Microsoft may have patched Windows 10 for Meltdown, but a security researcher claims that the patch had a "fatal flaw" that undermines the purported protection. The only way to get a true fix is to update to the Windows 10 April 2018 Update, which was released earlier this week. Bleeping Computer first reported the news.
Welp, it turns out the #Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation. This is now patched on RS4 but not earlier builds -- no backport?? pic.twitter.com/VIit6hmYK0 — Alex Ionescu (@aionescu) May 2, 2018
Alex Ionescu of Crowdstrike wrote on wrote on Twitter that "#Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation."
The layman's explanation there is that the patch still allowed access to the kernel, therefore undermining the use of having a patch at all. In other words, you're still vulnerable to Meltdown. This requires local code execution privileges and occurs only on Windows 10 Build 1709, the Fall Creators Update. If you've been updating your computer over Windows Update, that's very likely the version you have right now.
"We are aware and are working to provide customers with an update," a Microsoft spokesperson told Laptop Mag.
According to Bleeping Computer, the issue was fixed in the April 2018 major Windows 10 update that was released on Monday. This puts users in a bit of a predicament, as many like to wait until the kinks are worked out in new releases.
Additionally, you still have to manually download the new update, as it is not rolling out automatically just yet. Even then, it could take a long time for the April 2018 update to finally reach your PC.
Ionescu's point that there is "no backport" suggests that Microsoft has yet to bring the fix to older versions of Windows 10. Hopefully, we'll see a new fix on May 8, this month's Patch Tuesday.
Meltdown and another vulnerability, Spectre, were disclosed by Google's Project Zero and other researchers back in January. Meltdown affects almost every Intel processor going back to the mid-1990s, and Spectre affects many ARM and AMD processors as well. You can't currently buy a laptop or desktop without at least one of these vulnerabilities, though mitigations have come through via both operating-system and chip-firmware patches.
Image credit: Natascha Eidl/Public domain
Windows 10 Security and Networking
- Use the Windows 10 Parental Controls
- Find Your MAC Address
- Turn Your Windows PC into a Wi-Fi Hotspot
- Password Protect a Folder
- Create a Guest Account in Windows 10
- Enable Windows Hello Fingerprint Login
- Set Up Windows Hello Facial Recognition
- How to Restrict Cortana's Ever-Present Listening in Windows 10
- Automatically Lock Your PC with Dynamic Lock
- Blacklist Non-Windows Store Apps
- Find Saved Wi-Fi Passwords
- Set Up a Metered Internet Connection
- Use Find My Device
- Stream XBox One Games
- All Windows 10 Tips
- Map a Network Drive
- Create Limited User Accounts
- Set Time Limits for Kids
- Pin People to Your Taskbar
