Heads up: Total Meltdown exploit code now available on GitHub

The massive security hole introduced by Microsoft for 64-bit Win7 and Server 2008 R2 now has working proof-of-concept code — and it’s freely available on GitHub. While we haven’t seen exploits in the wild, it’s only a matter of days.


Remember the Total Meltdown security hole? Microsoft spread the vulnerability in every 64-bit Win7 and Server 2008 R2 patch released this year, prior to March 29. Specifically, if you installed any of these patches:

  • KB 4056894 Win7/Server 2008 R2 January Monthly Rollup
  • KB 4056897 Win7/Server 2008 R2 January Security-only patch
  • KB 4073578 Hotfix for “Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1” bug installed in the January Monthly Rollup and Security-only patches
  • KB 4057400 Win7/Server 2008 R2 Preview of the February Monthly Rollup
  • KB 4074598 Win7/Server 2008 R2 February Monthly Rollup
  • KB 4074587 Win7/Server 2008 R2 February Security-only patch
  • KB 4075211 Win7/Server 2008 R2 Preview of the March Monthly Rollup
  • KB 4091290 Hotfix for “smart card based operations fail with error with SCARD_E_NO_SERVICE” bug installed in the February Monthly Rollup
  • KB 4088875 Win7/Server 2008 R2 March Monthly Rollup
  • KB 4088878 Win7/Server 2008 R2 March Security-only patch
  • KB 4088881 Win7/Server 2008 R2 Preview of April Monthly Rollup

... your machine was left in an exposed state. Microsoft made changes to your PC that make it easy for any running program to read, or modify, any data on your computer.

Security researcher Ulf Frisk posted details on March 27, giving the security hole the “Total Meltdown” moniker. That’s in reference to the well-publicized Meltdown and Spectre security holes, which initially started this year’s patching frenzy. All of these patches and repatches existed primarily to circumvent Meltdown and Spectre — two security vulnerabilities that, to this day, have never been spotted in the wild.

Keep in mind that Total Meltdown only applies to 64-bit versions of Win7 and Server 2008 R2 — and that it doesn’t allow malicious programs to run on your machine, it “only” allows them to read or write data anywhere.

Microsoft responded on March 29 with a patch, KB 4100480, which plugs the Total Meltdown security hole but introduces all sorts of additional problems. See threads started by MrBrian and Susan Bradley on AskWoody. According to the KB article, that patch has been superseded by the two April Win7 security patches, released on April 10:

  • KB 4093118 Win7/Server 2008 R2 April Monthly Rollup
  • KB 4093108 Win7/Server 2008 R2 April Security-only patch

Both of those, in turn, were riddled with bugs. The Monthly Rollup, in particular, was so bad that Microsoft re-released it on April 12. But the new version kept installing and re-installing itself, even though Windows flagged it as already installed. If you get hit with that bug, the only solution at this point is to hide the update.

In the past couple of days, self-described “Hacker and Infosec Researcher” XPN has posted details of a working exploit that takes advantage of Microsoft’s Total Meltdown security hole. The exploit code, updated yesterday, is available on GitHub. XPN also has a YouTube video showing how quickly it all goes by. Remember: This is code that can retrieve or change any data in memory from a running program. Before it kicks in, a would-be attacker has to get the program running on your machine. But once it's running, any program can get to any data on your machine.

On AskWoody, GoneToPlaid lays it out:

I looked at the proof of concept code posted on GitHub by XPN. No malware techniques whatsoever were required, except simply replacing tokens for EPROCESS with SYSTEM. Yet this is done after the code has already located all computer memory to read in less than a second. The code doesn’t go through the process of actually reading the memory since XPN was merely showing everyone how quickly the code was able to gain access to all computer memory, and then to change the access rights to all computer memory.

As of this moment, I haven’t heard of any active exploits that take advantage of the Total Meltdown security hole, but with working code so easily available, it’s only a matter of time. A short amount of time, at that.

How to tell if you’re exposed?

Step 1. Look at your Update History and see if you have any patches installed this year. (See the list at the beginning of this article.) No patches from 2018? You’re off the hook for Total Meltdown, although you’re still exposed to the (few) other real security holes plugged this year.

Step 2. If you have any of the Windows patches listed above, look to see if you have KB 4100480, 4093108 or 4093118 installed. If any of those three are installed, you’re fine.

Step 3. If you have one of the Total Meltdown-infected patches installed, and you haven’t yet installed KB 4100480, 4093108 or 4093118, you’re in for some interesting times. As best I can tell, you have three options:

  • Take Susan Bradley’s advice and roll back your machine to its state before the patching insanity started in January. That’s a massive, thankless task, and it leaves you exposed to the (few) real security holes plugged this year.
  • Download and manually install the KB 4093108 Security-only patch.
  • Use Windows Update to install all of the checked April Windows patches, including the KB 4093118 Monthly Rollup.
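The three steps above can be run as one check. The following PowerShell script is an added example, not code from the article or from Microsoft; it uses the KB numbers listed on this page and assumes `Get-HotFix` (PowerShell 2.0 and later) reports the installed updates on the host it runs on.

```powershell
# Added example: decide whether this host is still exposed to Total Meltdown
# by applying the article's three steps to the installed hotfix list.
# Assumption: run in an elevated PowerShell on the machine being checked.

# Patches that introduced the hole (Step 1) and the patches that close it (Step 2).
$affected = 'KB4056894','KB4056897','KB4073578','KB4057400','KB4074598','KB4074587',
            'KB4075211','KB4091290','KB4088875','KB4088878','KB4088881'
$fixes    = 'KB4100480','KB4093108','KB4093118'

function Get-TotalMeltdownStatus {
    param([string[]]$InstalledIds)
    $bad  = @($affected | Where-Object { $InstalledIds -contains $_ })
    $good = @($fixes    | Where-Object { $InstalledIds -contains $_ })
    # Step 1: none of the 2018 patches present -> Total Meltdown does not apply.
    if ($bad.Count -eq 0)  { return 'Not affected: none of the patches that introduced Total Meltdown are installed.' }
    # Step 2: an affected patch is present but so is one of the fixes.
    if ($good.Count -gt 0) { return "Fixed: $($good -join ', ') installed." }
    # Step 3: affected patch present, no fix installed.
    return "EXPOSED: $($bad -join ', ') installed without KB 4100480, 4093108 or 4093118."
}

# Only 64-bit Windows 7 / Server 2008 R2 (kernel 6.1) is in scope.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -notlike '6.1.*' -or $os.OSArchitecture -ne '64-bit') {
    "Out of scope: $($os.Caption) ($($os.OSArchitecture)); Total Meltdown only affects 64-bit Win7 / Server 2008 R2."
} else {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    Get-TotalMeltdownStatus -InstalledIds $installed
}
```

`Get-HotFix` reads the same Win32_QuickFixEngineering data as the Installed Updates list, which does not record every update type; if the result looks wrong, cross-check against Update History as the steps describe.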

Be aware of the bugs in KB 4093108 and 4093118 (possible blue screen Session_has_valid_pool_on_Exit). In particular, note that Microsoft has removed the old requirement that your antivirus software give the go-ahead by modifying the QualityCompat registry key. It isn’t clear if that’s a move of desperation — designed to get this month’s security patches pushed onto every machine — or if antivirus manufacturers have cleaned up their products so the old restriction no longer applies (as is the case with Windows 10).

By the way, there’s a silver lining to this dreck-drenched cloud. You Win7 folks won’t have any patches at all after Jan. 14, 2020 — a scant 21 months from now. Something to look forward to, amirite?

Questions? Hit us on AskWoody.

Copyright © 2018 IDG Communications, Inc.
