Security

Hackers can bypass Windows Meltdown patch, and early builds may be at risk

Microsoft's Spectre/Meltdown patches for Windows 10 could be completely bypassed, and only users with the April 2018 Update are protected.


Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A newly discovered flaw in the Windows 10 patches against Spectre and Meltdown renders them completely useless through the use of the NtCallEnclave command, which returns the full kernel page table directory.
  • Microsoft fixed the flaw in the Windows 10 April 2018 Update but hasn't backported the patch to older Windows 10 systems yet. The exploit only applies to Windows 10 systems.

The patches that Microsoft issued to fix Spectre and Meltdown could be completely nullified by by calling a particular command, one analyst has found.

Security researcher Alex Ionescu of Crowdstrike said in a tweet that the flaw completely undermines the mitigation, rendering it useless. "Calling NtCallEnclave returned back to user space with the full kernel page table directory," Ionescu said.

Those who have installed the Windows 10 April 2018 Update are safe—the update fixes the problem. It's also unique to Windows 10, so those on older versions of Windows don't need to worry. If you're running Windows 10 and haven't installed the April 2018 Update you should get on that right away: Microsoft hasn't released a backport yet.

A useless fix

Spectre and Meltdown are a pair of vulnerabilities that affect nearly every single processor in the world. The two exploits allow an attacker to bypass most kinds of system security in order to read sensitive data stored in the computer's kernel memory.

The patches issued by Microsoft should have stopped that information from being accessible from the user side of a Windows system, but in this case they didn't. All an attacker needs to do is find a way to run the NtCallEnclave command and they get instant access to the kernel page table directory, which contains all the sensitive information the patch should have protected.

SEE: Windows 10 spotlight: Prepare, repair, and recover (Tech Pro Research)

A Microsoft spokesperson told Bleeping Computer that it is planning backported patches for earlier versions of Windows 10, but the source didn't state when those would be available.

If you have a Windows 10 machine that is eligible for the April 2018 Update you should install it as soon as possible, and IT teams who are testing the update for full-scale rollout should accelerate their timetables to get the patch into users' hands ASAP.

If you have a Windows 10 computer that isn't eligible for the update be sure to keep your security software current to protect you from any malware that may try to take advantage of this newly revealed flaw.

Ionescu didn't state how exploitable the NtCallEnclave flaw is, but there's no reason to find out the hard way: Update today.

Also see

computer-ghost.jpg
Michael Borgers, Getty Images/iStockphoto

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks

Free Newsletters, In your Inbox