2018 really started with a bang for those of us who report on cybersecurity: Meltdown was one of the major CPU vulnerabilities which became public knowledge right at the beginning of the year.
Here’s my vague explanation of Meltdown from January 5th:
“One of the cool things about modern CPUs is that they’re designed to do some speculative execution. By trying to prepare possible calculations that the CPU may need to execute ahead of time, your computer may be made more efficient. If you’re used to programming in languages like Python, you can think of it like the CPU has already figured out every ‘else’ and ‘elif’ for any ‘if’ that comes its way.
Unfortunately, speculative execution taxes the CPU a little bit, even if it has eight cores and loads of cache. Although speculative execution can greatly reduce the time to do some future calculations, it can make some earlier related calculations take longer. In that time, exploit code may be able to infer properties of different processes it otherwise wouldn’t have access to. The data leakage could involve any sort of sensitive data that goes through the CPU. That could include things like encryption keys, cleartext, and passwords. Meltdown affects most Intel x86-64 processors and some high-performance ARM processors.”
The Meltdown story is huge for two reasons.
One is the number of computing devices worldwide that were impacted by the vulnerability. Intel x86, some IBM POWER CPUs, and many ARM CPUs continue to be affected. That means pretty much everyone from the enterprise to institutions to ordinary consumers uses at least once device that’s vulnerable to the Meltdown exploit.
The second reason why the Meltdown news was huge is because of how fundamental the vulnerability is. Patching a vulnerability that purely exists in an application or an operating system is a lot of tremendous hard work. But depending on many variables, it’s more often than not completely fixable with some changes to the code.
But the CPU is the absolutely deepest component of any computer system. Computers can take many forms and a computer can be a computer without hard drives, displays, expansion buses, or memory in the form of RAM. But a computer cannot be a computer without some sort of central processing unit. The CPU really is the computer in its most fundamental form.
So, the fundamental nature of the Meltdown exploit is something that makes it incredibly difficult to mitigate. Meltdown was first publicly reported three months ago. Microsoft has worked very hard on patching the vulnerability for all affected currently supported versions of Windows, but the nightmare is far from over.
Total Meltdown
Meltdown, when unpatched, can leak data to a cyber attacker who exploits the vulnerability. The data is directly from kernel memory, and the leak is about 120 KB/s (kilobytes per second). Security researcher Ulf Frisk discovered that the patch Microsoft deployed for Windows 7 in January has created a new CPU vulnerability which can leak data at gigabytes per second.
So unpatched Windows 7 was a pipe that leaked in tiny dribbles, whereas the metaphorical duct tape Microsoft put around that leak caused it to gush out loads more water from another spot. Oops! And not only does the new vulnerability leak a lot more data to a malicious process, it can also be exploited to write to arbitrary memory.
A malicious process doesn’t need an API or a system call to exploit the new “Total Meltdown” vulnerability, only simple read and write activities are required. As far as Windows 7 is concerned, Total Meltdown is way worse than Meltdown.
Only Windows 7 64-bit and Windows Server 2008 R2 64-bit with Meltdown patches from January or February are vulnerable to this newly discovered Total Meltdown vulnerability. But that’s still a hell of a lot of computers worldwide, and you’ve likely at least interacted with one recently.
How Does it Work?
This particular Meltdown patch changed a key permission bit to “User.” Page tables, which should only be accessible to the kernel itself, became accessible to all user mode code in any and all processes.
So, if a cyber attacker wanted to develop malware to exploit a Windows CPU vulnerability, doing so would be a lot easier after the Meltdown patch than before the patch. It’s very difficult for attackers to acquire kernel-level access. It’s much easier for attackers to acquire user-level access.
Once read/write access has been acquired to the CPU through the erroneous new User permission, all hell breaks loose. Though that sort of page table access, an attacker can acquire access to the full physical memory. This is really scary stuff.
Microsoft’s New Fix
If you run a Windows 7 or Windows Server 2008 R2 machine, you should know that Microsoft released a new patch on March 29th. Here’s Microsoft’s description of the newly patched “Total Meltdown” vulnerability:
“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.”
I recommend that you update all of your Windows 7 or Windows Server 2008 R2 systems as soon as possible in order to install the new patch. Now I’m going to cross my fingers and hope that this brand-new patch doesn’t introduce even more vulnerabilities.
Microsoft’s security patching team really has a difficult job. Kudos to them!
