Microsoft Issues Out-Of-Band Security Update for Windows 7 & Windows Server 2008

Microsoft issued today an out-of-band security update for 64-bit versions of Windows 7 and Windows Server 2008 R2.

The security update —KB4100480— addresses a security bug discovered by a Swedish security expert earlier this week.

The bug was caused by a patch meant to fix the Meltdown vulnerability but accidentally opened the kernel memory wide open.

According to Ulf Frisk, Microsoft’s January 2018 Meltdown patch (for CVE-2017-5754) allowed any app to extract or write content from/to the kernel memory. This all happened because the Meltdown patch accidentally flipped a bit that controlled access permissions to kernel memory.

Frisk said that the March Patch Tuesday appears to have “fixed” the issue, as he was not able to interact with kernel memory.

But today, Microsoft released KB4100480 to make sure the vulnerability was closed for good. The accidental bit flip bug now has its own CVE identifier of CVE-2018-1038.

The flaw is not remotely exploitable, and attackers need either physical access to a PC, or they need to infect the PC with malware beforehand.

Besides KB4100480, Microsoft released another out-of-band security update last Friday, March 23. KB3203399 resolved a vulnerability (CVE-2017-8551) in Microsoft Office that could lead to remote code execution and was meant for Microsoft Project Server 2013 Service Pack 1 users only.

March 29, 2018