Windows faces a further vulnerability: the latest update for the Meltdown bug exposed further weaknesses in the Microsoft OS. Organizations need to apply a further update to their endpoints and servers running Windows 7 and Windows 2008R2 to protect their healthcare networks.
The vulnerability was discovered by security researcher Ulf Frisk. The update introduced a kernel bug that lets any process, threatening or non-threatening, read and write anywhere in kernel memory.
The January and February Windows patches were meant to combat the chip design vulnerability exposed by Meltdown and Spectre. These widespread cyberattacks are hardware-based and allow hackers to steal sensitive data from endpoint devices and servers.
Meltdown and Spectre take advantage of speculative execution, which is a predictive process many computers use to speed up common tasks. Instead of waiting for a command or event, the computer will perform certain tasks ahead of time to speed up the process.
When a computer predicts a task or event, and something out of the ordinary happens, the data is discarded. The data ends up in an unsecured part of the computer’s cache memory, which is vulnerable to side channel access.
Speculative execution dates back to when computers were more contained. The discarded data wasn’t seen as a risk and so it wasn’t secured.
Now that computers are networked and can be remotely accessed or connect to the cloud, this data is vulnerable. Hackers can take the data in the cache and also trick the computer into loading any data into the cache.
The patches released to protect computers and servers from attacks like Meltdown and Spectre were not set up correctly in the PML4, which is a virtual-to-physical translator. This allows any user-mode application to access the kernel’s page tables.
“In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry,” Frisk explained. “This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself.”
“The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.”
Frisk added that taking advantage of this vulnerability is relatively easy.
In Windows 7, the PML4 is in a fixed position, always mapped at the same address in virtual memory. This memory address is only supposed to be available to the kernel. However, the update incorrectly set the permission bit to User, so the PML4 is mapped into every process and is available to code executing in user mode.
“Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization,” Frisk wrote. “All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory.”
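The condition Frisk describes can be checked in a memory image. The following is an added example, not code from the article or from Frisk: it scans a 512-entry PML4 page, finds the self-referencing entry (the one whose physical frame is the PML4's own), and reports whether its User/Supervisor bit is set. The physical address and entry index in the sample are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-table entry bits (architectural layout). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITE     (1ULL << 1)
#define PTE_USER      (1ULL << 2)            /* U/S: 1 = user mode may access */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 12..51: physical frame */

enum selfref_status { SELFREF_NONE = -1, SELFREF_SUPERVISOR = 0, SELFREF_USER = 1 };

/* Return the index of the present entry that points back at the PML4's
   own physical page, or -1 if no such entry exists. */
int find_selfref(const uint64_t pml4[512], uint64_t pml4_phys)
{
    for (int i = 0; i < 512; i++)
        if ((pml4[i] & PTE_PRESENT) &&
            (pml4[i] & PTE_ADDR_MASK) == (pml4_phys & PTE_ADDR_MASK))
            return i;
    return -1;
}

/* Classify the self-referencing entry: it must be supervisor-only. */
enum selfref_status audit_pml4(const uint64_t pml4[512], uint64_t pml4_phys)
{
    int idx = find_selfref(pml4, pml4_phys);
    if (idx < 0)
        return SELFREF_NONE;
    return (pml4[idx] & PTE_USER) ? SELFREF_USER : SELFREF_SUPERVISOR;
}

/* Build a constructed PML4 page for testing; idx and pml4_phys are
   illustrative values, not taken from any real system. */
void make_sample(uint64_t pml4[512], uint64_t pml4_phys, int idx, int user)
{
    for (int i = 0; i < 512; i++)
        pml4[i] = 0;
    /* An ordinary user-space entry: the User bit is expected here. */
    pml4[0] = 0x0000000012345000ULL | PTE_PRESENT | PTE_WRITE | PTE_USER;
    pml4[idx] = (pml4_phys & PTE_ADDR_MASK) | PTE_PRESENT | PTE_WRITE
              | (user ? PTE_USER : 0);
}

int main(void)
{
    uint64_t page[512];
    make_sample(page, 0x187000ULL, 100, 1);   /* constructed: bit wrongly set */
    printf("self-ref entry user-accessible: %d\n", audit_pml4(page, 0x187000ULL));
    return 0;
}
```

A result of `SELFREF_USER` means user-mode code can reach the page tables through the self-map, which is the state the 2018-01 and 2018-02 patches left behind.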
Windows 7 x64 systems that were patched with the 2018-01 and 2018-02 patches are vulnerable. Organizations that have not patched their Windows systems since December 2017, or that recently patched their systems with the 2018-03-29 patch or later, will be secure from this vulnerability. Windows 8.1 and Windows 10 were not affected by this vulnerability.
When vendors release patches, it’s important for organizations to make updates in a timely fashion. Even though the patch that was meant to protect against one vulnerability created another, there is now a patch available to correct the error.
Cyberattackers only need one security hole through which to steal patient data and corrupt a network. Keeping track of patches for storage hardware is critical because unpatched hardware can lead to security holes.