Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com)

Posted by msmash on from the my-way-or-highway dept.

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.

11 of 136 comments (clear)

  1. Something wrong here by onyxruby · · Score: 3, Interesting

    Microsoft finally comes up with a way for the user to potentially have some level of control over their patches. All you have to do is mess around with a registry key and forgo all patches altogether. People have been demanding to have some level of control and this is what Microsoft comes up with...

    1. Re:Something wrong here by dkone · · Score: 3, Informative

      You do know that you can just disable the Windows Update service right? That was a 'feature' that you were able to implement from day one.

    2. Re:Something wrong here by StormReaver · · Score: 5, Informative

      You do know that you can just disable the Windows Update service right?

      Microsoft frequently ignores that setting.

    3. Re:Something wrong here by thegreatbob · · Score: 3, Informative

      Disable wuauserv, dosvc, and bits.... it's going to have an awfully hard time doing anything after that. I haven't found it to be able to re-enable itself under those conditions. Exception might be if it had updates queued during the next shutdown, though I'm not certain.

      --
      There is no XUL, only WebExtensions...
  2. Windows Server by DigiShaman · · Score: 4, Informative

    Remember,

    For Windows Server, you will need to also set the following three registry keys to enable post patch install. With Windows Home/pro, it's already enabled after installation.

    For Windows Server.

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f

    To Validate status, you can run the PowerShell command Get-SpeculationControlSettings.

    If Windows 10 or Server 2016, you can skip the first step.

    1. Set-ExecutionPolicy Bypass
    2. Install-Module SpeculationControl
    3. Get-SpeculationControlSettings
    You will now see results.
    4. Set-ExecutionPolicy Restricted (to protect the system via securing powershell again)

    Good luck. Be sure to apply BIOS updates when and if applicable to stave off Spectre

    --
    Life is not for the lazy.
  3. What if you don't an AV? by Anonymous Coward · · Score: 3, Interesting

    Who runs AV's anyway?

  4. Legitimate decision. by Gravis+Zero · · Score: 5, Interesting

    It pains me to side with Microsoft but their decision here is a good and legitimate one.

    The key to it's legitimacy is this quote:

    There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.

    --
    Anons need not reply. Questions end with a question mark.
  5. Re:Now windows malware will mess with that key to by bondsbw · · Score: 4, Insightful

    You have bigger problems than a registry key if the malware has root.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  6. Re:No AV - No Updates? by sinij · · Score: 4, Funny

    So what happens if I don't install any AV-product and also don't use the Microsoft AV-Solution?

    It is highly unreasonable to expect MS to be able to patch your Linux box. :P

  7. Re:Now windows malware will mess with that key to by Skuld-Chan · · Score: 4, Informative

    If malware can set this reg key - your machine is already done (its only writable by system/admin).

  8. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion