Windows 7 update

Microsoft issued today an out-of-band security update for 64-bit versions of Windows 7 and Windows Server 2008 R2.

The security update —KB4100480— addresses a security bug discovered by a Swedish security expert earlier this week.

The bug was caused by a patch meant to fix the Meltdown vulnerability but accidentally opened the kernel memory wide open.

According to Ulf Frisk, Microsoft's January 2018 Meltdown patch (for CVE-2017-5754) allowed any app to extract or write content from/to the kernel memory. This all happened because the Meltdown patch accidentally flipped a bit that controlled access permissions to kernel memory.

Frisk said that the March Patch Tuesday appears to have "fixed" the issue, as he was not able to interact with kernel memory.

But today, Microsoft released KB4100480 to make sure the vulnerability was closed for good. The accidental bit flip bug now has its own CVE identifier of  CVE-2018-1038.

The flaw is not remotely exploitable, and attackers need either physical access to a PC, or they need to infect the PC with malware beforehand.

Besides KB4100480, Microsoft released another out-of-band security update last Friday, March 23. KB3203399 resolved a vulnerability (CVE-2017-8551) in Microsoft Office that could lead to remote code execution and was meant for Microsoft Project Server 2013 Service Pack 1 users only.

Related Articles:

Microsoft Released the Windows 7 & 8.1 KB4343901 & KB4343898 Cumulative Updates

Microsoft August 2018 Patch Tuesday Fixes 60 Security Flaws, Including Two Zero-Days

Windows Systems Vulnerable to FragmentSmack, 90s-Like DoS Bug

Microsoft September 2018 Patch Tuesday Fixes 16 Critical Vulnerabilities

Microsoft Releases Windows 7 & 8.1 Cumulative Updates KB4457144 & KB4457129