Microsoft normally releases security patches only on the second Tuesday of each month (“Patch Tuesday”). When a vulnerability is being exploited in the wild, or is likely to be, Microsoft may instead release an out-of-band patch, and that is exactly what happened yesterday. The vulnerability being fixed was introduced by Microsoft’s own January update for Meltdown and Spectre. That update separates the page tables used by user space and kernel space so that user-mode code cannot read kernel memory through the processor flaw (kernel page table isolation, or KPTI). On Windows 7 and Server 2008 R2, however, the way this was implemented opened a new hole.
The new vulnerability allows any unprivileged user on the machine to read and write the memory of any process, including the kernel. Ironically, that is worse than the original Meltdown vulnerability, which only allowed an attacker to read (not write) arbitrary memory. In other words, the patch created a problem more severe than the one it was written to solve.
As far as we know there are no active exploits in the wild, and the bug is not remotely exploitable: an attacker needs to run code on the machine first. It is nonetheless a very dangerous class of vulnerability, a local privilege escalation in which a successful exploit hands the attacker full SYSTEM privileges. That is a nightmare scenario for an organization that puts most of its effort into keeping attackers out of the network rather than balancing perimeter defenses with internal network monitoring. Once an attacker has any regular user account on an unpatched Windows 7 machine, they can elevate to SYSTEM, dump credentials, and move laterally through the network.
Unless your internal network security monitoring is top notch, this is worth patching now, even though it falls outside the normal schedule. Some IT teams will argue that it can wait. Microsoft evidently disagreed, or it would not have released the patch out of band. In Rendition’s experience on red team engagements, getting in is easy (someone always opens the attachment); what is harder in most cases is elevating privileges on that first machine, and this vulnerability lets an attacker do that with ease. Even if you opt not to patch the entire environment out of band, pay special attention to application servers and Remote Desktop servers running Windows Server 2008 R2. These servers typically allow many users to log in with limited privileges, which sets the stage for any one of those users to take full control of the server and with it the data (and credentials) of every other user on it.
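To act on that advice you first need to know which machines are affected and which have already received the update. The PowerShell below is an added example, not code from the original post or from Microsoft: it pulls every enabled Windows 7 / Server 2008 R2 computer (NT 6.1) from Active Directory, asks each one whether a given KB is installed, and lists unpatched servers first. It assumes the ActiveDirectory RSAT module is available where it runs, that the account can query WMI remotely on the targets (Get-HotFix reads Win32_QuickFixEngineering over DCOM), and, since the post does not name the KB number of the out-of-band update, that the operator supplies it as a parameter.

```powershell
<#
  Added example (not from the original post): inventory Windows 7 / Server 2008 R2
  machines from Active Directory and report whether a given update is installed,
  so the out-of-band patch can be tracked and multi-user servers prioritised.

  Assumptions (not stated in the post): RSAT ActiveDirectory module present,
  remote WMI (DCOM) access to the targets, and the KB number supplied by the operator.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^KB\d{6,7}$')]
    [string]$KB,                                   # e.g. KB1234567 (placeholder, not the real number)

    [string]$ReportPath = ".\kpti-patch-status.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

# Windows 7 and Windows Server 2008 R2 share the NT 6.1 kernel, so both report an
# OperatingSystemVersion beginning "6.1" in Active Directory.
$targets = @(Get-ADComputer `
    -Filter { OperatingSystemVersion -like "6.1*" -and Enabled -eq $true } `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate)

$results = @(foreach ($computer in $targets) {
    $status = 'Unreachable'
    try {
        $installedIds = Get-HotFix -ComputerName $computer.DNSHostName -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
        $status = if ($installedIds -contains $KB) { 'Patched' } else { 'Missing' }
    }
    catch {
        # Offline, firewalled or access denied: keep 'Unreachable' so the host is
        # never silently counted as patched.
    }

    [pscustomobject]@{
        ComputerName = $computer.DNSHostName
        OS           = $computer.OperatingSystem
        Version      = $computer.OperatingSystemVersion
        # Shared application / Remote Desktop servers are the priority the post calls out.
        IsServer     = ($computer.OperatingSystem -like '*Server*')
        LastLogon    = $computer.LastLogonDate
        Status       = $status
    }
})

# Unpatched servers first, then unpatched workstations, then everything else.
$report = $results |
    Sort-Object @{ Expression = { $_.Status -eq 'Patched' } },
                @{ Expression = { -not $_.IsServer } },
                ComputerName

$report | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

$summary = '{0} hosts checked: {1} patched, {2} missing, {3} unreachable' -f `
    $results.Count,
    @($results | Where-Object Status -eq 'Patched').Count,
    @($results | Where-Object Status -eq 'Missing').Count,
    @($results | Where-Object Status -eq 'Unreachable').Count
Write-Host $summary
```

Run it from an administrative workstation as `.\Check-KptiPatch.ps1 -KB KBnnnnnnn` with the real KB identifier of the out-of-band update. Hosts reported as Unreachable are deliberately not folded into either bucket: a machine you cannot query is a machine you cannot assume is patched, and on a Server 2008 R2 Remote Desktop host that gap is exactly where the risk described above lives.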
If you suspect you may already have been compromised through this (or any other) vulnerability, we strongly recommend conducting threat hunting across your network to find attackers who have already bypassed your perimeter defenses.