![](\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security8-100734737-large.3x2.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Woody Leonhard| Date: Tue, 24 Apr 2018 13:33:00 -0700<\/strong><\/p>\n Remember the <\/span>Total Meltdown <\/span><\/a>security hole? Microsoft spread the vulnerability in every 64-bit Win7 and Server 2008 R2 patch released this year, prior to March 29. Specifically, if you installed <\/span>any <\/i><\/strong>of these patches:<\/span><\/p>\n … your machine was left in an exposed state. Microsoft made changes to your PC that makes it easy for a running to program to look at, or modify, any data on your computer. <\/span><\/p>\n Security researcher Ulf Frisk <\/span>posted details<\/span><\/a> on March 27, giving the security hole the \u201cTotal Meltdown\u201d moniker. That\u2019s in reference to the well-publicized Meltdown and Spectre security holes, which initially started this year\u2019s patching frenzy. All of these patches and repatches existed primarily to circumvent Meltdown and Spectre \u2014 two security vulnerabilities that, to this day, have never been spotted in the wild.<\/span><\/p>\n Keep in mind that Total Meltdown only applies to 64-bit versions of Win7 and Server 2008 R2 \u2014 and that it doesn\u2019t allow malicious programs to run on your machine, it \u201conly\u201d allows them to read or write data anywhere.<\/span><\/p>\n Microsoft responded on March 29 with a patch, <\/span>KB 4100480<\/span><\/a>, which plugs the Total Meltdown security hole but introduces all sorts of additional problems. See threads started by <\/span>MrBrian <\/span><\/a>and <\/span>Susan Bradley <\/span><\/a>on AskWoody. According to <\/span>the KB article<\/span><\/a>, that patch has been superceded by the two April Win7 security patches, released on April 10:<\/span><\/p>\n Both of those, in turn, were riddled with bugs. The Monthly Rollup, in particular, was so bad that Microsoft <\/span>re-released it on April 12<\/span><\/a>. But the new version kept <\/span>installing and re-installing itself<\/span><\/a>, even though Windows flagged it as already installed. If you get hit with that bug, the only solution at this point is to <\/span>hide the update<\/span><\/a>.<\/span><\/p>\n In the past couple of days, self-described \u201cHacker and Infosec Researcher\u201d XPN<\/span> has posted details<\/span><\/a> of a working exploit that takes advantage of Microsoft\u2019s Total Meltdown security hole. The exploit code, updated yesterday, is <\/span>available on GitHub<\/span><\/a>. XPN also has a <\/span>YouTube video<\/span><\/a> showing how quickly it all goes by. Remember: This is code that can retrieve or change any data in memory from a running program. Before it kicks in, a would-be attacker has to get the program running on your machine. But once it’s running, any program can get to any data on your machine.<\/span><\/p>\n On AskWoody, GoneToPlaid <\/span>lays it out<\/span><\/a>:<\/span><\/p>\n I looked at the proof of concept code posted on GitHub by XPN. No malware techniques whatsoever were required, except simply replacing tokens for EPROCESS with SYSTEM. Yet this is done <\/span>after<\/span><\/i> the code has already <\/span>located<\/span><\/i> all computer memory to read in less than a second. The code doesn\u2019t go through the process of actually reading the memory since XPN was merely showing everyone how quickly the code was able to gain access to all computer memory, and then to change the access rights to all computer memory.<\/span><\/p>\n As of this moment, I haven\u2019t heard of any active exploits that take advantage of the Total Meltdown security hole, but with working code so easily available, it\u2019s only a matter of time. A short amount of time, at that.<\/span><\/p>\n How to tell if you\u2019re exposed? <\/span><\/p>\n Step 1. <\/strong>Look at your Update History and see if you have any patches installed this year. (See the list at the beginning of this article.) No patches from 2018? You\u2019re off the hook for Total Meltdown, although you\u2019re exposed for the (few) other real security holes plugged this year.<\/span><\/p>\n Step 2. <\/strong>If you have any of the Windows patches listed above, look to see if you have KB 4100480, 4093108 or 4093118 installed. If any of those three are installed, you\u2019re fine.<\/span><\/p>\n Step 3. <\/strong>If you have one of the Total Meltdown-infected patches installed, and you haven\u2019t yet installed KB 4100480, 4093108 or 4093118, you\u2019re in for some interesting times. As best I can tell, you have three options:<\/span><\/p>\n Be aware of the bugs in KB 4093108 and 4093118 (<\/span>possible blue screen<\/span><\/a> Session_has_valid_pool_on_Exit). In particular, note that Microsoft has removed the old requirement that your antivirus software give the go-ahead by modifying the QualityCompat registry key. It isn\u2019t clear if that\u2019s a move of desperation \u2014 designed to get this month\u2019s security patches pushed onto every machine \u2014 or if antivirus manufacturers have cleaned up their products so the old restriction no longer applies (as is the case with Windows 10).<\/span><\/p>\n By the way, there\u2019s a silver lining to this dreck-drenched cloud. You Win7 folks won\u2019t have any patches at all after Jan. 14, 2020 \u2014 a scant 21 months from now. Something to look forward to, amirite?<\/span><\/p>\n Questions? Hit us <\/span><\/i>on AskWoody<\/span><\/i><\/a>.<\/span><\/i><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<\/p>\n