[German]Microsoft’s Meltdown security patches released since January 2018 has created a new vulnerability called Total Meltdown in Windows 7 and Windows Server 2008 R2. Now somebody has released exploit code on GitHub to exploit this vulnerability. Here is an attempt to classify and sort a few things.
What is Total Meltdown?
The updates provided by Microsoft to close the meltdown vulnerability open another security hole called Total Meltdown on Windows 7 and Windows Server 2008 R2. I’ve described the problem in late March 2018 in the blog post Windows 7 Jan./Feb. 2018 patches opens Total Meltdown vulnerability.
This allows any process under Windows 7 to read and write to any memory area without exploits. Utilization only requires simple read and write operations on the already mapped virtual memory. Ulf Frisk draws attention to this in his blog entry Total Meltdown. Also the March 2018 patches did not change this vulnerability, as Ulf Frisk added in his blog post.
Microsoft’s attempts to fix this issue
Woody Leonhard has it at askwoody.com, the following list of security updates has been released to fix the Meltdown vulnerarbility.
- KB 4056894 Win7/Server 2008 R2 January Monthly Rollup.
- KB 4056897 Win7/Server 2008 R2 January Security-only patch.
- KB 4073578 Hotfix for “Unbootable state for AMD devices in Windows 7 SP1. and Windows Server 2008 R2 SP1” bug installed in the January Monthly Rollup and Security-only patches.
- KB 4057400 Win7/Server 2008 R2 Preview of the February Monthly Rollup.
- KB 4074598 Win7/Server 2008 R2 February Monthly Rollup.
- KB 4074587 Win7/Server 2008 R2 February Security-only patch.
- KB 4075211 Win7/Server 2008 R2 Preview of the March Monthly Rollup.
- KB 4091290 Hotfix for “smart card based operations fail with error with SCARD_E_NO_SERVICE” bug installed in the February Monthly Rollup.
- KB 4088875 Win7/Server 2008 R2 March Monthly Rollup.
- KB 4088878 Win7/Server 2008 R2 March Security-only patch.
- KB 4088881 Win7/Server 2008 R2 Preview of April Monthly Rollup.
These updates are causing the Total Meltdown security issue.
Total Meltdown Exploit released
Hacker and InfoSec Researcher xpn has released the exploit code for CVE-2018-1038.c on Github. A broader discussion has been published here by xpn. All the information needed to attack systems running Windows 7 and Windows Server 2008 / R2 is now available, as Woody Leonhard just mentioned on askwoody.com.
What can we do?
Microsoft has released a security update on March 29, 2018 to fix Total Meltdown vulnerability (see Update KB4100480 for Windows 7/Server 2008 R2 (03/29/2018)). But this update is causing issues (see here and here). On April 10, 2018 a Windows-Kernel-Update for CVE-2018-1038 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1, to close Total Meltdown, has been released.
But there are issues with these updates …
Update KB4093118 (see blog post Patchday: Updates for Windows 7/8.1/Server April 2018) is causing an install loop on several machines (especially Windows Server 2008 R2). And there is a SMB memory leak. I’ve mentioned that within my blog post Microsoft April 2018 patchday issues.
So many users hides these updates to avoid the issues mentioned above. If you hide update KB4093118, you are not protected against Total Meltdown.
Tip: Within my blog post Microsoft April 2018 patchday issues I’ve mentioned, that uninstalling update KB4093113 (RollUp), which is causing the install loop, may fix the isue. So you are able to install update KB4093118.
Woody Leonhard gives this advices to protect Windows 7 SP1 and Windows Server 2008 R2.
- Download security only update KB4093108 from April 7, 2018 from Microsoft Update Catalog and install it manually.
- Install Monthly Quality Update KB4093118 from April 23, 2017 (if that is possible).
Woody Leonhard advises to make a backup before installing the updates to be able to reset the system in case of problems. Is the installation of the above updates not possible due to known bugs or installation problems? MVP colleague Susan Bradley suggests the last possibility here: Reset the machine so far that no more January 2018 updates are installed. Only people who are running Windows 8.1 or Windows 10 or their server counterparts are not affected.