Instead of fixing things, the patch Microsoft released for the Meltdown bug as part of the January 2018 Patch Tuesday – CVE-2017-5754 – caused further issues on Windows 7. The faulty patch allows user-level apps to read content from the kernel of the operating system. It even allows these apps to write data to the kernel memory, researchers say.
CVE-2017-5754 Official Description
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
The issue was discovered by Sweidish expert Ulf Frisk while he was working on a specific device for carrying out Direct Memory Access attacks and dumping protected OS memory. The device is called PSILeech and is available on
According to the researcher, the CVE-2017-5754 patch flipped a bit that controls the access permission for kernel memory. This is what the researcher explained in a blog post:
In short – the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself. The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.
Is the CVE-2017-5754-Induced Issue Fixed?
Apparently, Microsoft went ahead and fixed the bug within the bug fix in March 2018 Patch Tuesday. Please note that the issue only affected the 64-bit versions of Windows 7 and Windows Server 2008 R2, according to Frisk. The bug was fixed by flipping the PML4 permission bit back to its original value.
If you’re a Windows 7 user, please make sure you have installed the January batch of fixes as well as the March Patch Tuesday.