Microsoft today released an emergency patch for a vulnerability in Windows 7 and Windows Server 2008. The patch became necessary after a security researcher discovered that a Meltdown patch released in January this year introduced a new and even bigger vulnerability.
The patch released in January was meant to protect Windows 7 and Windows Server 2008 systems against the Meltdown attack. Unfortunately, the update introduced a new vulnerability that allowed any process to read the entire system’s memory and to write data to it. Security researcher Ulf Frisk discovered the new issue, and according to him the vulnerability is fairly easy to exploit.
Microsoft reports that the vulnerability allowed a logged-in attacker to use a specially crafted application to take control of an affected system. “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft further explains.
Microsoft therefore decided to release an emergency patch outside its regular Patch Tuesday release cycle. The software giant strongly advises users to install the update as soon as possible. Microsoft hasn’t discovered any attacks exploiting the vulnerability in the wild yet, but the company expects that it is only a matter of time.