Microsoft released an out-of-band fix on Thursday for a Windows vulnerability introduced earlier this year as a patch. If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. No other Windows OS version is impacted.
The bad patch was delivered via Microsoft’s January Patch Tuesday update. The fix was meant to protect Windows’ system from memory vulnerabilities associated with Intel’s CPU bug Meltdown.
Researcher Ulf Frisk, credited for first identifying the flaw, said Microsoft’s botched patch “stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.”
As part of his research, Frisk created a proof-of-concept exploiting the bug, publishing his findings in a technical break down.
“We released a security update for Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64). Customers who apply the updates, or have automatic updates enabled, are protected,” Microsoft said in a statement Thursday.
Microsoft said the bug (CVE-2018-1038) is a Windows kernel elevation of privilege vulnerability. It said:
“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
In order for an attacker to exploit this vulnerability they would first have to log on to the targeted PC and then run a “specially crafted” application to hijack the system, according to Microsoft. “The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory,” the advisory states.
Frisk had originally stated Microsoft’s March Patch Tuesday update corrected the issue. On Thursday, Frisk now says Microsoft’s March Patch Tuesday update did not fix the vulnerability. Frisk has made his proof-of-concept available via a PCILeech direct memory access attack toolkit, hosted on GitHub.