Researcher: January Meltdown Patch Opened Worse Vulnerability in Windows 7
Security patches from January to protect Windows 7 from Meltdown opened up a different, gaping security flaw in the way the operating system protected memory, according to a security researcher who specializes in direct memory access (DMA) attacks.
Ulf Frisk revealed the vulnerability on Tuesday on his personal blog in a post called "Total Meltdown?" The patch was intended to address the Meltdown flaw in Intel, IBM POWER and ARM-based processors that emerged in January and theoretically allows a rogue process to read all memory on a system.
"[The patch] stopped Meltdown but opened up a vulnerability way worse...It allowed any process to read the complete memory contents at gigabytes per second, oh -- it was possible to write to arbitrary memory as well," wrote Frisk, who is the author of the PCILeech memory access attack toolkit, and who described himself in a DEFCON 24 presentation in 2016 as a penetration tester specializing in online banking security and working in Stockholm, Sweden.
"No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required -- just standard read and write," Frisk said.
The flaw does not affect Windows 10 or Windows 8, according to Frisk.
The problem appears to have been introduced by the Windows 7 patches released in January, during the industrywide scramble to address the Meltdown and related Spectre flaws whose existence was revealed slightly ahead of schedule. Some of the first-generation patches caused reboot and slowdown issues, among other problems.
Frisk said the subsequent March patch for Windows 7 fixed the flaw, and he discovered the problem after the March patch was released.
Posted by Scott Bekker on 03/27/2018 at 10:27 AM