Skip to main content

Microsoft’s Windows 7 Meltdown update granted access to all data in memory

Security researcher Ulf Frisk reports that patches to address the Meltdown processor flaw on Windows 7 (64-bit) and Windows Server 2008 R2 machines created a far greater vulnerability. He claims the new flaw allows any process to read everything stored in memory “at gigabytes per second.” It also allows processes to write to arbitrary memory without “fancy exploits.” 

“Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk states. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or system calls required — just standard read and write!” 

Recommended Videos

Because of the amount of data stored in memory is rather large and complex, Windows PCs track data using addresses listed on virtual and physical “maps” or “pages.”  The reported problem resides with a four-level in-memory page table hierarchy the processor’s Memory Management Unit uses to translate the virtual addresses of data into physical addresses stored in the system memory. 

According to Frisk, Windows 7 and Windows Server 2008 R2 have a self-referencing entry on Page Map Level 4 (PML4) in virtual memory with a fixed address. This address is only made available to the operating system’s lowest, most secure level: The kernel. Only processes with a “supervisor” permission have access to this address and the data on this table. 

But Microsoft’s Meltdown patches released at the beginning of 2018 set the permission to “user.” That means all processes and applications can access all data stored in memory, even data only meant to be used by the operating system. 

“Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization,” Frisk writes. “All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory.” 

To prove this discovery, Frisk added a technique to exploit the vulnerability — a memory acquisition device — in the PCLeech direct memory access toolkit. But if you’re trying to test the vulnerability on a Windows 7 or Windows Server 2008 R2 machine updated on March Patch Tuesday, you’re out of luck. Microsoft switched the PML4 permission back to “supervisor” as part of the company’s blanket of security fixes for the month. 

The memory problem surfaced after Microsoft distributed its Meltdown and Spectre security fixes in the January Patch Tuesday update. Windows 7 (64-bit) and Windows Server 2008 R2 machines with the February Patch Tuesday updates are also vulnerable. Devices with Windows 10 and Windows 8.1 are not vulnerable. 

That said, Windows 7 and Windows Server 2008 R2 devices owners are encouraged to update their machines with the most recent patches distributed in March. But Frisk notes that he discovered the vulnerability after Microsoft’s March Patch Tuesday update, and has not been able to “correlate the vulnerability to known CVEs or other known issues.” 

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Apple loses AI whiz to Meta with an offer that will make your eyes water
Meta AI widget on Home Screen.

It was just last month that OpenAI boss Sam Altman claimed that Meta had been trying to poach his top AI engineers by offering hiring bonuses of as much as $100 million.

There was renewed interest in the matter earlier this week when it emerged that Ruoming Pang, an esteemed AI engineer who oversaw Apple’s AI models, had jumped ship to Meta.

Read more
I found the best Prime Day deal on a tablet hidden beyond Amazon
Microsoft Surface Pro 12-inch, stylus, and keyboard.

A good tablet can take your productivity to the next level, but a boring one will find a niche use and eat dust on a table or couch for most of its time. I love iPads and have been pushing them – as far as I can — to act as my primary computing machine for nearly half a decade now. It has never managed to replace a proper laptop, like a MacBook Air or a Windows machine. 

Why not buy a Windows laptop, you might ask? Well, Windows-powered tablets, especially those Surface devices sold by Microsoft, are pretty expensive. I love the new 12-inch Surface Pro, but at $799, it felt like a steep purchase despite its impressive specifications. 

Read more
Prime Day is over, but this powerful Dell laptop is still at its lowest price
The Dell Vostro 3530 laptop on a white background.

Prime Day is already over, but that doesn't mean that there are no more laptop deals for you to shop on Amazon. Here's one that caught our eye -- the Dell Vostro 3530 with 32GB of RAM for its lowest-ever price of $649, following a 28% discount on its original price of $899. This limited-time offer of $250 off may not last much longer though, so if you want to take advantage of this bargain, we highly recommend that you finalize your purchase for this device as soon as you can.

Buy Now

Read more