Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.
Now Windows malware will mess with that key to stop updates.
Microsoft finally comes up with a way for the user to potentially have some level of control over their patches. All you have to do is mess around with a registry key and forgo all patches altogether. People have been demanding to have some level of control and this is what Microsoft comes up with...
Oh, happy days are here: Microsoft has blessed us with a way to stop evil forced updates. Thanks, Microsoft!
Remember: for Windows Server, you will also need to set the following three registry keys to enable the mitigations after the patch is installed. With Windows Home/Pro, they are already enabled after installation.
For Windows Server:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
To validate the status, you can run the PowerShell command Get-SpeculationControlSettings.
On Windows 10 or Server 2016, you can skip the first step.
1. Set-ExecutionPolicy Bypass
2. Install-Module SpeculationControl
3. Get-SpeculationControlSettings
You will now see results.
4. Set-ExecutionPolicy Restricted (to protect the system by securing PowerShell again)
Good luck. Be sure to apply BIOS updates when and if applicable to stave off Spectre.
Life is not for the lazy.
That's being responsible.
Who runs AVs anyway?
What's an antivirus product?
Call me crazy, but I don't want to spend money on a subscription. I practice safe web.
Considering that some antivirus programs are using undocumented APIs and aren't compatible with the Windows Meltdown patch, this isn't really a bad idea. This isn't a great idea, but it's better than your system getting stuck in a crash/reboot loop after installing the patch. I hope that they throw up a warning to the end user to update your damn antivirus software as well, and then make the registry key go away once it is.
I also hope that they just use this as a temporary fix, or hackers will use this registry key to prevent their botnets from getting patched as well.
It pains me to side with Microsoft but their decision here is a good and legitimate one.
The key to its legitimacy is this quote:
There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.
So we finally got an easy way to disable automatic updates on Windows 10?
If malware already has access to the registry it doesn't matter whether you're getting updates or not.
I came to say exactly this. I have no idea how they are going to protect it from a program that acquires root (Admin) privileges somehow. A malware program that installs itself has these kinds of rights.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Apparently this is a temporary solution, according to Microsoft.
https://support.microsoft.com/...
Q3: How long will Microsoft require setting a registry key to receive the January 3, 2018, security updates?
A3: Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.
In Soviet Russia, Trojan exploits YOU!
Personally, I use Defender, and before that Security Essentials, just to avoid the mess of third-party security suites, which for a while now can't seem to get along with Windows anymore. Hard to believe Microsoft is not informing them that an update is coming, or that these companies don't realize updates come every month. For myself, they just add another layer of muck that I don't need, and I'd have to worry they won't get updates out in time. Besides, why should I pay a subscription for something that breaks my Windows updates?
This was known over the weekend, when I did a couple of Windows boxes and the Windows partition on my AMD II laptop (which went fine, by the way; however, even if you get a BSOD you can go into repair mode and uninstall the KB).
So I've known about this for 3 days, and I'm a freakin' Linux desktop user at home and Mac Pro user at work!
So what happens if I don't install any AV product and also don't use the Microsoft AV solution?
Since nothing would set the reg key, do I also not get updates?
An easy way to stop Windows Updates!
So the better solution is to let the AV trash the OS so the user gets a BSOD on reboot? The reason they are requiring this is because if the AV isn't patched, it trashes the update and leaves the OS unbootable. I'm sure once the majority of AVs push out a patch (which, let's be honest, an AV that doesn't push out some updates to deal with Meltdown is a truly shit AV) they will simply remove this requirement from the patch.
AV software acts as malware :)
You have bigger problems than a registry key if the malware has root.
I don't update my antivirus software because new versions are bloated and pop-up heavy. I only update the virus database. So on all those PCs out there with older AV software that doesn't automatically update, or is intentionally not updated, these super-critical Microsoft OS patches are going to be skipped. Silently. Great strategy, Microsoft.
True enough.
Point is: This key doesn't require admin rights to be set.
User rights are enough.
Too bad this didn't exist prior to Microsoft shoving Windows 10 down everyone's throats... Could have saved BOTH sides headaches and reputation...
So there's a patch that virtually EVERY computer in the world needs to install, and certain AV programs are detecting it as malware. What EXACTLY is in these patches, and besides remaining vulnerable to a "never seen in the wild" exploit for which widespread infection is highly speculative, from the papers describing Spectre & Meltdown currently available, what are the impacts of NOT patching?
I'm reading about a 1-30% decrease in performance depending on what the machine is doing. Also some AMD devices becoming unbootable.
If I had a tinfoil hat, I might wonder if this was a remote monitor or control function being added to every computer in the world. Where can I get DETAILED descriptions of the total content of the patches, and exactly what each part of the patch does?
(Not: "Fixes vulnerability", but actual details of why each change is required, and its exact effects on the system)
Now I can finally stop Windows forced updates!!
If the malware is already installed, then it's in their interest to ensure your system gets updates, so it's less likely to get infected by any competing malware...
Once a machine has a rootkit installed, the game is lost. You can't remove rooted malware from the same machine. You might be able to clean the disk from a different machine, maybe, if it's low-rent malware. Of course, the Snowden leaks included NSA malware that lives in the firmware of the drive, so it might just root the second system. Thanks, NSA.
Microsoft finally provides a method for stopping updates in Windows 10 and returns control to users:
Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"
Create key, change value to zero, lock key -> no more updates.
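As an added example (not from any commenter in this thread, and not Microsoft's tooling), here is a read-only PowerShell audit that ties together the two registry mechanisms discussed above: the compatibility flag under QualityCompat that gates the January 2018 updates, and the FeatureSettingsOverride, FeatureSettingsOverrideMask and MinVmVersionForCpuBasedMitigations values from the Windows Server procedure earlier in the thread, followed by Get-SpeculationControlSettings from the SpeculationControl module to see what the kernel actually reports as active. It also lists any Deny ACEs on the QualityCompat key, since a tightened ACL there would silently keep the flag from ever being written. Key paths and value names are taken from the thread; the helper name Get-RegValueOrNull and the output wording are my own.

```powershell
# Added audit script (not from the thread). Reads registry state only; changes nothing.
$compatPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name quoted in the thread
$mmPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$vmPath      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

# Hypothetical helper: returns the value's data, or $null if the key or value is missing.
function Get-RegValueOrNull([string]$Path, [string]$Name) {
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. AV compatibility flag. Per the thread, Windows Update only offers the January 2018
#    patches when this REG_DWORD exists (Microsoft's documented data is 0).
$flag = Get-RegValueOrNull $compatPath $compatValue
if ($null -eq $flag) {
    Write-Output 'QualityCompat flag ABSENT: the January 2018 updates will not be offered.'
} elseif ($flag -ne 0) {
    Write-Output "QualityCompat flag present but data is $flag (expected 0)."
} else {
    Write-Output 'QualityCompat flag present with data 0.'
}

# 2. Detection angle raised later in the thread: a Deny ACE on the key would stop the
#    AV (or anything else) from ever creating the flag, so updates stay blocked quietly.
if (Test-Path -Path $compatPath) {
    $denies = (Get-Acl -Path $compatPath).Access |
              Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($denies) {
        foreach ($d in $denies) {
            Write-Output ('Deny ACE on QualityCompat: {0} -> {1}' -f $d.IdentityReference, $d.RegistryRights)
        }
    } else {
        Write-Output 'No Deny ACEs on QualityCompat.'
    }
}

# 3. Windows Server switches from the reg add commands earlier in the thread.
$override = Get-RegValueOrNull $mmPath 'FeatureSettingsOverride'
$mask     = Get-RegValueOrNull $mmPath 'FeatureSettingsOverrideMask'
$vmMin    = Get-RegValueOrNull $vmPath 'MinVmVersionForCpuBasedMitigations'
Write-Output ('FeatureSettingsOverride={0} FeatureSettingsOverrideMask={1} MinVmVersionForCpuBasedMitigations={2}' -f $override, $mask, $vmMin)
if ($override -eq 0 -and $mask -eq 3) {
    Write-Output 'Mitigations explicitly enabled via the Memory Management overrides.'
} elseif ($null -eq $override) {
    Write-Output 'No override present: on Windows Server the mitigations stay off until these are set.'
}

# 4. Ask the kernel what is actually active, if the SpeculationControl module is installed.
if (Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    Write-Output 'SpeculationControl module not installed (Install-Module SpeculationControl).'
}
```

Reading these HKLM values and their ACLs does not require an elevated prompt; only the reg add commands earlier in the thread, which write them, do. The registry values say what was configured, while Get-SpeculationControlSettings reports whether the running kernel has the mitigations enabled, so a mismatch between steps 3 and 4 is the interesting finding.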
There is no proof of this in the wild.
This is shit-based research proving a flaw that has existed for decades and that needs local code to be up and running.
I will not cut off three toes because YOU have decided I will stub my toe on a table that isn't there yet and that I will resist buying.
If malware can set this reg key, your machine is already done (it's only writable by SYSTEM/admin).
It seems a legitimate question: I've somehow managed to live through the last thirty years without _ever_ getting an infection - well, at least none that was detected by Norton, Avira, MSE, Checkpoint, or Antimalwarebytes, all of which I used at one time or another. Living without antivirus, then, seems quite well possible. Would I really have to go and set a registry key myself just to get updates again?
Damn that's gonna make it hard to get the Linux ladies now.
Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
I updated my Win 7 installation with the newest security patch, but what do I read in the following support document?
Nothing indicates that KB4056894 has anything to do with the "Meltdown" and "Spectre" vulnerabilities. I have to read about KB4056894 in other people's articles which I can't trust just like that.
https://support.microsoft.com/en-us/help/4056894/windows-7-update-kb4056894
What am I missing here? I still do not know if I have received an update that prevents any freaking guy from ending up reading my passwords from my memory.
You can actually make a case that a lot of security/antivirus products rather than protecting from malware, are actually malware.
They:
1) Cause other programs to stop working or even the OS not to start
2) Run with very high privilege levels
3) Are unnecessarily hard to remove
4) Disable Windows Defender
5) Often mess with Windows Update
It's like this sad tale of becoming what you most fear and are trying to stop.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Yes.
Because it doesn't put blame or liability on MS, but it is also a better technical solution. If your scenario happens, they reboot into safe mode/repair and remove the AV product at fault.
90% of the difficulty in tech is finding the culprit. MS saves us that step.
You missed one nasty feature of an AV.
AVs are tapping your browser and become a MITM during your SSL/TLS web transactions.
Almost all AVs have browser plugins that do just this.
Not correct: since the key is under HKEY_LOCAL_MACHINE, it requires admin powers before you can modify it.
... Going forward, the end user (or whatever malware is on their machine) can permanently disable Windows updates by setting registry security to prevent such a key from getting created in the first place?
True.
And come to think of it, most AV software was installed by a third party: the PC manufacturer or someone who 'repaired' the machine. It starts off relatively unobtrusive, and after a few months it demands a credit card to stay updated, with dire warnings about the consequences of not staying updated.
I had to buy the more expensive retail version of Windows 7 a while ago, because Microsoft decided that OEM builders could no longer use the OEM version if you actually want to use the computer that you build yourself. The motherboard and CPU developed problems, so I had to replace them, which was perfectly within the licence of the retail version of Windows 7. .NET updates so AutoCAD will install. (These are high-end purpose-built company CAD workstations. Note that we would need to buy retail versions of Windows before we could even begin to think about volume licensing, because volume licences are upgrades only, and we are not allowed to start with an OEM licence.)
This week I had a lot of warnings about my CPU not being supported, and my Windows updates would not work. I spent a long time scanning for viruses and eventually re-installing everything, and ended up with the same errors. Turns out that it was not a virus: Microsoft was actually blocking security updates because my CPU is suddenly too "new" for Windows 7, and recommends upgrading to Windows 10 (which would then be locked to that hardware, unlike the Windows 7 I already have, not even considering that I don't want or need Windows 10; all my hardware is supported under Windows 7 and I can live without the telemetry and built-in ads).
So I'm now installing the open-source wufuc driver to hack myself into a working windows update so I can install security updates for this POS OS and
I'm sure that everyone with a pirated Windows 7 will still receive security updates and get exactly the same quality of support from Microsoft that we have enjoyed.
We have currently moved _ALL_ of our company servers to Linux (except a licence server, running Windows 7 Home), and if we get even more shit from Microsoft we are planning to replace AutoCAD on Windows with Rhino on Mac on all the desktops. Microsoft is currently our biggest risk in meeting our deadlines, and I could get a very decent budget signed off in seconds if I could find a way to get rid of it.
Windows is the malware
I thought Windows was THE malware.
Disabling is for pussies. Delete the files after disabling them. Delete also any abilities of Windows to install the files again.
Then it won't be able to use the services even if it wants to. And if Windows does not work after deleting them, well, that's proof Windows is lying about them being disabled.
Now that is insanity.
Perhaps you are correct for state level zero-day exploits seeking to avoid detection.
However, typical malware is not usually so discreet. Windows Update provides remediation and protection against malware, limiting or eliminating existing infections. Typical victims of malware are usually less technically savvy, and thus would not be able to repair a machine themselves, nor would they notice that Windows Update was not working. So it depends on the target and the payload.
What if you don't run AV software, so of course the key isn't set? Seems like this is another case of MS withholding updates to "encourage" (or discourage) various behaviors.
Remember MS claimed it wouldn't update Win7 for those who update their CPU. I wonder if that will change due to the Intel CPU security bugs?