Anti-Virus Updates Required Ahead of Microsoft’s Meltdown, Spectre Patches

Microsoft is pausing the rollout of Windows Meltdown and Spectre patches until hosted anti-virus software vendors confirms no unsupported Windows kernel calls via the addition of a registry key on PCs.

Microsoft said it is holding off delivering security updates to Windows PCs for Spectre and Meltdown CPU flaws until hosted anti-virus software confirms it does not make unsupported calls into Windows kernel memory.

Affected are PCs running certain AV products that bypass Windows built-in Kernel Patch Protection. According to Microsoft, unsupported calls bypass the Kernel Patch Protection and are incompatible with Microsoft’s latest patches released last week.

Microsoft is requiring affected AV vendors to add a registry key to the startup sequence certifying their software works with Microsoft’s patches. Microsoft’s Patch Tuesday security updates are scheduled to be release today.

“Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key,” Microsoft said in a Jan. 3 security bulletin.

Of the top 39 affected AV vendors, 22 have not confirmed they have added the registry key, according to a running list maintained by security researcher Kevin Beaumont. last updated Jan. 8. (see full list below)

Beaumont notes that many of the Microsoft patches put on hold include important security fixes, such as patches for SMB server.

“The main thing to know is the January patches, and currently all future security patches, will not install unless antivirus vendors take action — and some don’t want to or feel they cannot,” Beaumont wrote in a post Monday.

The problem, he describes, is that some anti-virus vendors are using a technique to bypass “Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.”

Microsoft said this has caused “unsupported applications” to fail.

“During testing, we discovered that some third-party applications have been making unsupported calls into Windows kernel memory that cause stop errors (also known as bluescreen errors) to occur,” Microsoft said.

Incompatible Microsoft updates have also impacted PCs running older Athlon AMD processors running Windows 10. Users have reported after installing Microsoft’s KB4056892 patch, their operating system freezes at startup just when the Windows logo is displayed.

Microsoft said in a support page: “After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”

As a result Microsoft put the rollout of Windows Meltdown and Spectre Patches for AMD Devices on ice.

Below is Beaumont’s running list of AV vendors that have confirmed adding Microsoft’s required registry key.

Suggested articles