Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches.
According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches.
The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry.
The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.
According to Microsoft's latest policy changes, this registry key has now become a permanent check of the Windows Update process and will prevent all further updates, not just the Meltdown and Spectre patches.
The Redmond-based OS maker has asked antivirus companies to create this registry key because it detected during testing that some AV products caused Windows computers to enter a Blue Screen of Death (BSOD) error state that prevented subsequent boot-ups.
Security researcher Kevin Beaumont explained why this happens in a Medium blog post earlier today.
There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes. To be honest, some of the techniques are similar to ones used by rootkits — Kernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact. Because some anti-virus vendors are using very questionable techniques they end up cause systems to ‘blue screen of death’ — aka get into reboot loops.
The Meltdown and Spectre vulnerabilities highlighted a fundamental flaw in the design of modern processors. The fixes that Microsoft deployed last week are producing a similar impact on how antivirus software now interacts with the Windows OS.
Windows users who do not use an antivirus or who use Windows Defender can update right now, as they are not subject to the registry key requirement. The only ones affected are those using custom, third-party antivirus solutions.
The vast majority of AV vendors have updated their products to support the Meltdown and Spectre patches, but some vendors require users to set up the registry key by hand.
According to Beaumont, this happens because some AV companies are aware that some of their customers are running their products alongside other AV software. Due to this, they don't want to accidentally cause BSODs by setting the registry key while the other AV wasn't updated for the Meltdown and Spectre patches.
In other words, it's a mess!
Beaumont has been keeping track of antivirus products that create the registry key, AV products that ask users to create the registry key manually, and antivirus software that has not yet received updates and is currently incompatible with the Windows Meltdown and Spectre patches.
It's Bleeping Computer's belief that a large part of the Windows userbase is probably not affected by this "registry key requirement."
But if in the following months users should notice that their Windows computer is not receiving any security updates, the first place they need to look at is their antivirus.
They should also take a look over Beaumont's list and make sure their current antivirus is compatible with the Meltdown and Spectre patches to be safe.
By stopping all Windows security updates until antivirus products or users set the registry key, Microsoft is basically saying two things: (1) users either choose to stop receiving Windows security updates and stay with their current antivirus or (2) they ditch their current incompatible antivirus for one that supports the crucial fixes for Meltdown and Spectre.
Users shouldn't hurry to drop their current antivirus just yet. In statements last week, Microsoft said that antivirus companies might take a while before releasing updates and advised users to have patience. The updates are very complex and not your typical one-line source code fixes.
The registry key that antivirus products need to set up is the following:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”
Bleeping Computer has created a .reg file that users can double-click and create the registry on their PC. Users can use this file if their antivirus vendor has told them they need to manually install the registry key. More info on updating Windows computers with the Meltdown and Spectre patches are available here.
Image credits: Jay Hilgert, Microsoft, Bleeping Computer