Microsoft: Even after Meltdown, Windows patches won’t install if your antivirus isn't fully compatible

  • Liam Tung (CSO Online)
  • 10 January, 2018 00:43

Windows customers won't be able to install any future security updates if a non-Microsoft antivirus vendor hasn't set a certain registry key that signals compatibility with its updates. 

Along with the Windows security updates for the Meltdown and Spectre attacks, Microsoft rolled out a new requirement for all third-party antivirus vendors to set a registry key in their products. Without the key being set, the security update simply won’t install. 

While testing its patches for the two attacks, which affect most modern CPUs, Microsoft discovered that some antivirus products were making “unsupported calls into Windows kernel memory”. These calls cause Blue Screen of Death (BSOD) errors, so Microsoft is attempting to eradicate that technique by having vendors certify that their products play nicely with Microsoft’s CPU and kernel fixes.

It originally appeared the requirement was limited to the January 2018 security updates; however, Microsoft has now clarified that customers will not receive any future security updates unless antivirus vendors set the registry key in their products.

“Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key”, the updated support page notes.  

Security researcher Kevin Beaumont, who has been tracking which antivirus products are compatible with Microsoft’s CPU update, notes that Microsoft’s registry key certification process is a justified response to badly behaving antivirus, but its solution is problematic on a number of levels, not least because it may result in a lot of Windows machines not being patched.

As Beaumont notes, Microsoft’s certification process aims to prevent antivirus vendors from bypassing Microsoft’s Kernel Patch Protection by injecting a hypervisor to intercept system calls to memory locations that Microsoft has now changed to thwart the Meltdown attack.

“To be honest, some of the techniques are similar to ones used by rootkits — Kernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact,” Beaumont explained in a blog post.

“Because some anti-virus vendors are using very questionable techniques they end up causing systems to ‘blue screen of death’ — aka get into reboot loops. This shouldn’t be possible in the latest operating systems, but some anti-virus vendors have managed it by taking themselves into the hypervisor — or “hardware assisted” as you’ll sometimes read in marketing material. Anti-Virus makers really shouldn’t be messing with systems like this.”

While Microsoft can steer antivirus vendors away from bad behavior, it may leave customers exposed to future vulnerabilities, since its certification program now extends beyond the January update. Additionally, the January update included fixes for more than the Meltdown and Spectre attacks, none of which will install on systems running antivirus that is either non-compliant or has not set the required registry key.

The second major problem centers on so-called next-gen security products from the likes of FireEye, Cylance, Palo Alto, and CrowdStrike. Most traditional antivirus providers such as Kaspersky, AVG, AVAST, and ESET have met both requirements; next-gen providers, however, have largely only confirmed compatibility with Microsoft’s fix without setting the registry key.

The apparent reluctance to set the registry key stems from next-gen providers previously selling their software as an addition to legacy antivirus. Now, however, many next-gen providers are selling their products as the sole antivirus software. With that shift to the role of main provider, next-gen products like Palo Alto Networks’ TRAPS and FireEye’s Endpoint Protection have started to register with the Microsoft Security Center, just like traditional AV products, which allows for notifications and alerts through the Windows Action Center.

Microsoft’s registry key restrictions apply only to products registered with the Microsoft Security Center. Next-gen providers fear that if they set the registry key, as Microsoft recommends, they’ll trigger BSOD errors on customer machines where another AV is running and registered with the Microsoft Security Center.

On top of the mess with antivirus that Meltdown and Spectre are causing, Microsoft's Windows 10 and Windows 7 updates also caused glitches with some AMD systems. 

Microsoft on Tuesday halted its Windows update for AMD systems, explaining that "some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown."

Microsoft is pausing the following updates: 

January 3, 2018—KB4056897 (Security-only update)
January 9, 2018—KB4056894 (Monthly Rollup)
January 3, 2018—KB4056888 (OS Build 10586.1356)
January 3, 2018—KB4056892 (OS Build 16299.192)
January 3, 2018—KB4056891 (OS Build 15063.850)
January 3, 2018—KB4056890 (OS Build 14393.2007)
January 3, 2018—KB4056898 (Security-only update)
January 3, 2018—KB4056893 (OS Build 10240.17735)
January 9, 2018—KB4056895 (Monthly Rollup)
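An administrator's first question after reading the above is whether a given host actually received the January update, and if not, whether the missing antivirus compatibility key is the reason. The following PowerShell audit script is an added example, not code from the article or from Microsoft; the registry path and value name are placeholders (the article does not print them, so take the real ones from Microsoft's support page), while the KB numbers are the ones listed above.

```powershell
# Added example (not from the article): audit a Windows host for the
# January 2018 update state. Run in an elevated PowerShell session.
param(
    # PLACEHOLDERS: substitute the path/value name from Microsoft's support page.
    [string]$CompatKeyPath   = 'HKLM:\SOFTWARE\PLACEHOLDER_COMPAT_KEY',
    [string]$CompatValueName = 'PLACEHOLDER_VALUE_NAME'
)

# KB numbers the article lists as part of the January 2018 update set.
$JanuaryKBs = 'KB4056897','KB4056894','KB4056888','KB4056892',
              'KB4056891','KB4056890','KB4056898','KB4056893','KB4056895'

# True when the antivirus compatibility value exists under the given key.
function Test-AvCompatFlag {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return ($null -ne $item.$Name)
    } catch {
        return $false
    }
}

# Returns the subset of the January KBs that Get-HotFix reports as installed.
function Get-InstalledJanuaryUpdates {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($JanuaryKBs | Where-Object { $installed -contains $_ })
}

$flagSet   = Test-AvCompatFlag -Path $CompatKeyPath -Name $CompatValueName
$present   = Get-InstalledJanuaryUpdates
$cpuVendor = (Get-CimInstance Win32_Processor | Select-Object -First 1).Manufacturer

# Explain the most likely reason a host is still unpatched.
if ($present.Count -gt 0) {
    $assessment = 'January 2018 update installed'
} elseif (-not $flagSet) {
    $assessment = 'Not patched: AV compatibility key absent, updates will not be offered'
} elseif ($cpuVendor -match 'AMD') {
    $assessment = 'Not patched: key present; AMD hosts may be affected by the paused rollout'
} else {
    $assessment = 'Not patched: key present; check Windows Update status'
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    CpuVendor        = $cpuVendor
    AvCompatFlagSet  = $flagSet
    JanuaryKBsFound  = ($present -join ',')
    Assessment       = $assessment
}
```

Run it across a fleet with Invoke-Command and export the objects to CSV to see which hosts are blocked by the missing key rather than by the AMD pause.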