Back to qualys.com
Gill Langston

A “Patch for the Meltdown Patch” released out of band Thursday night

Meltdown and Spectre Aren’t Business as UsualThe Meltdown/Spectre saga continues…  

Late Thursday, Microsoft released a patch for Windows 7 and Server 2008 R2 operating systems to resolve CVE-2018-1038Apparently, this vulnerability was actually introduced by the patches released in January to mitigate the effects of Meltdown. Microsoft did include a partial fix in the March updates on Patch Tuesday, but did not completely resolve the issue.

According to a blog post by Ulf Frisk, some of the modifications to memory handling opened up read/write access to User mode code, essentially allowing any application on the machine to read and write from memory.

Qualys has created QID 91440 in Vulnerability Management. This detection requires authenticated scanning or a Qualys Cloud Agent installed on the asset, and looks for the presence of the vulnerable version of ntoskrnl.exe.

It should be noted that while there are no current active attacks against this vulnerability, there is PoC code, and opportunistic actors could weaponize this exploit by using a multi-stage attack to gain access to an affected asset.

The bottom line: If you did install any of the security updates in January of this year or later, it is critical that you install this out-of-band patch to ensure your systems are protected from malicious actors. Also ensure that other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile.

One response to “A “Patch for the Meltdown Patch” released out of band Thursday night”

  1. I installed KB4100480 Windows kernel update for CVE-2018-1038 for Windows 7 (64bit) on a system with an AMD Sempron 3000+ 64bit processor. The system was very slow afterwards. I removed the update by doing a system restore and performance reverted to the previous acceptable level. The AMD Sempron 3000+ processor is apparently not susceptible to Meltdown and Steve Gibson’s Inspectre tool confirms this.

    I also installed KB4100480 on an Intel Pentium 4 Prescott 3.2GHz twin core 64bit processor powered Windows 7 system. No change in performance has been observed and it runs fine. This suggests to me that previous MS updates since Jan 2018 might have behaved differently with old AMD processors than with Intel processors. After my AMD Sempron 3000+ powered Windows 7 system was bricked in January, I noticed that the January rollup had become unavailable for it after I had recovered it from a backup taken in November 2017.

    KB4100480 was not presented to me by Windows Update. I had to download and install it manually.

    Is there a simple-to-use tool to test a system for the Microsoft contrived vulnerability? What a mess. Windows 7 is a consumer product and customers rightly expect Windows updates not to require expert management.

    I have seen that this privilege escalation issue is mentioned in connection with PCs used in business environments. Also, to be an exploitable vulnerability the system must be accessible to be logged onto. Since inexpertly managed Windows 7 systems are more likely to be home used systems, physical access by an exploiter will be much less likely. I am not sure if remote logons represent a hazard in this context.

    The whole issue seems chaotic and this is not helped by a lack of clarity in the various ‘expert’ comments I have read. My experience with my old 64bit AMD Sempron powered Windows 7 64bit system suggests that there are exceptions to the CVE-2018-1038 rules and yet no guidance from Microsoft is apparent. I have struggled to acquire my present limited understanding of the situation and doubtless I still l have some way to go before I achieve a decent if still tenuous understanding.

Leave a Reply