Microsoft’s updates for the Meltdown microprocessor mega-flaw inadvertently left users running Windows 7 64-bit systems open to a “way worse” flaw, a researcher has claimed.
To recap, Meltdown (aka F**CKWIT or CVE-2017-5754) is a hardware vulnerability, uncovered almost simultaneously by several groups of researchers, through which code running as an ordinary unprivileged application could read the contents of kernel memory (passwords and encryption keys, say) that the processor is supposed to keep off limits.
An extremely inviting target for any attacker, which is why Microsoft sprang into action to mitigate the vulnerability (alongside BIOS updates from hardware vendors) across different Windows versions, in two rounds of updates in January and February 2018.
But according to Ulf Frisk, something went awry starting with the January update when applied to Windows 7 x64 and Windows Server 2008 R2: it mis-set the controlling permission bit on something called the Page Map Level 4 (PML4).
This is the top-level table used by x86-64 microprocessors to “translate the virtual addresses of a process into physical memory addresses in RAM.”
Set correctly, the permission bit on the PML4’s self-referencing entry marks the page tables as supervisor-only, so that only the kernel can read or modify them. With the bit set to “user” instead, an attacker aware of the flaw could read and write the page tables from inside any ordinary process, and through them reach arbitrary physical memory, breaking out of the application space and taking over the system.
All this from a simple software mistake:
No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!
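To make Frisk’s “already mapped into every running process” concrete, here is an added example in C that is not code from the article or from Frisk. It decodes x86-64 paging-structure entries, flags the condition he describes (a present, user-accessible PML4 self-reference entry), audits the kernel half of a PML4 for stray user bits, and computes where the self-mapped page tables land in virtual memory for all four paging levels. The self-reference index 0x1ED is the fixed value Windows 7 x64 uses according to Frisk’s published writeup, not something stated on this page; the entry values in `main()` are constructed for illustration rather than taken from a real memory dump.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 paging-structure entry bits (same layout for PML4E, PDPTE, PDE and PTE). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)   /* U/S bit: set = reachable from user mode (CPL 3) */
#define PTE_NX        (1ULL << 63)
#define PTE_PFN_MASK  0x000FFFFFFFFFF000ULL  /* physical frame, bits 12..51 */

/* Fixed PML4 self-reference slot on Windows 7 x64 (from Frisk's writeup, assumed here). */
#define WIN7_SELF_REF_IDX 0x1EDu

typedef struct {
    int present, writable, user, no_execute;
    uint64_t pfn;
} pt_entry_t;

/* Split a raw 64-bit entry into its security-relevant fields. */
static pt_entry_t decode_entry(uint64_t e) {
    pt_entry_t d;
    d.present    = (e & PTE_PRESENT)  != 0;
    d.writable   = (e & PTE_WRITABLE) != 0;
    d.user       = (e & PTE_USER)     != 0;
    d.no_execute = (e & PTE_NX)       != 0;
    d.pfn        = (e & PTE_PFN_MASK) >> 12;
    return d;
}

/* Canonical 48-bit virtual addresses: bit 47 is copied into bits 48..63. */
static uint64_t sign_extend48(uint64_t v) {
    return (v & (1ULL << 47)) ? (v | 0xFFFF000000000000ULL) : (v & 0x0000FFFFFFFFFFFFULL);
}

/* Virtual address of the entry that maps `va` at `level` (1 = PTE, 2 = PDE,
 * 3 = PDPTE, 4 = PML4E) when the PML4 contains a self-reference at `self_idx`.
 * Each level of recursion through the self-reference replaces one 9-bit index
 * field with self_idx; the remaining low bits are va's indices times 8 bytes. */
static uint64_t self_map_entry_va(unsigned self_idx, int level, uint64_t va) {
    uint64_t addr = 0;
    for (int i = 0; i < level; i++)
        addr |= (uint64_t)self_idx << (39 - 9 * i);
    uint64_t va48 = va & 0x0000FFFFFFFFFFFFULL;
    uint64_t low  = (va48 >> (12 + 9 * (level - 1))) << 3;
    uint64_t mask = (1ULL << (39 - 9 * (level - 1))) - 1;  /* bits below the self_idx fields */
    return sign_extend48(addr | (low & mask));
}

/* The Total Meltdown condition: the self-reference entry is present and user-accessible,
 * so every process can read and write its own page tables with plain loads and stores. */
static int self_ref_is_user_accessible(uint64_t pml4e) {
    pt_entry_t d = decode_entry(pml4e);
    return d.present && d.user;
}

/* Audit a PML4: entries 256..511 cover the kernel half of the address space and
 * must never carry the U/S bit. Returns how many present entries do. */
static int count_user_kernel_entries(const uint64_t pml4[512]) {
    int n = 0;
    for (int i = 256; i < 512; i++) {
        pt_entry_t d = decode_entry(pml4[i]);
        if (d.present && d.user) n++;
    }
    return n;
}

int main(void) {
    uint64_t pml4[512] = {0};                          /* constructed sample, not a real dump */
    pml4[0]                 = 0x0000000000123067ULL;   /* user-half entry: U/S set is normal here */
    pml4[WIN7_SELF_REF_IDX] = 0x0000000000187063ULL;   /* correct: present, writable, supervisor-only */
    printf("healthy PML4: %d user-accessible kernel entries\n", count_user_kernel_entries(pml4));

    pml4[WIN7_SELF_REF_IDX] |= PTE_USER;               /* the January/February mis-set */
    printf("buggy PML4:   %d user-accessible kernel entries\n", count_user_kernel_entries(pml4));

    uint64_t pml4_base = self_map_entry_va(WIN7_SELF_REF_IDX, 4, 0);
    printf("PML4 base via self-map: 0x%016llx\n", (unsigned long long)pml4_base);
    /* The PTE mapping the PML4 page is the self-reference entry itself. */
    printf("self-ref entry:         0x%016llx\n",
           (unsigned long long)self_map_entry_va(WIN7_SELF_REF_IDX, 1, pml4_base));
    return 0;
}
```

On a correctly patched system the audit returns 0; with the self-reference entry marked user, the page tables (and, through them, all physical memory) are addressable from every process at the fixed self-map addresses the last two lines print, which is exactly why no API or syscall was needed.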
How should Windows users react?
According to Frisk, Microsoft’s March update patched the problem, so if you are up to date then the newly introduced PML4 bug has now been removed.
Only Windows 7 x64 (and Windows Server 2008 R2) systems that received the January and/or February updates were affected. As Frisk puts it:
Other Windows versions – such as Windows 10 or 8.1 – are completely secure with regards to this issue and have never been affected by it.
It’s not often that a security update makes a system more vulnerable than it was before its application, but that appears to be the bottom line with this one.
First came the mitigation for the original flaw, which introduced a new and separate flaw, which in turn required a fix to patch the fix.
This brings home how difficult it can be to mitigate or fully patch security flaws that have their origin in the way hardware was designed anything up to two decades ago.
These flaws exist at such a low level that even a small mistake can open another vulnerability.
Not to mention that emboldened researchers are now poking around at this level looking for new vulnerabilities and oversights, resulting in a trickle of new proofs-of-concept with a side-channel theme.
Pushing mitigations and patches that don’t slow down microprocessors or create new problems while fending off inquisitive researchers is putting Microsoft, Intel and other big vendors outside their comfort zone.
Baffled users look on and wonder what it all means. As far as 2018 is concerned, the answer is most likely a lot more work and unpredictability.
For a definitive explanation of these vulnerabilities and why they matter, read our take on Meltdown and Spectre.
And make sure to apply the latest patches from Microsoft – like we always say, Patch Early, Patch Often.
a79z
I’m very confused by this sentence, is something missing? — According to Frisk, Microsoft’s March update patched the problem which means that only Windows 7 x64 systems that received the January and/or February updates are affected.
My X64 system has all the updates Jan Feb and March installed. Does this mean it is safe or am I supposed to uninstall the January and February updates?
Paul Ducklin
I’ve reworded it for clarity.
In full:
Patched to Dec 2017: no PML4 bug, but no Meltdown/Spectre fixes either
Patched to Jan 2018: Meltdown/Spectre fixes applied, PML4 bug introduced
Patched to Feb 2018: Meltdown/Spectre fixes applied, PML4 bug introduced
Patched to Mar 2018: Meltdown/Spectre fixes applied, PML4 bug removed
AFAIK, each month’s patches supersede the previous ones, so you don’t have to uninstall anything. (If you did this then who knows what else might go missing at the same time?)
John E Dunn
Apologies for the confusion – it was meant to convey that any Windows 7 x64 user who has received the March update is *not* affected. Windows updates are cumulative so you wouldn’t normally de-install a previous update.
H Davis
I have Win 7 and was presented with the March Quality Rollup on 3/13/18 (KB4088875). Before I got to install it, it was recalled (it disappeared from my list). Today I checked again and it’s back as of 3/23/18 as an optional update: 2018-03 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4088881). Why a new KB number and why optional????
John E Dunn
The first update (KB4088875) relates to security while the latter (KB4088881) is for performance and other fixes, hence the different numbers.
Not sure why KB4088875 would have disappeared or become optional, but if you’re running Windows 7 on Intel, Microsoft’s advice is to apply it to address the Meltdown/Spectre vulnerabilities.
a79z
Thanks a million for the explanation and rewording Paul.
Iudith Mentzel
Hello All,
@John E Dunn, in your last post you say that “if you’re running Windows 7 on Intel Microsoft’s advice is to apply it to address Meltdown/Spectre vulnerabilities.”
I received KB4088875 on *BOTH* Intel and AMD machines as Important Updates and, as usual, I installed it on all of them, but it caused the AMD machine to get stuck during the restart, while for the Intel machines it worked fine.
For rebooting the AMD machine I had to stop the restart in the middle, go through CHKDSK cycles and so on until everything worked fine and all the updates were reported as installed successfully.
But, since this happened, the AMD machine DOES NOT receive any more automatic updates for Windows, except for Windows Defender updates.
There were 2 updates since then, KB4088881 on March 23 and KB4100480 on March 30, and they were presented only on the Intel machines, and NOT on the AMD machine.
Is this expected behavior ?
There is a lot of ambiguous information on the web regarding these updates, whether they are needed or not, whether they are harmful or not, and so on.
It looks like we really cannot rely on Microsoft … and I hear that many people take the decision to stop applying Microsoft patches at all …
Thanks a lot in advance for any clarification regarding this issue :)
Best Regards,
Iudith Mentzel
John E Dunn
The AMD update problem you mention is best addressed to Microsoft support. Any suggestion we offered would be speculation at best.
As for updates, while it’s true they can occasionally cause issues, opting out of them altogether is a bad idea that will leave your PCs exposed. The best advice is always to install security updates.
Iudith Mentzel
Hello,
I basically agree with you, though, as the last applied update KB4088875 does prove, in this case it would have been far better NOT to apply it and not get my machine irreversibly stuck …
As you know, Microsoft support does not effectively exist for private users … and many of their Windows 7 help pages were replaced with other contents since Windows 10 appeared …
The problem of applying further updates has become one of lack of confidence, because if one update did get your machine stuck, no one can guarantee that the further ones would not have the same effect or worse …
In my opinion, not applying a security update is far less dangerous than completely damaging a working OS …
Thanks a lot & best Regards,
Iudith