A “Patch for the Meltdown Patch” released out of band Thursday night

The Meltdown/Spectre saga continues…  

Late Thursday, Microsoft released a patch for Windows 7 and Server 2008 R2 operating systems to resolve CVE-2018-1038. Apparently, this vulnerability was actually introduced by the patches released in January to mitigate the effects of Meltdown. Microsoft did include a partial fix in the March updates on Patch Tuesday, but did not completely resolve the issue.

According to a blog post by Ulf Frisk, some of the modifications to memory handling opened up read/write access to User mode code, essentially allowing any application on the machine to read and write from memory.

Qualys has created QID 91440 in Vulnerability Management. This detection requires authenticated scanning or a Qualys Cloud Agent installed on the asset, and looks for the presence of the vulnerable version of ntoskrnl.exe.

It should be noted that while there are no current active attacks against this vulnerability, there is PoC code, and opportunistic actors could weaponize this exploit by using a multi-stage attack to gain access to an affected asset.

The bottom line: If you did install any of the security updates in January of this year or later, it is critical that you install this out-of-band patch to ensure your systems are protected from malicious actors. Also ensure that other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile.