Security Experts:

Meltdown Patch in Windows 10 Can Be Bypassed

A researcher has discovered that a mitigation implemented by Microsoft in Windows 10 for the Meltdown vulnerability can be bypassed. The tech giant says it’s working on an update.

According to Windows internals expert Alex Ionescu, a Meltdown mitigation in Windows 10 has what he describes as “a fatal flaw.”

“Calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation,” Ionescu wrote on Twitter.

Meltdown mitigation in Windows 10 bypassed

The researcher said Microsoft included a patch for this issue in the recently released Windows 10 version 1803, also known as April 2018 Update, Redstone 4 and RS4.

Microsoft told SecurityWeek that the company is working on providing an update for Windows 10 version 1790, also known as the Fall Creators Update, which appears to be the only version affected.

While the Meltdown mitigation bypass is interesting from a research perspective, exploitation requires local code execution privileges and the risk of malicious attacks is low.

The patches released by Microsoft for the Meltdown vulnerability have caused problems from day one. Shortly after the Meltdown and Spectre flaws were disclosed in early January, users started complaining that Microsoft’s updates had been causing Windows to break down on computers with AMD processors.

More recently, a researcher discovered that Meltdown mitigations for Windows 7 and Windows Server 2008 R2 introduced a serious privilege escalation vulnerability that may be worse than Meltdown.

Related: Microsoft Releases More Patches for Meltdown, Spectre

Related: Microsoft Releases More Microcode Patches for Spectre Flaw

Related: Windows Updates Deliver Intel's Spectre Microcode Patches

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.