Meltdown and Spectre was first disclosed in January by Google after companies had hidden it for months. The kernel-level flaw affects most Intel and AMB processors. The variants (Meltdown and Spectre) have been patched in several stages by Microsoft, and the company was among the first to patch Meltdown.
While Spectre was more problematic due to Intel’s faulty patch, it was thought the Meltdown fix was more straightforward. However, security researcher Alex Ionescu says Microsoft’s Meltdown patch for Windows has a “fatal flaw”.
Microsoft sent out the patch in January, among the first to react to Meltdown and Spectre. Unfortunately, Ionescu suggests there has been an underpinning problem with that patch. So much so, the mitigation has been pointless:
“Welp, it turns out the #Meltdown patches for Windows 10 had a fatal flaw: calling NtCallEnclave returned back to user space with the full kernel page table directory, completely undermining the mitigation.”
Perhaps the most interesting aspect here is that Microsoft has seemingly known about this problem. The company has been fixing it quietly behind closed doors. You may remember Intel and companies like Microsoft and Apple withheld Meltdown and Spectre from the public domain.
The tech giants wanted time to create mitigations, but that decision has been widely criticized. Microsoft would argue this was different. However, users believed they were protected against Meltdown when they actually weren’t.
Windows 10 April 2018 Update Fix
Whether your pissed about that or not, Microsoft has now fixed the issue. Windows 10 April 2018 Update appears to have a resolution to the problem. That means users upgrading to the latest Windows update will be protected.
That in itself presents two big problems:
- Windows 10 April 2018 Update launched this Monday and is only available for manual install. Most people update Windows through automatic updates, which begin next week. Even then, Microsoft is rolling out the update in stages. Many users will be waiting weeks and even months for the release and by association the Meltdown fix.
- At the moment, it seems Windows 10 April 2018 Update is the only Windows version that gets the “fatal flaw” fix. Meltdown and Spectre affected Intel chips going back generations, so many people are not running Windows 10. Indeed, even those on Windows 10 are on older versions. These will remains unprotected until Microsoft makes its fix more widely available.
Regarding the second point, Microsoft is reported to be working on fixing other Windows 10 versions. Patch Tuesday for May is coming next week, so we expect the company to at least confirm this problem and when a fix is coming.