Microsoft Fixes Bad Patch That Left Windows 7, Server 2008 Open to Attack

Microsoft released an out-of-band security update to correct a faulty patch that left Windows 7 and Windows Server 2008 open to attack.

Microsoft released an out-of-band fix on Thursday for a Windows vulnerability that was introduced earlier this year by a patch. If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. No other Windows OS version is impacted.

The bad patch was delivered via Microsoft’s January Patch Tuesday update. That patch was meant to protect Windows systems from memory vulnerabilities associated with Intel’s CPU bug Meltdown.

Researcher Ulf Frisk, credited for first identifying the flaw, said Microsoft’s botched patch “stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.”

As part of his research, Frisk created a proof-of-concept exploiting the bug and published his findings in a technical breakdown.

“We released a security update for Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64). Customers who apply the updates, or have automatic updates enabled, are protected,” Microsoft said in a statement Thursday.

Microsoft said the bug (CVE-2018-1038) is a Windows kernel elevation of privilege vulnerability. It said:

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

In order for an attacker to exploit this vulnerability they would first have to log on to the targeted PC and then run a “specially crafted” application to hijack the system, according to Microsoft. “The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory,” the advisory states.

Frisk had originally stated that Microsoft’s March Patch Tuesday update corrected the issue. On Thursday, Frisk said the March Patch Tuesday update did not fix the vulnerability. Frisk has made his proof-of-concept available via the PCILeech direct memory access attack toolkit, hosted on GitHub.
