Slashdot Mirror
Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.
Now windows malware will mess with that key to stop updates
Microsoft finally comes up with a way for the user to potentially have some level of control over their patches. All you have to do is mess around with a registry key and forgo all patches altogether. People have been demanding to have some level of control and this is what Microsoft comes up with...
Remember,
For Windows Server, you will need to also set the following three registry keys to enable post patch install. With Windows Home/pro, it's already enabled after installation.
For Windows Server.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
To Validate status, you can run the PowerShell command Get-SpeculationControlSettings.
If Windows 10 or Server 2016, you can skip the first step.
1. Set-ExecutionPolicy Bypass
2. Install-Module SpeculationControl
3. Get-SpeculationControlSettings
You will now see results.
4. Set-ExecutionPolicy Restricted (to protect the system via securing powershell again)
Good luck. Be sure to apply BIOS updates when and if applicable to stave off Spectre
Life is not for the lazy.
Who runs AV's anyway?
Call me crazy, but I don't want to spend money on a subscription. I practice safe web.
Considering that some Antivirus programs are using undocumented API's and aren't compatible with the Windows Meltdown patch, this isn't really a bad idea. This isn't a great idea, but it's better than your system getting stuck in a crash/reboot loop after installing the patch. I hope that they throw up a warning to the end user to update your damn antivirus software as well, and then make the registry key go away once it is.
I also hope that they just use this as a temporary fix, or hackers will use this registry key to prevent their botnets from getting patched as well.
Checkout ClamAV
It pains me to side with Microsoft but their decision here is a good and legitimate one.
The key to it's legitimacy is this quote:
There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.
Anons need not reply. Questions end with a question mark.
So we finally got an easy way to disable automatic updates on Windows 10 ?
I came to say exactly this. I have no idea how they are going to protect it from a program that acquires root (Admin) privileges somehow. A Malware program that installs itself, has these kind of rights.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Apparently This is a temporary solution according to Microsoft.
https://support.microsoft.com/...
Q3: How long will Microsoft require setting a registry key to receive the January 3, 2018, security updates?
A3: Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.
In Soviet Russia, Trojan exploits YOU!
this was known on the weekend, when I did a couple windows boxes and the windows partition on my AMD II laptop (which went fine by the way, however even if you get BSOD you can go into repair mode and uninstall the KB)
So I've known about this for 3 days and I'm a freakin Linux desktop user at home and mac pro user at work!
So what happens if I don't install any AV-product and also don't use the Microsoft AV-Solution?
Since nothing could set the RegKey, I also don't get updates?
So the better solution is to let the AV trash the OS so the user gets a BSOD on reboot? The reason they are requiring this is because if the AV isn't patched it trashes the update and leaves the OS unbootable. I'm sure once the majority of AVs push out a patch (which lets be honest an AV that doesn't push out some updates to deal with Meltdown is a truly shit AV) they will simply remove this requirement from the patch.
ACs don't waste your time replying, your posts are never seen by me.
I think this is a move on Microsoft's part to be a little more adult than they have been in the past, and give these third party software vendors a bit more time to work around a change that would completely disable their software, if not the whole computer, due to hackery involved in how these AV softwares work.
Past Microsoft would have just chucked the patch out saying "important security update available! Install now!" and then act with total indifference when your OS load is left as a twisted flaming wreck, and blame the AV vendor. Present Microsoft seems to actually give a shit about not bombing millions of PCs just because of a knee-jerk reaction to a legitimate security vulnerability with no known exploits.
I think I like Present Microsoft a lot better than Past Microsoft. I still dislike Windows, though 10 is far better than the abomination that was Windows 8.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Why not just give Microsoft the keys to your life? "Defender" is just an NSA doccument scanner.
Past Microsoft would have just chucked the patch out saying "important security update available! Install now!" and then act with total indifference when your OS load is left as a twisted flaming wreck, and blame the AV vendor
Who did they blame when updating to Windows 10 did this? I don't think it was the AV vendor, but it certainly wasn't themselves.
You have bigger problems than a registry key if the malware has root.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
True enough.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
sudo yes > /dev/hda
Nope, first of all /dev/hda won't exist, we moved on to sda and mmcblk a good decade ago. But more importantly the sudo applies to the yes command, not to the redirect, so all you are doing is running 'yes' as root and then trying to write to the dev as an ordinary user.
Smells like Vendor lock-in to me.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Today's hardware is very fast. AV products are computer programs that make your computer go slower so that the user can keep up with the interface, and also to keep the hardware from going unsafely fast, which can result in a crash if the user reaction time is too delayed.
Linus doesn't have these softwares, because open sores programmers aren't smart enough to figure out how to make it work.
"Believe me!" -- Donald Trump
How is it vendor lock-in?
Microsoft is not forcing you to uninstall the third party solution. Microsoft is not usurping the third party solution in favor of their own. Microsoft is not saying "no more updates if you use third party AV." They are simply saying "we're not installing updates that have the potential for Bad Things (tm) until any anti-virus solution you have installed sets a flag telling us it's okay to proceed."
You are no more locked in, or out, than you were before, to literally anything. If you aren't getting updates from your AV vendor that will set this flag, that's between you and the AV vendor.
I guess what I want to know is what happens if you have Windows Defender disabled, and don't have any other AV installed - does this bit never get set and you just lose Windows Update without manually setting it? That's probably not the best design, but I imagine there aren't a lot of people "brave" enough to run Windows without antivirus of some kind these days.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
If the malware is already installed, then its in their interest to ensure your system gets updates so it's less likely to get infected by any competing malware...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Once a machine has a root kit installed , the game is lost. You can't remove rooted malware from the same machine. You might be able to clean the disk from a different machine, maybe, if it's low-rent malware. Of course, the Snowden leaks included NSA malware that lives in the BIOS of the drive, so it might just root the second system. Thanks NSA.
Socialism: a lie told by totalitarians and believed by fools.
Is there a truly detailed breakdown of the patches some where?
If malware can set this reg key - your machine is already done (its only writable by system/admin).
It seems a legitimate question: I've somehow managed to live through the last thirty years without _ever_ getting an infection - well, at least none that was detected by Norton, Avira, MSE, Checkpoint, or Antimalwarebytes, all of which I used at one time or another. Living without antivirus, then, seems quite well possible. Would I really have to go and set a registry key myself just to get updates again?
Comment removed based on user account deletion
Damn that's gonna make it hard to get the Linux ladies now.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
I have an older linux box and it started crashing, so I underclocked it and now its fine. You might be onto something there!
You can actually make a case that a lot of security/antivirus products rather than protecting from malware, are actually malware.
They
1) Cause other programs to stop working or even the OS not to start
2) Run with very high privilege levels
3) Are unnecessarily hard to remove
4) Disable Windows Defender
5) Often mess with Windows Update.
It's like this sad tale of becoming what you most fear and are trying to stop.
.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
... Going forward the end user (or whatever malware on their machine) can permanently disable windows updates by setting registry security to prevent such a key from getting created in the first place?
True.
And come to think if it, most AV software was installed by a third party - the PC manufacturer or someone who 'repaired' the machine. It starts off relatively unobtrusive and after a few months it demands a credit card to stay updated. With dire warnings about the consequences of not staying updated.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Kb4056894 does include the mitigation for the rogue data cache load and the software portion of the mitigation for branch target injection.
Microsoft describes this KB as the resolution for this issue on Windows 7 here:
https://portal.msrc.microsoft....
Note that to be fully protected from branch target injection you also need a CPU Microcode update from your hardware vendor.
I thought Windows was THE malware.
Now that is insanity.
Perhaps you are correct for state level zero-day exploits seeking to avoid detection.
However, typical malware is not usually so discreet. Windows Updates provides remediation and protection against malware, limiting or eliminating existing infections. Typical victims of malware are usually less technically savvy, and thus would not be able to repair a machine themselves, nor would notice that Windows Updates was not working. So it depends on the target and the payload.
Dude, you are out of touch. Let your IT people deal with computer stuff. You don't know what you're talking about. Windows 7 not supporting the new CPUs were publicly stated a year before the CPUs even came out. You're out of the loop. You fucked up.
What if you don't run AV SW -- so of course the key isn't set. Seems like this is another case of MS withholding updates to "encourage" (or discourage) various behaviors.
Remember MS claimed it wouldn't update Win7 for those who update their CPU. I wonder if that will change due to the Intel CPU security bugs?