Windows 7 Suffers ‘Total Meltdown’ Thanks To Microsoft’s Meltdown Patch

As if the Meltdown and Spectre CPU flaws weren’t bad enough on their own, Microsoft somehow managed to make Meltdown even worse on Windows 7. According to Swedish security researcher Ulf Frisk, Meltdown itself could allow attackers to read kernel memory at a speed of 120 KB/s, whereas the fix that Microsoft provided to Windows 7 computers for the flaw would now allow attackers to read the same kernel memory at gigabytes per second.

“Total Meltdown”

Frisk called the new vulnerability, which Microsoft introduced on Windows 7 machines while trying to fix the Meltdown flaw, “Total Meltdown.” The new bug allows any process to read the complete memory contents of the system, and it also makes it possible to write to arbitrary memory.

According to Frisk, no special attack or technique was needed. All he had to do was take advantage of Windows 7’s mapping of memory contents that belong to running processes.

The main mistake made by Microsoft is that the company set the PML4 page table permission bit to User instead of the kernel-only Supervisor. As a result, memory that would normally be accessible only to the kernel became accessible to every process, including those running with user-level privileges. The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.

[Image caption: A vulnerable system is “exploited” and the running processes are mounted with PCILeech. Process memory maps and PML4 are accessed.]

In Windows 10, the PML4 is mapped to a random address, while in Windows 7 and Windows Server 2008 R2 the PML4 is always mapped to the fixed address 0xFFFFF6FB7DBED000 in virtual memory. The PML4 doesn’t exist in 32-bit versions of Windows, so these versions have been unaffected by this flaw.
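
To make the two paragraphs above concrete, here is an added example (not code from the article or from Frisk) that splits the fixed Windows 7 address into its four page table indices and tests the User/Supervisor bit of an entry. The bit positions are the architectural x86-64 layout; the sample entries and the frame number 0x187000 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 4-level paging: flag bits present in every paging-structure entry. */
#define PTE_PRESENT (1ULL << 0)
#define PTE_WRITE   (1ULL << 1)
#define PTE_USER    (1ULL << 2)  /* U/S: 0 = Supervisor only, 1 = User allowed */

/* Fixed Windows 7 / Server 2008 R2 PML4 address quoted in the article. */
#define WIN7_PML4_VA 0xFFFFF6FB7DBED000ULL

/* 9-bit index a virtual address selects at level 4 (PML4) down to 1 (PT). */
static unsigned pt_index(uint64_t va, int level)
{
    return (unsigned)((va >> (12 + 9 * (level - 1))) & 0x1FF);
}

/* When all four indices name the same slot, the walk passes through one
 * self-referencing PML4 entry four times and lands on the PML4 itself.
 * Returns that slot, or -1 if the address is not of this form. */
static int self_ref_slot(uint64_t va)
{
    unsigned slot = pt_index(va, 4);
    for (int level = 3; level >= 1; level--)
        if (pt_index(va, level) != slot)
            return -1;
    return (int)slot;
}

/* User-mode code can use an entry only if it is present and U/S is set.
 * For a self-referencing entry this one bit governs every level of the walk. */
static int user_accessible(uint64_t entry)
{
    return (entry & PTE_PRESENT) && (entry & PTE_USER);
}

int main(void)
{
    /* Constructed entries: same hypothetical frame, differing only in U/S. */
    uint64_t supervisor_entry = 0x187000ULL | PTE_PRESENT | PTE_WRITE;
    uint64_t user_entry = supervisor_entry | PTE_USER;

    printf("self-reference slot: 0x%X\n", (unsigned)self_ref_slot(WIN7_PML4_VA));
    printf("Supervisor entry reachable from user mode: %d\n", user_accessible(supervisor_entry));
    printf("User entry reachable from user mode:       %d\n", user_accessible(user_entry));
    return 0;
}
```

All four indices of the fixed address come out as the same slot, so a single entry decides whether the page tables are visible to user-mode code.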

Frisk said that:

Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory.

Frisk also noted that Microsoft already issued a fix for this bug earlier this month, after he alerted the company about it.

Patching In A Rush

Although Microsoft seems to have been one of the few companies that knew about Meltdown and Spectre earlier than the general public, the company still seems to have bungled the release of the patches by rushing to fix the vulnerabilities as soon as possible.

Frisk’s revelation comes after Intel also botched the release of the Spectre variant 2 patch, which caused some rebooting issues for its customers. Microsoft and OEMs had to recall the patch for Windows machines. Microsoft’s Meltdown and Spectre patches also caused some rebooting issues for older AMD systems, but the company blamed those on AMD’s poor documentation.