Microsoft’s Out-of-Band Meltdown Patch

Monday, April 2, 2018 @ 12:04 PM gHale

Because of a serious privilege escalation vulnerability introduced earlier this year by Meltdown mitigations, Microsoft decided to release out-of-band updates for Windows 7 and Windows Server 2008 R2.

The Meltdown patch from January “stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well,” said researcher Ulf Frisk.

Microsoft said last week a new patch has been released for Windows 7 x64 Service Pack 1 and Windows Server 2008 R2 x64 Service Pack 1 to fully resolve the Meltdown problem.

“Customers who apply the updates, or have automatic updates enabled, are protected,” a Microsoft spokesperson said.

The vulnerability, tracked as CVE-2018-1038 and rated “important,” has been patched with the KB4100480 update.

Users should install the update as soon as possible, Microsoft officials said, because some researchers said the issues could end up being leveraged by attackers.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in an advisory.


