Microsoft has today released an emergency update for the Windows 7 and Windows Server 2008 R2 operating systems. Direct download links for Windows 7 KB4100480 are available from Microsoft’s official website, and this update finally addresses a vulnerability introduced by the Meltdown patch released earlier this year.
In January, Microsoft released important updates for the Windows operating system with Meltdown and Spectre fixes. While the updates were supposed to fix the reported vulnerabilities, it looks like Microsoft mistakenly opened the door to a different kind of exploit. Security researcher Ulf Frisk has discovered that the patch for Windows 7 allows normal processes read and write access to physical memory.
Frisk was also able to confirm his claims in a blog post. The researcher says that this flaw could be misused to obtain administrator privileges on vulnerable machines. “No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write,” he explained.
The good news is that Microsoft has finally addressed this vulnerability in KB4100480. Microsoft has detailed the important vulnerability ‘CVE-2018-1038’ on a security page, and the company recommends that users patch their systems as soon as possible, although no attacks have been spotted yet.
“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system,” Microsoft writes.
KB4100480 Download Links for Windows 7
Windows 7 KB4100480 Direct Download Links: 32-bit (x86) and 64-bit.
Microsoft says that the update is available for all Windows 7 users via Windows Update, and it can also be installed from Microsoft’s official website linked above.
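One way to confirm that the update described above actually landed on a Windows 7 or Windows Server 2008 R2 machine, as an added example that is not from Microsoft or the original article. The function name `Test-KB4100480` is hypothetical, and the script assumes Windows PowerShell with WMI access to each host being checked.

```powershell
# Added example (not Microsoft's code). Test-KB4100480 is a hypothetical name.
# Assumes Windows PowerShell with WMI access to every host in -ComputerName.
function Test-KB4100480 {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        $status = 'Unknown'; $detail = ''; $caption = ''
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            $caption = $os.Caption
            if ($os.Version -notlike '6.1.*') {
                # NT 6.1 is Windows 7 / Server 2008 R2, the systems this update targets.
                $status = 'NotApplicable'
            } else {
                $fix = Get-HotFix -Id 'KB4100480' -ComputerName $computer -ErrorAction SilentlyContinue
                if ($fix) {
                    $status = 'Installed'
                    $detail = "InstalledOn: $($fix.InstalledOn)"
                } else {
                    # A missing KB id is a prompt for review, not proof of exposure.
                    $status = 'Missing'
                    $detail = 'KB4100480 not listed; check Windows Update on this host'
                }
            }
        } catch {
            # WMI query failed (host offline, firewall, or access denied).
            $status = 'Unreachable'
            $detail = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Computer = $computer; OS = $caption; Status = $status; Detail = $detail
        }
    }
}

# Local machine by default; pass -ComputerName with a list of hosts to check several.
Test-KB4100480 | Format-Table Computer, OS, Status, Detail -AutoSize
```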
Microsoft has, however, confirmed that the Windows 10 operating system is not vulnerable to any such security flaws. It is worth noting that all other supported versions of the operating system, including Windows 8, are fully protected, and computers running the December 2017 update aren’t affected, as the bug only affects Windows 7 devices with the Meltdown patch.
In other words, all versions of Windows except Windows 10 are fully protected. Windows 7 computers running the January and February 2018 patches are vulnerable, while Windows 7 computers with the December 2017 update or later aren’t affected.