Microsoft has released an emergency Windows update for Windows 7 and Windows Server 2008 R2 systems to fix a serious memory bug that was introduced after a bungled Meltdown patch in January.
Meltdown and Spectre have caused headaches for device manufacturers as well as companies which develop software. While numerous firms have rolled out patches to mitigate the effects of the vulnerabilities, things haven’t gone too smoothly.
One such example is Microsoft’s Meltdown patch for Windows 7 and Windows Server 2008 R2, which inadvertently paved the way to further exploits.
Security researcher Ulf Frisk noticed that Microsoft’s January patches for Meltdown allowed infected processes to read and write into the physical memory, which could also lead to elevation of privileges. Importantly, this bug was extremely easy to exploit and didn’t require any “fancy API or syscalls”.
While Microsoft fixed this issue in March’s Patch Tuesday, systems running January and February patches have been vulnerable to it, until now. The company has released the KB4100480 update for the following products:
Microsoft has explained the vulnerability as follows:
Microsoft has advised affected users to install the update immediately and has classified the severity of the issue as “Important”. Systems other than those mentioned above are safe from this exploit, and only Windows 7 and Windows Server 2008 R2 computers running January or February patches are affected. Machines running older patches are unaffected from this particular vulnerability too, since it was the January patch that introduced the memory bug in the first place.
Source: Microsoft via Softpedia
