Microsoft issues update to fix flaw in earlier Meltdown patch
Microsoft has issued an update that will fix a flaw, CVE-2018-1038, found in a previous patch that was issued to protect Windows 7 x64 or Windows Server 2008 R2 x64 systems from the Meltdown vulnerability.
The company said that when the original patch is installed on either of these two systems an unprivileged process may be able to read and write the entire memory space available to the Windows kernel. This is because the first patch, which was released in January 2018, “incorrectly sets the permission bit for memory accessible from unprivileged user space. As a result, such platforms that have the meltdown patch installed,” U.S. CERT wrote in its advisory.
This could result in an attacker having the ability to run code on an affected platform as an unprivileged user allowing that person to read from and write to the entire contents of system memory.
Meltdown, and its related vulnerability Spectre, are flaws in many modern processors that allow side-channel attacks.
“Both Spectre and Meltdown take advantage of the ability to extract information from instructions that have executed on a CPU using the CPU cache as a side-channel,” according to KB CERT.
Source | scmagazine