KB4100480 out-of-band security update for Windows 7 and Server 2008 R2

KB4100480 is an out-of-band security update for the Microsoft operating systems Windows 7 and Windows Server 2008 R2 that “addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows”.

The vulnerability is documented as CVE-2018-1038, “Windows Kernel Elevation of Privilege Vulnerability”, on Microsoft’s Security TechCenter website.

KB4100480 for Windows 7 and Windows Server 2008 R2

Successful exploitation of the vulnerability gives an attacker full control over the system. Microsoft notes, however, that the issue requires local access to an unpatched computer system.

An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

The update patches a security issue discovered earlier this month by security researcher Ulf Frisk, who documented it on a GitHub page. The researcher discovered that Microsoft’s patch for Meltdown (CVE-2017-5754), released on the January 2018 Microsoft patch day, changed the user/supervisor permission bit to user, which made the page tables “available to user mode code in every process”. On Windows machines, they should be accessible only by the kernel.
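To illustrate the permission bit described above, the following C sketch (an added example, not Microsoft's or Ulf Frisk's code) scans a top-level x86-64 page table (PML4) for kernel-half entries whose user/supervisor bit is set. The table contents, the index 300 and the function names are constructed for illustration; only the bit positions come from the x86-64 page-table entry format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PTE_PRESENT (1ULL << 0)  /* P: entry is valid */
#define PTE_WRITE   (1ULL << 1)  /* R/W: writable */
#define PTE_USER    (1ULL << 2)  /* U/S: 1 = user mode may access, 0 = supervisor only */
#define PML4_ENTRIES 512
#define KERNEL_HALF_START 256    /* indices 256..511 map the upper (kernel) half */

/* Count present kernel-half PML4 entries that user mode is allowed to use.
 * Stores the index of the first such entry in *first_bad (if non-NULL). */
size_t audit_pml4(const uint64_t *pml4, size_t *first_bad)
{
    size_t bad = 0;
    for (size_t i = KERNEL_HALF_START; i < PML4_ENTRIES; i++) {
        uint64_t e = pml4[i];
        if ((e & PTE_PRESENT) && (e & PTE_USER)) {
            if (bad == 0 && first_bad) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

/* Constructed sample table: one user entry at 0, kernel entries at 300 and 511.
 * user_bit_on_300 models the faulty state (1) or the corrected state (0). */
void build_sample(uint64_t *pml4, int user_bit_on_300)
{
    for (size_t i = 0; i < PML4_ENTRIES; i++) pml4[i] = 0;
    pml4[0]   = 0x0000000012345000ULL | PTE_PRESENT | PTE_WRITE | PTE_USER;
    pml4[300] = 0x0000000000187000ULL | PTE_PRESENT | PTE_WRITE
              | (user_bit_on_300 ? PTE_USER : 0);
    pml4[511] = 0x0000000000199000ULL | PTE_PRESENT | PTE_WRITE;
}

int main(void)
{
    static uint64_t pml4[PML4_ENTRIES];
    size_t idx = 0;
    build_sample(pml4, 1);
    size_t n = audit_pml4(pml4, &idx);
    printf("faulty:    %zu user-accessible kernel entries (first at %zu)\n", n, idx);
    build_sample(pml4, 0);
    printf("corrected: %zu user-accessible kernel entries\n", audit_pml4(pml4, NULL));
    return 0;
}
```

The check is conservative: it reports any kernel-half entry with the user bit set, which is the state the kernel is expected never to leave in place.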

The support page for KB4100480 lists all updates released by Microsoft that caused the issue on systems running 64-bit versions of Windows 7 or Windows Server 2008 R2. Basically, any update released on January 3, 2018 or later introduces the issue.

The update is available from Windows Update and Windows Server Update Services (WSUS), and also as a standalone download from Microsoft’s Update Catalog.

Microsoft did not mention whether the new update fixes any of the known issues introduced in previous updates.

Now You: How do you handle Windows updates these days?