Microsoft releases emergency patch for Windows 7

by Hilbert Hagedoorn on: 04/02/2018 08:52 AM | source: | 15 comment(s)

Microsoft released an out of band emergency patch for a vulnerability in Windows 7 and Windows Server 2008. This was necessary after a security researcher discovered that a Meltdown-patch released in January this year, introduced a new and even bigger vulnerability.

The patch released in January should have protected Windows 7 and Windows Server 2008 systems against the Meltdown attack writes myce. Unfortunately the update introduced a new vulnerability that allowed any random process to read the entire system’s memory and to write data to it. Security researchers Ulf Frisk discovered the new issue and according to him the vulnerability is fairly easy to exploit.

Microsoft reports the vulnerability allowed a logged in attacker to use a specially crafted application to take control of an affected system. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft further explains.

Therefore, Microsoft decided to release an emergency patch outside its regular Patch Tuesday release-cycle. The software giant strongly advises users to install the update as soon as possible. Microsoft hasn’t discovered any attacks exploiting the vulnerability in the wild yet, but the company expects that’s only a matter of time.

Related Stories

Microsoft will Increase Windows license fees for high-end hardware - 03/30/2018 08:12 AM
It has been mentioned before, different Windows 10 licensing models based on the hardware you use. Currently, there is wordout on the street that Microsoft plans to raise license fees for computers wi...

Microsoft DirectX Raytracing - EA Real-time Raytracing Experiment - 03/20/2018 09:12 AM
EA also shared a video demoing Real-time Raytracing. PICA PICA' is a demo and experiment using SEED's 'Halcyon' research engine and Microsoft's new DirectX Raytracing API to do real-time GPU ray...

Microsoft announces DirectX Raytracing for real-time raytracing - 03/20/2018 08:46 AM
Shortly after the Nvidia announcement, Microsoft follows by adding DirectX Raytracing to the DirectX 12 api. According to the manufacturer, the technology clears the way for games that are partly buil...

Microsoft DirectX Raytracing - Remedy Example Video - 03/20/2018 08:46 AM
Remedy Entertainment discussed the experiments and research we have done in collaboration with Nvidia on the Microsoft DirectX Raytracing (DXR) API that enables straightforward access to real-time ray...

Intel and Microsoft release final Spectre Patches up to and including Sandy Bridge - 03/15/2018 04:24 PM
As Intel finalizes them, Microsoft started distributing Microcode updates for the Spectre variant 2, the updates now have a reach from the latest Coffee Lake processors, Kaby Lake (Core iX-7xxx and iX...

Fox2232
Senior Member

Posts: 9738
Joined: 2012-07-20

#5534115 Posted on: 04/02/2018 09:08 AM

And they forgot to mention that attacker may as well flash BIOS (unless flash protected form OS), to have full list of "popular" exploits these days...
...as it seems that flashing BIOS is most important thing attacker wants to do once he has control over system.

Picolete
Senior Member

Posts: 270
Joined: 2014-12-09

#5534132 Posted on: 04/02/2018 11:38 AM

If I secure my BIOS with a password, shouldn't i be secure from some of this exploits?

Fox2232
Senior Member

Posts: 9738
Joined: 2012-07-20

#5534136 Posted on: 04/02/2018 12:11 PM

If I secure my BIOS with a password, shouldn't i be secure from some of this exploits?

It was a joke from my side. Writing code which works at boot time and still allows normal system operation is not that easy in limited space of BIOS flash. So it is one of last targets attacker has on list. (If it even gets to list as each MB requires different BIOS and has different kinks which may prevent system from being operational and therefore lost even to attacker himself.)

Meltdown/spectre and similar are not spawning from BIOS therefore password on BIOS does not protect against them. (OS level attacks.)
But in case they allow attacker to gain control over your system, you do not need BIOS-Admin-Password. You need settings preventing BIOS flashing from OS.

Rich_Guy
Senior Member

Posts: 12264
Joined: 2003-05-11

#5534159 Posted on: 04/02/2018 02:00 PM

Link to the patch in the catalog ?

vonSternberg
Senior Member

Posts: 151
Joined: 2017-09-12

#5534160 Posted on: 04/02/2018 02:03 PM

Has anyone even been affected by it? I haven't updated my Windows 7 since 2012 and have never had any issues.

Rich_Guy
Senior Member

Posts: 12264
Joined: 2003-05-11

#5534162 Posted on: 04/02/2018 02:06 PM

Think ive found it, is this it ?

EDIT: (Yep this is it).

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4100480

Applies if you have any of these ones installed.

https://support.microsoft.com/en-gb/help/4100480/windows-kernel-update-for-cve-2018-1038

Info :-

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038

glutto
Senior Member

Posts: 579
Joined: 2002-12-05

#5534172 Posted on: 04/02/2018 02:34 PM

Such a tiny little patch.

Rich_Guy
Senior Member

Posts: 12264
Joined: 2003-05-11

#5534173 Posted on: 04/02/2018 02:36 PM

Such a tiny little patch.

Yep, all 22mb of it!

TheDeeGee
Senior Member

Posts: 6137
Joined: 2010-08-28

#5534194 Posted on: 04/02/2018 03:43 PM

Has anyone even been affected by it? I haven't updated my Windows 7 since 2012 and have never had any issues.

No updates since 2012 means you're perfectly safe.

chronek
Senior Member

Posts: 185
Joined: 2016-09-19

#5534200 Posted on: 04/02/2018 03:58 PM

It was not a bug, it was a feature.. They released backdoor update

warlord
Senior Member

Posts: 2369
Joined: 2012-10-22

#5534201 Posted on: 04/02/2018 04:05 PM

No updates since 2012 means you're perfectly safe.

Like Windows 7 era. Windows 7 are not safe and sound yet, back to XP with no updates no internet stuff. Windows 10 era. Windows 10 are spying, back to Windows 7 with some patches only not a lot of internet activity to keep it under control.

RealNC
Senior Member

Posts: 3082
Joined: 2011-11-24

#5534224 Posted on: 04/02/2018 06:39 PM

If I secure my BIOS with a password, shouldn't i be secure from some of this exploits?

Eh, no.

This reminds of old-school mainboards having jumpers to physically shut off write access to the BIOS. What happened to that? It was a good solution.

Turanis
Senior Member

Posts: 1422
Joined: 2014-08-15

#5534253 Posted on: 04/02/2018 08:33 PM

Tim Sneath,ex-Microsoft:
https://medium.com/@timsneath/from-windows-to-the-cloud-89d5ae28a95f

"The recent shift to the cloud has proven immensely profitable, with Microsoft stock growing to levels that seemed unfathomable just a few years ago.
The shift away from the client and Windows is clearly working as a business strategy — but it’s a seismic shift for the company and its culture.

If you’re an ecosystem partner of Microsoft, the lesson is clear — in the same way as Windows is no longer a core business, unless you’re focused on the cloud, you’re not a strategic partner."

jaggerwild
Senior Member

Posts: 687
Joined: 2005-11-18

#5534264 Posted on: 04/02/2018 09:38 PM

So Windows 7 is still supported?

Lebon30
Member

Posts: 36
Joined: 2018-04-02

#5534311 Posted on: 04/03/2018 12:05 AM

Huh. I'll wait a bit to patch for this because I wanna be sure there's no issues in patching.

So Windows 7 is still supported?

Until April 2020.

Post New Comment

Click here to post a comment for this news story on the message forum.