“No fancy exploits are needed,” researcher explains

Mar 28, 2018 07:53 GMT

Microsoft rolled out Meltdown and Spectre patches in January for all supported Windows versions, Windows 7 included, and although further mitigations followed shortly afterwards, the original fix turned out to open the door to a different kind of exploit.

Security researcher Ulf Frisk has discovered that Microsoft’s January Meltdown patch for 64-bit Windows 7 and Windows Server 2008 R2 gave every ordinary user-mode process full read and write access to physical memory. This means that anyone able to run code on a vulnerable machine, even as an unprivileged local user, could take complete control of the system, which goes well beyond administrator privileges.

The technical analysis and the proof-of-concept exploit published on Frisk’s blog show that taking advantage of the bug was not complex at all.

“No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required - just standard read and write!” he posted.
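The memory Frisk refers to is the page-table hierarchy itself: x64 Windows maps a process’s own page tables into its address space through a self-referencing PML4 entry (index 0x1ED on Windows 7 x64), and the faulty patch left that entry accessible from user mode. The following C program is added here as an illustration; it is not from the article or from Frisk’s proof of concept. It works through the arithmetic behind the “just read and write” remark: where the recursive mapping places each table level, which PTE an attacker would overwrite to map an arbitrary physical frame into a scratch page, and the single bit that distinguishes a vulnerable self-reference entry from a correct one. The self-reference index is background knowledge rather than something the article states, the sample entries and the scratch address are constructed, and the program only computes addresses and entry values; it never touches memory, so it runs on any platform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x64 page-table entry bits (Intel SDM vol. 3, 4-level paging). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)
#define PTE_USER      (1ULL << 2)   /* U/S: 1 = reachable from user mode */
#define PTE_NX        (1ULL << 63)
#define PTE_PFN_MASK  0x000FFFFFFFFFF000ULL

/* Windows 7 x64 keeps its self-referencing PML4 entry at index 0x1ED
   (background knowledge, not something the article states). */
#define WIN7_SELFREF_INDEX 0x1EDULL

/* Sign-extend a 48-bit address into canonical 64-bit form. */
static uint64_t canonical(uint64_t va)
{
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL)
                               : (va & 0x0000FFFFFFFFFFFFULL);
}

/* Because PML4[i] points back at the PML4 page itself, the four table levels
   show up as fixed virtual windows whose location depends only on i. */
static uint64_t pte_base(uint64_t i)   { return canonical(i << 39); }
static uint64_t pde_base(uint64_t i)   { return canonical((i << 39) | (i << 30)); }
static uint64_t pdpte_base(uint64_t i) { return canonical((i << 39) | (i << 30) | (i << 21)); }
static uint64_t pml4_base(uint64_t i)  { return canonical((i << 39) | (i << 30) | (i << 21) | (i << 12)); }

/* Virtual address of the last-level PTE that maps `va` (36-bit page index). */
static uint64_t pte_va_for(uint64_t i, uint64_t va)
{
    return pte_base(i) + ((va >> 12) & 0xFFFFFFFFFULL) * 8;
}

/* Virtual address of the PML4 entry covering `va` (9-bit index). */
static uint64_t pml4e_va_for(uint64_t i, uint64_t va)
{
    return pml4_base(i) + ((va >> 39) & 0x1FFULL) * 8;
}

struct pt_entry { bool present, writable, user, nx; uint64_t pfn; };

static struct pt_entry decode_entry(uint64_t e)
{
    struct pt_entry d = {
        .present  = (e & PTE_PRESENT) != 0,
        .writable = (e & PTE_RW) != 0,
        .user     = (e & PTE_USER) != 0,
        .nx       = (e & PTE_NX) != 0,
        .pfn      = (e & PTE_PFN_MASK) >> 12,
    };
    return d;
}

/* The flaw as one predicate: a present self-reference entry with U/S set
   exposes the whole page-table hierarchy to every user-mode process. */
static bool selfref_user_accessible(uint64_t pml4e)
{
    struct pt_entry d = decode_entry(pml4e);
    return d.present && d.user;
}

/* Entry an attacker writes into one of their own PTEs to map physical
   frame `pfn` read/write into a scratch page of their address space. */
static uint64_t build_rw_pte(uint64_t pfn)
{
    return ((pfn << 12) & PTE_PFN_MASK) | PTE_PRESENT | PTE_RW | PTE_USER;
}

/* Constructed sample entries (not captured from a real machine): same frame,
   differing only in the U/S bit. 0x67 = P|RW|US|A|D, 0x63 = P|RW|A|D. */
#define SAMPLE_PML4E_VULNERABLE 0x0000000000187067ULL
#define SAMPLE_PML4E_FIXED      0x0000000000187063ULL

int main(void)
{
    uint64_t i = WIN7_SELFREF_INDEX;
    printf("PTE window        %016llx\n", (unsigned long long)pte_base(i));
    printf("PDE window        %016llx\n", (unsigned long long)pde_base(i));
    printf("PDPTE window      %016llx\n", (unsigned long long)pdpte_base(i));
    printf("PML4 page         %016llx\n", (unsigned long long)pml4_base(i));
    printf("PML4 self-entry   %016llx\n", (unsigned long long)pml4e_va_for(i, pml4_base(i)));

    /* With the flaw present, pointing a hypothetical user-mode scratch page at
       physical frame 0x1000 is a single 8-byte store at a computable address. */
    uint64_t scratch = 0x0000000010000000ULL;   /* constructed, not a real mapping */
    printf("store %016llx at %016llx, then read the scratch page\n",
           (unsigned long long)build_rw_pte(0x1000ULL),
           (unsigned long long)pte_va_for(i, scratch));

    printf("vulnerable self-entry user-accessible: %d\n", selfref_user_accessible(SAMPLE_PML4E_VULNERABLE));
    printf("fixed self-entry user-accessible:      %d\n", selfref_user_accessible(SAMPLE_PML4E_FIXED));
    return 0;
}
```

The computed windows (PTE base 0xFFFFF68000000000, PML4 page 0xFFFFF6FB7DBED000) are the well-known Windows 7 x64 constants, which is what made the bug so cheap to exploit: once the PML4 page is readable and writable from user mode, an attacker needs no API at all, only ordinary loads and stores at addresses they can compute in advance. Windows 10 randomizes the self-reference index, so these fixed constants are specific to Windows 7 and Server 2008 R2.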

Windows 8.1 and Windows 10 not affected

The bug, introduced by the January Meltdown patch for Windows 7 and Windows Server 2008 R2, was fixed by Microsoft in the March 2018 Patch Tuesday rollout. Only computers running the January or February patches are therefore vulnerable; machines that haven’t installed any updates since December 2017 never received the faulty code (although they remain unpatched against Meltdown itself), and up-to-date machines with this month’s security fixes deployed are protected as well.

Other Windows versions, including Windows 8.1 and Windows 10, are not affected, because their Meltdown patches did not introduce the same flaw.

“I'm just so very surprised it went unnoticed by everyone but Microsoft for almost 3 months,” Ulf Frisk explained in a tweet.

Windows 7 and Windows Server 2008 R2 systems need the most recent patches to be protected, especially if they’re currently running the January or February updates.