You’re security conscious. You’re aware of the threats. You like to run a tight ship.
You install the latest security patches, and – of course – you run an up-to-date anti-virus.
Well, things just got a heck lot more complicated for users of some anti-virus programs.
That’s because Microsoft has said that customers who are running certain anti-virus products will not receive its bundle of January 2018 security patches (including mitigations against the Spectre and Meltdown CPU flaws) unless their products certify that they don’t make unsupported calls into Windows kernel memory.
According to Redmond, some security products jump through some hoops and perform double somersaults to bypass the Kernel Patch Protection built into the operating system. And unfortunately, those techniques are incompatible with Microsoft’s latest patches – and cause computers to blue screen.
So, Microsoft is demanding that anti-virus products certify that their software works with its fixes by adding a registry key every time they start up.
The message from Microsoft is fairly blunt:
Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key
To be fair, Microsoft is caught between a rock and a hard place on this one. The last thing they want to do is roll out an update that causes computers to crash. It’s a painful decision, but if they can determine which computers don’t appear to be running a “safe” anti-virus program then they’re probably right not to push out security updates to that PC.
Anti-virus vendors have little choice. They will have to fix their products to fall into line, as customers won’t be satisfied with being blocked from receiving Microsoft security updates.
As always, care will need to be taken by security vendors that any fixes are made properly so as not to introduce other unintended problems.
More details of the issue can be found in this blog post by researcher Kevin Beaumont, including a link to a spreadsheet he is maintaining of which anti-virus products are setting the Registry key.
Now then, I wonder how long it will be until we see bad guys toggling the Registry key to stop PCs receiving security updates?
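The mechanism described above is a simple flag check: Windows Update looks for a specific registry value that the anti-virus vendor is expected to set, and withholds the January 2018 updates if it is absent. The PowerShell audit below is an added example (not code from the post, from Microsoft, or from any anti-virus vendor) that an administrator could run to see where a machine stands. The key path, value name and expected data are deliberate PLACEHOLDERS, because the post does not reproduce them; substitute the exact values from Microsoft's advisory before using it.

```powershell
# Added example: audit whether the anti-virus "compatibility" registry
# value that the January 2018 Windows updates look for is present.
#
# ASSUMPTION: the three values below are PLACEHOLDERS. The post does not
# reproduce Microsoft's actual key path, value name or expected data;
# take them from Microsoft's advisory for the January 2018 updates.
$CompatKeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PLACEHOLDER_COMPAT_KEY'
$CompatValueName = 'PLACEHOLDER_VALUE_NAME'
$ExpectedData    = 0    # placeholder REG_DWORD data the updates expect

function Test-AvCompatFlag {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = $CompatKeyPath,
        [string]$ValueName = $CompatValueName,
        [int]   $Expected  = $ExpectedData
    )

    # Collect everything the reader needs to reason about the machine's
    # state: does the key exist, does the value exist, does the data match.
    $result = [ordered]@{
        KeyPath     = $KeyPath
        ValueName   = $ValueName
        KeyExists   = Test-Path -Path $KeyPath
        ValueExists = $false
        Data        = $null
        Ok          = $false
    }

    if ($result.KeyExists) {
        # -ErrorAction SilentlyContinue: a missing value is a normal
        # outcome here (vendor has not set it yet), not a script error.
        $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $result.ValueExists = $true
            $result.Data        = $item.$ValueName
            $result.Ok          = ($item.$ValueName -eq $Expected)
        }
    }

    [pscustomobject]$result
}

# Usage: report the flag's state in a form that can be fed into an inventory.
$status = Test-AvCompatFlag
$status | Format-List

if ($status.Ok) {
    Write-Host 'Compatibility flag present: this PC is eligible for the January 2018 security updates.'
} else {
    Write-Warning ('Compatibility flag missing or unexpected ({0} = {1}): Windows Update will withhold the ' +
                   'January 2018 security updates until the anti-virus vendor sets it.') -f $status.ValueName, $status.Data
}
```

Because the same flag that unlocks updates can also be removed to keep a machine unpatched, the same check is worth running periodically from a management host and alerting on any machine whose `Ok` flips from true to false after it was once set; enabling Windows object-access auditing on the key would additionally record which process changed it.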
For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:
Smashing Security #060: 'Meltdown, Spectre, and personal devices in the White House'
"Now then, I wonder how long it will be until we see bad guys toggling the Registry key to stop PCs receiving security updates?"
Graham, I would suggest that if bad guys are already messing around in HKLM then you probably have bigger problems!
Editing these registry keys in a vulnerable PC would just be one more way to keep your malware persistent and silently keep this PC unpatched.
Meanwhile...?
I noticed that Comodo Internet Security, which I have installed on my HP Windows computer, isn't on the spreadsheet list as setting a Registry Key. Does that mean it's compatible with the new updates?
All that we can infer is that the guy maintaining the spreadsheet hasn't created an entry for Comodo.
I would recommend contacting Comodo technical support to discover what their status is.
Hi Graham,
Thank you for your reply, that helped a lot!
If no antivirus, will Microsoft not upgrade? Or does Microsoft need an antivirus from eligible editors to upgrade?
It's like a flag. If your antivirus doesn't cause any issues (blue screen of death) then you get an OK flag (registry value) and Microsoft servers will eventually recognize it and download the update.
My Windows 7 system uses an AMD Sempron 3000 64-bit processor. The quality compatibility registry entry (protected by security policy) is present but there is still no January 2018 update of any kind. I expect 3 separate updates: the main security rollup, a .NET security and quality rollup and good old KB890830. Only two (I guess) components are intended to fix the Meltdown/Spectre issue. There are probably other unconnected critical updates but are they really affected by the kernel updates required for the processor bug fix?