Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key
Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches.
According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches.
The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry.
The presence of this registry key tells the Windows OS that the AV product is compatible and triggers the Windows Update that installs the Meltdown and Spectre patches, which address critical flaws in the design of modern CPUs.
According to Microsoft’s latest policy changes, this registry key has now become a permanent check of the Windows Update process and will prevent all further updates, not just the Meltdown and Spectre patches.
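As an added example (not code from the article or from Microsoft), the following PowerShell function is the kind of check an administrator could run across a fleet to see whether the compatibility value is present and therefore whether a machine will be offered the updates. The key path, value name and expected data below are placeholders, since the article does not give them; substitute the ones Microsoft documents.

```powershell
# Added example: audit the AV-compatibility registry value that gates Windows Update.
# ASSUMPTION: the key path, value name and expected data are placeholders,
# not the real values; replace them with the ones on Microsoft's support page.
function Test-AvCompatFlag {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\PLACEHOLDER\AvCompat',  # placeholder path
        [string]$ValueName = 'PLACEHOLDER-VALUE-NAME',              # placeholder value name
        [int]$Expected     = 0                                      # assumed DWORD data
    )

    $result = [ordered]@{
        Computer        = $env:COMPUTERNAME
        KeyExists       = $false
        ValueSet        = $false
        Data            = $null
        UpdatesUnblocked = $false   # true only when the value is present with the expected data
    }

    # Missing key: the AV vendor has not marked this machine compatible.
    if (Test-Path -Path $KeyPath) {
        $result.KeyExists = $true
        $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
        # Key may exist without the specific value; check the value by name.
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
            $result.ValueSet = $true
            $result.Data     = $props.$ValueName
            $result.UpdatesUnblocked = ($result.Data -eq $Expected)
        }
    }

    [pscustomobject]$result
}

# Run locally; for many hosts, wrap the call in Invoke-Command -ComputerName.
Test-AvCompatFlag | Format-List
```

Machines that report UpdatesUnblocked = False should be cross-checked with the AV vendor's guidance before assuming they will receive Patch Tuesday updates.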
The Redmond-based OS maker has asked antivirus companies to create this registry key because it detected during testing that some AV products caused Windows computers to enter a Blue Screen of Death (BSOD) error state that prevented subsequent boot-ups.
Security researcher Kevin Beaumont explained why this happens in a Medium blog post earlier today.
There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes. To be honest, some of the techniques are similar to ones used by rootkits — Kernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact. Because some anti-virus vendors are using very questionable techniques they end up causing systems to ‘blue screen of death’ — aka get into reboot loops