Skip to content

Security News

Chinese Super Micro ‘spy chip’ story …

QUOTE

Chinese Super Micro ‘spy chip’ story gets even more strange as everyone doubles down
Bloomberg puts out related story while security experts cast doubt on research and quotes

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication.

On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by publishing a new, related story about how a “major US telecommunications company” discovered a similar hardware hack in components from the computer manufacturer at the center of the story, Super Micro.

That latest piece comes after one of the experts in the original story gave an interview in which he expressed his concern about the finished piece and questioned whether Bloomberg had done sufficient fact checking before publishing.

The new article also comes in the wake of a second, even stronger denial of the key elements of the story by Apple – sent to US Congress committees – as well as statements from the intelligence wings of both the UK and US governments that push the idea that Bloomberg may have made a serious reporting mistake.

With clear and increasingly firm stances that stand in complete opposition to one another, security experts remain undecided as to whether the story is largely correct and China did insert spy chips into Super Micro motherboards; or whether the journalists behind the story wrongly extrapolated information and ended up publishing something incorrect.

Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign.

Another expert, another report

In its most recent story, Bloomberg claims to have seen “documents, analysis and other evidence” of Chinese interference: in this case “manipulated hardware” stemming from Super Micro that was discovered in the network of a large US telecoms company and pulled out in August.

The source of that report is named: Yossi Appleboum, CEO of security specialists Sepio Systems. Appleboum claims to have discovered “unusual communications” coming from a Super Micro server that was part of a data center audit ordered by the unnamed company.

Physical inspection of that board revealed “an implant built into the server’s Ethernet connector,” Appleboum says. Bloomberg knows the company affected but has chosen not to name it because of a non-disclosure agreement signed between Sepio Systems and the company in question.

While Bloomberg notes that the Ethernet implant “is different from the one described in the Bloomberg Businessweek report last week,” it argues that it shares “key characteristics” including the fact that the alteration was made at a Super Micro factory and it was designed to be invisible while extracting data.

The conclusion that the impact was introduced at the factory in China was reached by Appleboum, he claims. But notably he goes on to state that “he was told by Western intelligence contacts that the device was made at a Super Micro subcontractor factory in Guangzhou, a port city in southeastern China.”

Appleboum make a series of other interesting statements, including that the Sepio team had seen similar variations of the implant in other motherboards made in China, and that he had been informed by intelligence agents from other countries that they had been tracking the manipulation of Super Micro hardware for some time.
You know nothing, DHS

Bloomberg used the report to push back against a statement from the US Department of Homeland Security (DHS) in which it said it had “no reason to doubt” denials of its spy-chip original story. Bloomberg insists that there was an FBI investigation of the issue, but that it was run by the organization’s “cyber and counterintelligence teams, and that DHS may not have been involved.”

In other words, Bloomberg – seemingly surprised by the forceful denials of its story – is arguing that only a small group of people were aware of the investigations it wrote about and so claims of inaccuracy may come from people who simply do not know about them.

….

All of which is to say: after five days of fierce scrutiny, no one is any the wiser as to whether the story is true or not. We will have to see what this week brings.

World’s largest CCTV maker leaves at least 9 million cameras open to public viewing

Made in China. Maybe it also has an ethernet hardware implant chip if all else fails. HHmmm I see a trend here.

QUOTE

Xiongmai’s cloud portal opens sneaky backdoor into servers

Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.

This time, it’s Chinese surveillance camera maker Xiongmai named and shamed this week by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.

As a result, SEC Consult warns, the cameras could be compromised to do everything from spy on their owners, to carry out botnet instructions and even to serve as an entry point for larger network intrusions.

“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult recommended.

“The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version.”

Enabled by default, the P2P Cloud service allows users to remotely connect to devices via either a web browser or an iOS/Android app and control the hardware without needing a local network connection.

Unfortunately, SEC Consult explained, shortcomings in both the devices themselves and the service, such as unencrypted connections and default passwords (owners are not required to change the defaults when setting up the device) mean that in many cases, accessing and compromising camera could be a cinch.

Additionally, SEC Consult notes, the Xiongmai devices do not require that firmware updates be signed, meaning it would be possible for an attacker to install malware-laden firmware updates to build a botnet or stage further attacks on the local network.

“This is either possible by modifying the filesystems, contained in a firmware update, or modifying the ‘InstallDesc’ file in a firmware update file,” researchers explain.

“The ‘InstallDesc’ is a text file that contains commands that are executed during the update.”

On top of it all, SEC Consult accuses Xiongmai of a pattern of ignoring security warnings and failing to take basic precautions.

The research house claims that not only were its latest warnings to the company ignored, but Xiongmai has a history of bad security going all the way back to its days as fodder for the notorious Mirai botnet. As such, the researchers advise companies stop using any OEM hardware that is based on the Xiongmai hardware. The devices can be identified by their web interface, error page, or product pages advertising the EMEye service.

China back at hacking

Note to Trump – sometimes diplomacy is better than chest thumping.

QUOTE

The Obama-era cyber détente with China was nice, wasn’t it? Yeah well it’s obviously over now
Middle Kingdom is a rising threat once again – research

Infosec pros might have already noticed some familiar IP address ranges in their system logs – China has returned to the cyber-attack arena.

That’s the conclusion of threat intel outfit CrowdStrike, which released its midyear threat report this week (downloadable here with free registration). The firm’s Falcon OverWatch team said that from January to June, state actors were responsible for 48 per cent of intrusion cases, and China is climbing back up the charts.

CTO and co-founder Dmitri Alperovitch tweeted: “CrowdStrike can now confirm that China is back (after a big drop-off in activity in 2016) to being the predominant nation-state intrusion threat in terms of volume of activity against Western industry. MSS is now their #1 cyber actor.”

MSS refers to the Ministry of State Security, which will likely be even more motivated to digitally disrupt the US since a deputy division director was arrested in Belgium in April and extradited to face charges in America.

Alperovitch said that the 2015 Obama-era non-hacking pact had led to a decline in hostile activity, at least at the state level.

Alex Stamos, formerly CSO at Facebook, concurred with Alperovitch: “Most IR professionals I have spoken to believed that there was a real drop in commercially-motivated hacking from the Chinese after the deal.”

That was then. The increasing political hostility between China and the US (and countries like Australia which have followed the US’s lead) is reflected in the online world, CrowdStrike reckoned. “OverWatch data identifies China as the most prolific nation-state threat actor during the first half of 2018.”

Intrusions were attempted against “biotech, defence, mining, pharmaceutical, professional services, transportation, and more”, the report claimed.

The “Chinese threat” has been a CrowdStrike theme for some time: in September, Alperovitch made the same point to Fox Business in a TV interview. He said “every major sector of the economy is being targeted” by the Middle Kingdom.

“Primarily they’re focused on stealing intellectual property… in order to counteract in part the trade tariffs we’re putting into place on them.”

By comparison to the rising Chinese attack traffic, the report’s other key findings were relatively unremarkable: online crims are turning to crack networks to install cryptocurrency miners, with legal and insurance industries a favourite target; the biotech sector is a favoured target for industrial espionage; and criminal actors who once may have used less sophisticated tools are now adopting “tactics, techniques and procedures” learned from nation-state actors.

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

One needs to wonder about all those routers and firewalls from the majors that are produced in China.
Also, I think this will do more damage to “Brand China” than dubious tariffs.
And in case you missed it, Bloomberg’s original story “The Big Hack” (excellent read), can he had here

The discovery shows that China continues to sabotage critical technology components bound for America.

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim — so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That’s the problem with the Chinese supply chain,” he said.


The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.

….

The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI’s most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations.

Appleboum said that he’s consulted with intelligence agencies outside the U.S. that have told him they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.
….
Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in such sabotage. The U.S. is known to have extensive programs to seed technology heading to foreign countries with spy implants, based on revelations from former CIA employee Edward Snowden. But China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.

Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio’s software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals — such as power consumption — that can indicate the presence of a covert piece of hardware.

In the case of the telecommunications company, Sepio’s technology detected that the tampered Supermicro server actually appeared on the network as two devices in one. The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.

In other words – by passing the firewall

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. “The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack,” he said.

The goal of hardware implants is to establish a covert staging area within sensitive networks, and that’s what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client’s security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio’s team was not able to perform further analysis on the chip.

The threat from hardware implants “is very real,” said Sean Kanuck, who until 2016 was the top cyber official inside the Office of the Director of National Intelligence. He’s now director of future conflict and cyber security for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don’t.

“Manufacturers that overlook this concern are ignoring a potentially serious problem,” Kanuck said. “Capable cyber actors — like the Chinese intelligence and security services — can access the IT supply chain at multiple points to create advanced and persistent subversions.”

One of the keys to any successful hardware attack is altering components that have an ample power supply to them, a daunting challenge the deeper into a motherboard you go. That’s why peripherals such as keyboards and mice are also perennial favorites for intelligence agencies to target, Appleboum said.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits — we don’t know until we find some. It could be all over the place — it could be anything coming out of China. The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”

Trump’s axing of cyber czar role has left gaping holes in US defence

Damning report shows Uncle Sam falling behind

Quote

Is this stupid or deliberate? I mean, more lax security makes it easier for others to hack and influence US opinion and elections.

A cybersecurity czar has been a long-established presence in US government – until recently. Against a rising tide of attacks on the nation’s infrastructure and election systems, Donald Trump eliminated the post through an executive order in May.

As if to highlight the deficiency of such a move, just two months later the US Government Accountability Office (GAO) told politicians that Uncle Sam had failed to implement 1,000 cyber protection recommendations from a list of 3,000 made since 2010 that it said are “urgent to protect the nation”. Further, 31 out of a total of 35 more recent priority recommendations were also not acted upon. That testimony was released in a report (PDF) this month.

In the infosec arms race, this does not make comfortable reading, particularly since the US cybersecurity coordinator post has been axed.

Despite progress in some areas such as identifying (if not yet filling) gaps in cybersecurity skills, the GAO reckoned that the security holes have left federal agencies’ information and systems “increasingly susceptible to the multitude of cyber-related threats”.

It told the Office of the President, the US Congress and federal agencies of all stripes to shape up and take cybersecurity seriously.

These omissions include having a more comprehensive cybersecurity strategy, better oversight, maintaining a qualified cybersecurity workforce, addressing security weaknesses in federal systems and information and enhancement of incident response efforts.

Nick Marinos, director of cybersecurity and data protection issues, and Gregory C Wilshusen, director of information security issues, signed off September’s report with a stark warning:

Until our recommendations are addressed and actions are taken to address the challenges we identified, the federal government, the national critical infrastructure, and the personal information of US citizens will be increasingly susceptible to the multitude of cyber-related threats that exist.

The risks to IT systems supporting the federal government and the nation’s critical infrastructure are increasing as security threats continue to evolve and become more sophisticated. These risks include insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, steady advances in the sophistication of attack technology, and the emergence of new and more destructive attacks.

The GAO also blasted the IT sector for compounding these risks: “IT systems are often riddled with security vulnerabilities – both known and unknown.”

The report said in 2017 more than 35,000 cybersecurity incidents at civilian agencies had been reported by the Office of Management and Budget to Congress. A breakdown of these figures revealed that 31 per cent of these attacks were listed as “other”, saying: “If an agency cannot identify the threat vector (or avenue of attack), it could be difficult for that agency to define more specific handling procedures to respond to the incident and take actions to minimize similar future attacks.”

Other incidences listed were improper usage (22 per cent), email/phishing (21 per cent), loss or theft of equipment (12 per cent), web site or web app origin based attacks (11 per cent).

Attacks cited include a March 2018 threat when the Mayor of Atlanta, Georgia, reported that the city was being victimised by a ransomware attack.

In March the Department of Justice indicted nine Iranians for conducting a “massive cyber security theft campaign” on behalf of the Islamic Revolutionary Guard Corps. That indictment alleged they stole more than 31TB of documents and data from more than 140 American universities, 30 US companies, and five federal government agencies.

The Russians were also called out for targeting critical systems in nuclear, energy, water and aviation.

But, of course, Trump is a little confused when it comes to Russia’s cyber-dabbling in the US.

You can argue the US government fell behind under the watch of the cyber czar and that action was needed, but that hardly necessitated the elimination of this central post.

The GAO testimony and this month’s report rightly questions whether the US was doing enough to protect its citizens and critical infrastructure. The answer seemed to be a “must try harder” – but that’s OK, because improvement can only come through such transparency and self-assessment.

Trump’s May decision and this report taken together suggest that if the West was already slipping behind in the cyber war, things can only get worse now that the supposed leader of the free world has deliberately, and carelessly, taken his eye off the ball on the home front.

Voting machine maker claims vote machine hack-fests a ‘green light’ for foreign hackers

But NSA code smacker says no, hackers perform a service

QUOTE

Voting machine maker ES&S says it did not cooperate with the Voting Village at hacking conference DEF CON because it worried the event posed a national security risk.

This is according to a letter the biz sent to four US senators in response to inquiries about why the manufacturer was dismissive of the show’s village and its warnings of wobbly security in some systems that officials use to record, tally, and report votes.

Among the vendors singled out was ES&S, sparking Senators Kamala Harris (D-CA), Mark Warner (D-VA), Susan Collins (R-ME) and James Lankford (R-OK) to express concern that ES&S wasn’t serious about security.

“We are disheartened that ES&S chose to dismiss these demonstrations as unrealistic nd that your company is not supportive of independent testing,” the senators wrote in their letter [PDF].

“We believe that independent testing is one of the most effective ways to understand and address potential cybersecurity risks.”

Open Amazon S3 buckets open online now: US election autodialers

Who are these idiots hiring for security? AWS plainly warns when a bucket is open.

Quote

Security biz Kromtech has unearthed two more embarrassing – and potentially dangerous – cases of groups leaving mass data caches unguarded on the public internet.

In the first case, the culprit was an improperly configured AWS S3 bucket owned and operated by Robocent, a political robocalling company based in Virginia Beach, VA.

According to Kromtech head of comms Bob Diachenko, the storage bucket contained 2,594 files, including the audio files to be used in robocalls to voters and spreadsheets containing hundreds of thousands of US voters’ contact details.

These records included voters’ names, addresses, year of birth, phone number, political affiliation, and demographic info such as ethnicity and education level, all pieces of data that would be valuable to use in a spear phishing or social engineering scam.

Unfortunately, Diachenko said, it gets worse. It appears other sites have already collected and indexed the exposed data.

“What’s more disturbing is that company’s self-titled bucket has been indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found,” Diachenko explained.

The second case exposed by Kromtech could land a few people behind bars, if convicted, of course.

Researchers uncovered an exposed mongoDB instance that contained both credit card numbers and payment details. A bit more digging lead the researchers to a dump of Facebook and stolen email account data and info from freemium games that offer in-app purchases through virtual currency.

Eventually, the researchers were able to piece together what was going on. The stolen credit cards were being combined with the lifted data to set up Apple IDs on hundreds of jailbroken iPhones that could then be automated to create user accounts on installations of the free-to-play games. The fake game accounts then purchased in-app currency for the games and were re-sold to other players for cryptocoins or real-world currency.

In other words, the scammers were using fake game accounts on jailbroken phones to launder money from the stolen payment cards via the freemium games, and the criminals operating the scam had left the entire operation wide open to the public by not securing the database.

Kromtech said it had reported all of its findings to the US Department of Justice so that a criminal investigation could be opened

Microsoft: The Kremlin’s hackers are already sniffing, probing around America’s 2018 elections

Why wouldn’t it be them?

QUOTE

Microsoft says it has already uncovered evidence of Russian government-backed hacking gangs attempting to interfere in the 2018 US mid-term elections.

“Earlier this year we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates that were all standing for election this year,” Burt said.

“These are all people who, because of their positions, might be interesting targets from an espionage standpoint as well as an election disruption standpoint.”

Burt declined to name the candidates being targeted, citing Microsoft’s policy of preserving the anonymity of its clients. In the past, Fancy Bear largely focused its efforts on targeting computers belonging to the Democrats and Hillary Clinton’s campaign, and leaking the Dems’ internal emails in the hope of swinging the balance of Congress for the GOP, and the White House race for Donald Trump.
Redmond is a tool for Russia

Microsoft’s services play a prominent role in Fancy Bear’s meddling, Burt said. To help make its phishing pages more believable, the GRU-backed hacking crew often registers domains whose names resemble Microsoft services and then uses those to create fake login or download pages impersonating Redmond’s own. These pages can trick victims into installing malware, or handing over the usernames and passwords for their email inboxes and other sensitive accounts. Additionally, the domains are used for the command and control servers for data-harvesting spyware.

Because of that, Burt explained, Microsoft has made a habit of tracking the group, and using its legal team to have those domains seized and either shut down or handed over to Microsoft’s security team, who then use them to gather information about the inner-workings of the operation.

Burt said that, after two years of tracking the gang, Microsoft has become efficient enough that a new domain can be challenged and seized in as little as 24 to 48 hours. “The goal here is to say stop using Microsoft domain names,” Burt said. “If you keep using them, we are going to make it more costly for you.”

This is also why securing your Microsoft Office 365 accounts with multi-factor authentication is crucial, to help thwart password phishing attempts.

Burt’s comments also come as the US Department of Justice issued a report warning that attacks on the mid-term elections are all but assured. The report notes that the government has created a task force, including multiple agencies and states attorney generals, that will focus on detecting and prosecuting attempts to affect the outcome of the mid-term vote.

Security Court says NO to Kaspersky’s US govt computer ban appeal

QUOTE

A US district court has upheld the American government’s ban of Kaspersky Lab software from computers of federal agencies.

Judge Colleen Kollar-Kotelly, sitting in Washington, DC, issued a ruling Wednesday to dismiss the two lawsuits Kaspersky had filed against Uncle Sam and the Department of Homeland Security challenging both the September 2017 Binding Operative Directive (BOD 17-01) and the Congressional National Defense Authorization Act (NDAA), the two documents that blocked government agencies from using Kaspersky Lab’s products.

The Moscow-based Kaspersky saw its products blocked from US government use after it was implicated in a Russian government espionage operation that lifted top-secret NSA cyber-weapons from the Windows PC of a careless agency staffer.

Security Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix

Previously we reported that the latest Meltdown Patch broke networking in Win7 and Server 2008. Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s (29-Mar 2018) out-of-band update for CVE-2018-1038 here.

We did this on a Win7 VM we have and it seemed to work and not break the network as the previous release did.

As the article concludes and one we follow here

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.

Full Article Follows

Quote

Microsoft today issued an emergency security update to correct a security update it issued earlier this month to correct a security update it issued in January and February.

In January and February, Redmond emitted fixes for Windows 7 and Server 2008 R2 machines to counter the Meltdown chip-level vulnerability in modern Intel x64 processors. Unfortunately, those patches blew a gaping hole in the operating systems: normal applications and logged-in users could now access and modify any part of physical RAM, and gain complete control over a box, with the updates installed.

Rather than stop programs and non-administrators from exploiting Meltdown to extract passwords and other secrets from protected kernel memory, the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM.

Roll on March, and Microsoft pushed out fixes on Patch Tuesday to correct those January and February updates to close the security vulnerability it accidentally opened.

Except that March update didn’t fully seal the deal: the bug remained in the kernel, and was exploitable by malicious software and users.
Total Meltdown

Now, if you’re using Windows 7 or Server 2008 R2 and have applied Microsoft’s Meltdown patches, you’ll want to grab and install today’s out-of-band update for CVE-2018-1038.

Swedish researcher Ulf Frisk discovered the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken, and went public with his findings once the March Patch Tuesday had kicked off. As it turns out, this month’s updates did not fully fix things, and Microsoft has had to scramble to remedy what was now a zero-day vulnerability in Windows 7 and Server 2008.

In other words, Microsoft has just had to put out a patch for a patch for a patch. Hardly inspiring stuff, but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest. On the other hand, writing kernel-level memory management code is an absolute bastard at times, so you have to afford the devs some sympathy.