Early fixes for Intel’s Meltdown vulnerability allowed read/write access to all memory

As it turns out, Microsoft’s early patches for Intel’s Meltdown vulnerability created even worse security issues for Windows 7 and Server 2008 R2 users.

Early fixes for Meltdown enabled read/write access to kernel memory, allowing hackers to gain complete control over the system, according to Swedish researcher Ulf Frisk.

Microsoft rolled out the patches back in January and February to address the Meltdown bug. Unfortunately, the initial version of these patches created more problems than it solved.

The flaw, dubbed Total Meltdown, allowed files to be both readable and writable – meaning that malware or other logged-in users could manipulate them.

This could allow a local unprivileged user to gain elevated privileges and steal or modify any data stored in RAM.

The infamous Meltdown and Spectre exploits take advantage of flaws related to ‘speculative execution’, a feature on modern CPUs that helps boost performance by carrying out tasks ahead of time. 

According to researchers, a security loophole allowed unprivileged applications to not only monitor these tasks, which are held in the processor’s cache, but ultimately gain access to full system memory, potentially compromising passwords, encrypted communications, and financial information. 

Meltdown was a read-only flaw, and enabled kernel memory to be read at 120kb/s.

In contrast, Total Meltdown gave hackers read and write access, and allowed the complete system memory to be viewed at a speed of gigabytes per second.

Frisk posted his findings online and included proof-of-concept code.

He wrote: “Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization.

“All one [would] have to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory.”

Frisk added: “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!”
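To make the page-table point concrete from an auditing angle, here is an added example (not Frisk's proof-of-concept and not from the article) that decodes the permission bits of x86-64 page-table entries and flags the condition Total Meltdown introduced: a page-table page that is mapped present, writable and user-accessible. The bit layout follows the Intel SDM (bit 0 Present, bit 1 Read/Write, bit 2 User/Supervisor, bit 63 Execute-Disable, physical frame in bits 12 to 51); the entry values and the four-entry table are constructed for illustration and are not real Windows 7 page tables.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-table entry flag bits (Intel SDM Vol. 3A, Sec. 4.5). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITE     (1ULL << 1)
#define PTE_USER      (1ULL << 2)
#define PTE_NX        (1ULL << 63)
/* Bits 12..51 hold the physical frame number (4 KiB pages). */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL

typedef struct {
    bool present;   /* entry maps something */
    bool writable;  /* R/W bit: writes allowed */
    bool user;      /* U/S bit: reachable from ring 3 */
    bool nx;        /* XD bit: no instruction fetch */
    uint64_t phys;  /* physical address of the mapped frame */
} pte_info;

/* Split a raw 64-bit entry into its permission bits and frame address. */
pte_info decode_pte(uint64_t e)
{
    pte_info i;
    i.present  = (e & PTE_PRESENT) != 0;
    i.writable = (e & PTE_WRITE)   != 0;
    i.user     = (e & PTE_USER)    != 0;
    i.nx       = (e & PTE_NX)      != 0;
    i.phys     = e & PTE_ADDR_MASK;
    return i;
}

/* True when an entry lets user mode both read and write the target page.
 * For a page that is itself a page table (PML4, PDPT, PD or PT), this is
 * exactly the misconfiguration the article describes: anyone who can write
 * page-table entries can map arbitrary physical memory. */
bool user_writable(uint64_t e)
{
    return (e & (PTE_PRESENT | PTE_WRITE | PTE_USER)) ==
           (PTE_PRESENT | PTE_WRITE | PTE_USER);
}

/* Audit helper: count entries in a table that are user-writable. In a sane
 * kernel, the tables that map the kernel itself should yield zero. */
int count_user_writable(const uint64_t *table, size_t n)
{
    int hits = 0;
    for (size_t k = 0; k < n; k++)
        if (user_writable(table[k]))
            hits++;
    return hits;
}

/* Constructed sample entries (hypothetical frame addresses, not real). */
static const uint64_t SAMPLE_TABLE[4] = {
    0x0000000001234003ULL,  /* P|RW, supervisor-only: normal kernel mapping  */
    0x0000000001235001ULL,  /* P only: read-only supervisor mapping          */
    0x8000000001236007ULL,  /* P|RW|US|NX: user-writable -> the bad case     */
    0x0000000000000000ULL,  /* not present                                   */
};

int main(void)
{
    for (size_t k = 0; k < 4; k++) {
        pte_info i = decode_pte(SAMPLE_TABLE[k]);
        printf("entry %zu: P=%d RW=%d US=%d NX=%d phys=0x%llx%s\n", k,
               i.present, i.writable, i.user, i.nx,
               (unsigned long long)i.phys,
               user_writable(SAMPLE_TABLE[k]) ? "  <-- user-writable" : "");
    }
    printf("user-writable entries: %d\n", count_user_writable(SAMPLE_TABLE, 4));
    return 0;
}
```

Run against the constructed table it reports one user-writable entry (the third one). The same check, applied to the entry that maps a page-table page, is the property that separates the original read-only Meltdown from Total Meltdown: the supervisor-only bit, not any API or syscall, is all that stood between user mode and the page tables.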

This OS flaw was patched in March’s Patch Tuesday update. 

Breakdown?

Researchers this week also unveiled a new side-channel attack method that targets Intel processors and is similar to Meltdown and Spectre.

The vulnerability, called BranchScope, can be exploited to allow a hacker to steal sensitive information, such as passwords or other data.

It was discovered by researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University, and cannot be mitigated by the recent Spectre and Meltdown patches.

BranchScope manipulates the branch predictor to potentially access data from the memory of the processor chip.