch. The mistake allowed normal programs read and write access to all of physical memory. A page table is defined as the data structure used by a virtual memory system in an OS to store the mapping between virtual addresses and physical addresses. Fisk also contends that Microsoft’s February Patch Tuesday update also contained the flaw.

“The User/Supervisor permission bit was set to User in the (Page Map Level 4) PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” he wrote.

According to Fisk, in Windows 7 the PML4 self-referencing is fixed at a set position of 0x1ED, offset 0xF68. “This means that the PML4 will always be mapped at the address: 0xFFFFF6FB7DBED000 in virtual memory. This is normally a memory address only made available to the kernel (Supervisor). Since the permission bit was erroneously set to User this meant the PML4 was mapped into every process and made available to code executing in user-mode,” he said.

With access to read/write page tables it’s easy for an app or local user to gain access to the complete physical memory, he said.

The patch fumble is the latest in a string of hiccups tied to fixing Intel’s Spectre and Meltdown CPU flaws.

In January, Microsoft was forced to disable Intel’s Spectre patch after there were reports of bugs that were causing unexpected system reboots and other problems. Microsoft’s revoking of the Spectre patch came days after Intel admitted in its Q4 2017 financial disclosure its CPU patches “may result in adverse performance, reboots, system instability, data loss or corruption, unpredictable system behavior, or the misappropriation of data by third parties.”

Microsoft did not reply to a request for comment for this report.

As for the latest reported bug, Fisk has made his proof-of-concept available via a PCILeech direct memory access attack toolkit, hosted on GitHub.

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!