Fix landed on Patch Tuesday, security researcher reveals

May 11, 2018 07:01 GMT

Earlier this month, it was disclosed that Microsoft’s Windows 10 patch for the Meltdown vulnerability came with a bug that allowed potential attackers to disable the mitigations.

Security researcher Alex Ionescu described the issue as a “fatal flaw,” explaining that it was already fixed in the April 2018 Update, whose rollout started on April 30 as a manual download.

And as it turned out, Microsoft moved blazing fast to address the problem in Windows 10 Fall Creators Update, and this month’s Patch Tuesday rollout included a fix for this bug.

The Fall Creators Update, also known as version 1709, was the only Windows 10 version left open to attacks as the vulnerable API was introduced with this release.

“Incredible turnaround by @msftsecresponse to fix this issue (which only affected Fall Creators Update due to this API being introduced in 1709) in today’s Patch Tuesday. Customers on 1709 now protected just like on 1803, so not back porting was an oversight now addressed,” Ionescu said in a May 9 tweet.

Flaw now gone

This means that the so-called fatal flaw no longer exists in Windows 10, as both affected versions have already been patched.

Microsoft hasn’t detailed the patch, but it’s included in the most recent cumulative update for Windows 10 Fall Creators Update, labeled KB4103727. The update includes security fixes for Windows 10 and its built-in apps and components, such as the Microsoft Edge and Internet Explorer browsers, Device Guard, the Windows kernel, the Microsoft Graphics component, and Windows storage and filesystems.

Microsoft has rolled out several updates to mitigate the Meltdown and Spectre vulnerabilities since their public disclosure in early January. These fixes and the latest cumulative update can be installed via Windows Update. Deploying the most recent cumulative update for Windows 10 brings a system fully up to date, as it contains all the previously released fixes plus every month’s patches.