Meltdown bug fix led to even bigger leak on Windows 7 and Server 2008 R2
Windows 7 x64 systems have been found to be severely vulnerable as a result of Microsoft’s January and February Meltdown patches. According to a security researcher, the patches introduced a kernel memory leak. Windows Server 2008 R2 also appears to be susceptible.
The patches meant that the memory of Windows 7 x64 and Windows Server 2008 R2 systems could be read without the need for exploits, APIs or syscalls, writes security expert Ulf Frisk. According to him, the patches added user-level permissions to the page map level 4 (PML4) hierarchy, the top level of the page tables the memory management unit uses to translate virtual memory addresses to physical addresses in RAM.
The result was that the page tables were accessible by any process on Windows 7 x64 and Windows Server 2008 R2. It also turned out to be possible to write to the memory. According to Frisk, this makes it easy to do a complete memory dump, and as a proof of concept he has added the technique to his DMA attack toolkit PCILeech.
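As an added example (not from the article and not PCILeech's own code), the check below decodes x86-64 PML4 entries from a constructed table and flags the weak setting described above: a kernel-half entry that carries the user/supervisor bit. Index values and physical addresses in the sample are made up.

```python
# Added example (not from the article or PCILeech): decode x86-64 PML4 entries
# and flag the weak setting described above, a kernel-half PML4 entry that
# carries the user/supervisor (U/S) bit, so user mode can walk the page tables.
# Entry layout is the 4-level paging format from the Intel SDM: bit 0 present,
# bit 1 R/W, bit 2 U/S, bits 12..51 next-level table address, bit 63 NX.
from typing import Dict, List

P_BIT, RW_BIT, US_BIT, NX_BIT = 1 << 0, 1 << 1, 1 << 2, 1 << 63
ADDR_MASK = 0x000F_FFFF_FFFF_F000
PML4_ENTRIES, KERNEL_HALF_START = 512, 256   # index 256+ is the kernel half


def decode_entry(raw: int) -> Dict[str, object]:
    """Split one 64-bit PML4 entry into its access bits and table address."""
    return {"present": bool(raw & P_BIT), "writable": bool(raw & RW_BIT),
            "user": bool(raw & US_BIT), "nx": bool(raw & NX_BIT),
            "table_pa": raw & ADDR_MASK}


def index_to_va(index: int) -> int:
    """Canonical virtual address a PML4 slot covers (each slot spans 512 GiB)."""
    va = index << 39
    return va | 0xFFFF_0000_0000_0000 if index >= KERNEL_HALF_START else va


def supervisor_only(raw: int) -> int:
    """Corrected form of an entry: same mapping, U/S bit cleared."""
    return raw & ~US_BIT


def audit_pml4(pml4: bytes) -> List[Dict[str, object]]:
    """Return every present kernel-half entry that is reachable from user mode."""
    findings = []
    for i in range(PML4_ENTRIES):
        e = decode_entry(int.from_bytes(pml4[i * 8:(i + 1) * 8], "little"))
        if i >= KERNEL_HALF_START and e["present"] and e["user"]:
            findings.append({"index": i, "va": index_to_va(i), **e})
    return findings


def build_sample_pml4() -> bytes:
    """Constructed 4 KiB table (indices and addresses are made up): a normal
    user-half entry, a correct supervisor-only kernel entry, and one kernel
    entry with U/S set, which is the misconfiguration the article describes."""
    table = [0] * PML4_ENTRIES
    table[0] = 0x1000 | P_BIT | RW_BIT | US_BIT      # user-space mapping, fine
    table[300] = 0x2000 | P_BIT | RW_BIT             # kernel mapping, correct
    table[400] = 0x3000 | P_BIT | RW_BIT | US_BIT    # kernel mapping, the bug
    return b"".join(v.to_bytes(8, "little") for v in table)


if __name__ == "__main__":
    for f in audit_pml4(build_sample_pml4()):
        print(f"PML4[{f['index']}] VA {f['va']:#018x} -> table {f['table_pa']:#x} "
              "is present and user-accessible")
```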
Frisk emphasizes that Windows 10 and Windows 8.1 are not affected by the bug and that Microsoft has closed the leak with the March patch. That patch caused problems for many users because it overwrote the settings of the virtual network interface card, or vNIC. Microsoft states in the release notes for the March 13 patch that it is aware of the problems and will address them in an upcoming update. Windows 7 and Server 2008 R2 users who have installed the January and February updates, but not the March 13 patch, are vulnerable.
[Image: Example of accessing PML4 via PCILeech]