
Total Meltdown: How Microsoft's Meltdown patch created an even bigger flaw for hackers

The vulnerability affects Windows 7 and Windows Server 2008 R2, and gives complete memory access to hackers.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • A programming oversight granted user-level applications full read/write access to system memory at native speeds, without any special access tricks.
  • The issue, since patched, affected x86-64 versions of Windows 7 and Windows Server 2008 R2 carrying the January or February 2018 patch sets.

A vulnerability introduced in Windows 7 by Microsoft as part of their attempts to patch the much-publicized Meltdown vulnerability was recently disclosed by Swedish security researcher Ulf Frisk in a blog post. In contrast to Meltdown, which was measured by the original researchers as being able to read kernel memory at around 120 KB/s, the newly-disclosed "Total Meltdown" vulnerability allows malicious programs to read complete system memory at speeds of gigabytes per second.

To make matters worse, it also gives complete write access to hackers, whereas the original Meltdown vulnerability was read-only, the post said. The vulnerability stems from a programming oversight in how the page tables for a process's virtual address space are mapped: the permission bit on the PML4 page-table entry was set to "user" instead of "supervisor." As a result, memory that should only be accessible to the kernel was automatically mapped, readable and writable, into every process running at user-level privileges.

In Windows 7 and Windows Server 2008 R2 (which shares the same version of the Windows kernel), PML4 is always mapped at the virtual address 0xFFFFF6FB7DBED000, whereas Windows 10 randomizes the location of this data, the post noted. With the address known, and the page tables readable and writable through ordinary memory accesses rather than any particular programming trick, exploiting this oversight is trivial.
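To make the two facts above concrete, the following added example (not code from the article or from Ulf Frisk) decodes the x86-64 page-table bits involved: it shows why the fixed address is a self-reference into the PML4 (the same 9-bit index at all four paging levels) and what "user instead of supervisor" means for a page-table entry. The entry values are constructed; reading real PML4 entries requires a kernel debugger or driver, which this example does not do.

```c
/* Added example, not from the article or Ulf Frisk's code.  Page-table
 * entry values are constructed for illustration only. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITABLE (1ULL << 1)
#define PTE_USER     (1ULL << 2)   /* set = user mode may access; clear = supervisor only */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL

/* 9-bit table index held in bits 47:39 (PML4), 38:30 (PDPT), 29:21 (PD)
 * and 20:12 (PT) of a canonical virtual address.  level 4 = PML4 ... 1 = PT. */
static unsigned va_index(uint64_t va, int level) {
    return (unsigned)((va >> (12 + 9 * (level - 1))) & 0x1FF);
}

/* A virtual address that lands on the PML4 page itself through the
 * self-reference slot uses that slot's index at all four levels; for the
 * Windows 7 address quoted in the article the index is 0x1ED. */
bool is_self_ref_pml4_va(uint64_t va) {
    unsigned i = va_index(va, 4);
    return va_index(va, 3) == i && va_index(va, 2) == i && va_index(va, 1) == i;
}

/* The Total Meltdown condition: the self-reference entry is present and
 * carries the U/S bit, so an unprivileged process gets a user-accessible
 * mapping of the page tables.  A correct entry has U/S clear. */
bool self_ref_entry_is_user(const uint64_t *pml4, unsigned self_idx) {
    uint64_t e = pml4[self_idx];
    return (e & PTE_PRESENT) && (e & PTE_USER);
}

int main(void) {
    const uint64_t va = 0xFFFFF6FB7DBED000ULL;          /* address from the article */
    unsigned idx = va_index(va, 4);
    uint64_t pml4[512] = {0};
    /* Constructed entry in the buggy state: present, writable, user-accessible. */
    pml4[idx] = (0x187000ULL & PTE_PFN_MASK) | PTE_PRESENT | PTE_WRITABLE | PTE_USER;
    printf("self index 0x%X, self-ref VA: %s, user-accessible: %s\n", idx,
           is_self_ref_pml4_va(va) ? "yes" : "no",
           self_ref_entry_is_user(pml4, idx) ? "yes (vulnerable)" : "no");
    pml4[idx] &= ~PTE_USER;                             /* the patched state */
    printf("after clearing U/S: user-accessible: %s\n",
           self_ref_entry_is_user(pml4, idx) ? "yes" : "no");
    return 0;
}
```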


According to Frisk, "Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory."

This issue is present in x86-64 versions of Windows 7 and Windows Server 2008 R2 with the 2018-01 or 2018-02 set of patches applied. It was fixed in the 2018-03 patch set, and did not exist before this year, as the oversight was made during Microsoft's attempts to address the Spectre and Meltdown vulnerabilities. PML4 does not exist in 32-bit versions of Windows, so they are unaffected by this issue. Because Windows 8 and newer versions randomize the location of PML4, they are also not affected.

Due to the wide-ranging effects of the Meltdown and Spectre vulnerabilities, hardware and software vendors have been sprinting to deliver patches to mitigate the risk as much as possible. These patches have at times been problematic—leading to unbootable systems and unexpected reboots—though patches now exist for affected Intel and AMD processors. As speculative execution side-channel attacks are a relatively new paradigm for security researchers to investigate, further iterations of patches to completely eliminate the attack surface are likely to be distributed for years to come.

Of particular note, organizations still using Windows 7 or Windows Server 2008 R2 should begin investigating upgrade paths. Windows 7 is presently 8 years and 8 months old, and extended support is scheduled to end in January 2020, just short of two years from now.


About James Sanders

James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.
