In an interesting new development, some anti-virus applications may be incompatible with the patches Microsoft has pushed in order to mitigate the Meltdown and Spectre vulnerabilities that were recently revealed. In a rather heavy-handed tactic in order to ensure compliance by anti-virus vendors, Microsoft will hold their users' PCs hostage, and block all future security updates until a specific registry setting is changed.
The company recently updated its notes for the recent security patches with the following proclamation:
"Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key."
If you're wondering why Microsoft is taking such an overbearing approach to the issue, the company explains later on in the article that some anti-virus vendors were found to be making 'unsupported calls into the kernel memory'.
The Meltdown and Spectre vulnerabilities exploit speculative execution in the processor to obtain privileged information from the kernel memory and the solution provided by Intel and Microsoft was to cordon off the kernel into its own isolated virtual memory address space. How this becomes a problem with the recent patches is due to the fact that some anti-virus software rely on using deep links into the kernel to keep tabs on the goings-on in the system.
Since the anti-virus can no longer freely access the kernel in the manner previously possible, the result is severe incompatibilities leading to system crashes (blue screen of death) and, in some cases, even a total failure to boot up.
In order to keep users from suffering these consequences, Microsoft is working with anti-virus providers to ensure their products are compatible, and then further confirming compatibility by requiring them to set the particular registry key in the manner it states.
Avast, AVG, BitDefender, Avira, ESET, F-Secure, Kaspersky, Malwarebytes, Sophos, and Symantec are among anti-virus vendors who are both compatible with the patches and have changed the registry key as per Microsoft's wishes. You can refer to security researcher Kevin Beaumont's list to both check if your anti-virus is compatible with the patches and if they've changed the registry key.
However, while some anti-virus suites have proven to be compatible with the patches, they may not have changed the registry key, leaving their users in the cold and unable to receive not only the January security update for CPU exploits but also all future security updates from Microsoft until the vendor complies and changes the registry key per Microsoft's guidelines.
Further complicating matters is the fact that some anti-virus software lacks the ability to change Windows registry keys, and adding those capabilities to the software may require some time. Others are requiring their users to manually make the changes themselves, which could be a dangerous procedure by itself if the user is not familiar with what they're doing.
Security researcher Graham Cluley said about the situation, "Microsoft is caught between a rock and a hard place on this one. The last thing they want to do is roll out an update that causes computers to crash. It's a painful decision, but if they can determine which computers don't appear to be running a ‘safe’ anti-virus program then they're probably right not to push out security updates to that PC."
Source: Microsoft via The Register, ZDNet
51 Comments - Add comment