Microsoft's early patches for Intel's Meltdown CPU vulnerability created an even bigger problem in Windows 7 that allowed any unprivileged application to read kernel memory.
Microsoft's January and February patches stopped the Meltdown bug that exposed passwords in protected memory, but security researcher Ulf Frisk has discovered[1] that the patches introduced a far worse kernel bug, which allows any process to read and write anywhere in kernel memory.
Frisk says the vulnerability affects Windows 7 x64 and Windows 2008R2 with the January or February patches.
According to Frisk, the two faulty patches wrongly set a bit in the PML4, the top-level page table the CPU uses for virtual-to-physical address translation, allowing any user-mode application to access the kernel's page tables.
The CPU uses these page tables to translate a process's virtual addresses into physical memory addresses. With the bit set correctly, only the kernel can access these tables.
"In short -- the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself," he explains.
"The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM."
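As an added illustration (not code from the article or from Frisk's own tooling), the Python below decodes x86-64 paging entries and audits a PML4 image for the condition described above: a self-referencing entry whose User/Supervisor bit is set to User, so user mode can reach the page tables. The table contents, the frame address 0x1AB000 and the self-map index 0x100 are constructed sample values, not the real Windows 7 layout.

```python
from typing import Optional

# x86-64 paging-structure entry layout (Intel SDM Vol. 3A, sec. 4.5):
#   bit 0  P    present
#   bit 1  R/W  0 = read-only, 1 = writable
#   bit 2  U/S  0 = supervisor (kernel) only, 1 = user-mode accessible
#   bits 12..51 physical address of the next-level table (4 KiB aligned)
PRESENT, WRITABLE, USER = 1 << 0, 1 << 1, 1 << 2
ADDR_MASK = 0x000F_FFFF_FFFF_F000

def decode_entry(entry: int) -> dict:
    """Split one 64-bit PML4E/PDPTE/PDE/PTE into permission bits and target frame."""
    return {"present": bool(entry & PRESENT), "writable": bool(entry & WRITABLE),
            "user": bool(entry & USER), "frame": entry & ADDR_MASK}

def entry_at(pml4: bytes, idx: int) -> dict:
    return decode_entry(int.from_bytes(pml4[8 * idx:8 * idx + 8], "little"))

def find_self_ref(pml4_phys: int, pml4: bytes) -> Optional[int]:
    """Index of the PML4 entry whose target frame is the PML4 itself, if any."""
    for i in range(512):
        e = entry_at(pml4, i)
        if e["present"] and e["frame"] == pml4_phys:
            return i
    return None

def audit_pml4(pml4_phys: int, pml4: bytes) -> list:
    """Findings about the self-map; an empty list means it is supervisor-only."""
    idx = find_self_ref(pml4_phys, pml4)
    if idx is None:
        return ["no self-referencing PML4 entry found"]
    e = entry_at(pml4, idx)
    findings = []
    if e["user"]:
        findings.append(f"PML4E[{idx:#x}] self-map has U/S=User; page tables readable from user mode")
        if e["writable"]:
            findings.append("self-map also has R/W=1; page tables writable from user mode")
    return findings

def build_sample(user_bit_on_self_map: bool) -> tuple:
    """Constructed 4 KiB PML4: entry 0 maps a normal user PDPT, entry 0x100 is the self-map."""
    pml4_phys = 0x1AB000                                   # constructed frame address
    table = bytearray(4096)
    table[0:8] = (PRESENT | WRITABLE | USER | 0x200000).to_bytes(8, "little")  # ordinary user mapping
    self_map = PRESENT | WRITABLE | pml4_phys              # correct: U/S left at Supervisor
    if user_bit_on_self_map:
        self_map |= USER                                   # the state the faulty patches produced
    table[0x800:0x808] = self_map.to_bytes(8, "little")    # index 0x100 * 8 bytes
    return pml4_phys, bytes(table)
```

Ordinary user-space mappings legitimately carry U/S=1, which is why the audit looks only at the entry that maps the PML4 onto itself rather than at every user-accessible entry.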
Frisk also says the bug would be "trivially easy" to use to access all physical memory, because the PML4 page table is located at a fixed memory address in Windows 7. This means an attacker will also be able to locate the Windows 7 page table that is now accessible by user-mode