Ulf Frisk, a cybersecurity researcher, has discovered a vulnerability in Microsoft’s early patches for Meltdown that makes the situation worse than the bug they were meant to fix – allowing an unprivileged application to read kernel memory.
Worse yet, an unprivileged application can also write to that memory. According to Frisk, Windows 7 x64 and Windows Server 2008 R2 systems with the January or February set of patches are affected.
Furthermore, any user-mode application can also access the kernel’s page tables. This matters because the CPU uses these tables to translate each process’s virtual addresses into physical addresses.
Frisk commented that the vulnerability could easily be taken advantage of to access all physical memory. In technical terms, an attacker could locate the Windows 7 page tables, which the faulty patches left accessible from user mode.
To further elaborate, Frisk explained that Windows 7 already maps the required memory, including the page tables, into every process running on the computer. Exploiting the flaw therefore means reading and writing memory that is already mapped into the process, with no further setup.
Giving user mode read/write access to the page tables makes it trivially easy to access the entire physical memory on demand – unless, of course, the machine is protected by the Extended Page Tables used for virtualisation. The only thing that remains to be done is to write new Page Table Entries into the page tables in order to map arbitrary physical memory.
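As an added illustration (not code from Frisk’s write-up or from this article), the check below models the misconfiguration the two preceding paragraphs describe: an x86-64 top-level page table (PML4) in which the entry that maps the page tables themselves into every process (the self-referencing entry) carries the User bit, so user mode can reach them. The PML4 contents, the physical addresses and the self-map slot index are constructed assumptions for the demonstration, not values taken from a real system.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-table entry bits (Intel SDM Vol. 3, Sec. 4.5). */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_WRITABLE  (1ULL << 1)
#define PTE_USER      (1ULL << 2)          /* set: reachable from user mode */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL
#define PML4_ENTRIES  512
#define KERNEL_HALF   256                  /* indexes 256..511 = upper canonical half */
#define SELF_REF_SLOT 493                  /* assumed slot for the self-map in this demo */

/* Index of the PML4 entry whose target is the PML4 itself (the entry that
   maps the page tables into virtual memory), or -1 if there is none. */
int find_self_ref(const uint64_t *pml4, uint64_t pml4_phys) {
    for (int i = 0; i < PML4_ENTRIES; i++)
        if ((pml4[i] & PTE_PRESENT) && (pml4[i] & PTE_ADDR_MASK) == pml4_phys)
            return i;
    return -1;
}

/* Count present kernel-half entries that carry the User bit. A healthy
   kernel has zero; a user-accessible, writable self-map is exactly the
   condition the article describes (user mode can reach the page tables). */
int count_user_kernel_entries(const uint64_t *pml4) {
    int bad = 0;
    for (int i = KERNEL_HALF; i < PML4_ENTRIES; i++)
        if ((pml4[i] & (PTE_PRESENT | PTE_USER)) == (PTE_PRESENT | PTE_USER))
            bad++;
    return bad;
}

/* Build a constructed PML4 (not captured from any real machine). */
void build_sample_pml4(uint64_t *pml4, uint64_t pml4_phys, int user_self_map) {
    for (int i = 0; i < PML4_ENTRIES; i++) pml4[i] = 0;
    pml4[0]   = 0x1000ULL | PTE_PRESENT | PTE_WRITABLE | PTE_USER; /* user region: normal */
    pml4[256] = 0x2000ULL | PTE_PRESENT | PTE_WRITABLE;            /* kernel: supervisor only */
    pml4[SELF_REF_SLOT] = pml4_phys | PTE_PRESENT | PTE_WRITABLE
                        | (user_self_map ? PTE_USER : 0);           /* the self-map */
}

int main(void) {
    uint64_t pml4[PML4_ENTRIES];
    build_sample_pml4(pml4, 0x3000ULL, 1);   /* January/February patch state: User bit set */
    printf("self-map at index %d, user-reachable kernel entries: %d\n",
           find_self_ref(pml4, 0x3000ULL), count_user_kernel_entries(pml4));
    return 0;
}
```

Run with the third argument of `build_sample_pml4` set to 0 to see the expected healthy result of zero user-reachable kernel entries.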
As previously stated, only Windows 7 x64 and Windows Server 2008 R2 systems are affected by this. Windows 8.1 and Windows 10 are not affected.