Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com) 136
Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.
Now windows malware will mess with that key to sto (Score:1, Interesting)
Now windows malware will mess with that key to stop updates
Re: (Score:3)
If the malware is already installed, then its in their interest to ensure your system gets updates so it's less likely to get infected by any competing malware...
Re: Now windows malware will mess with that key to (Score:2)
Perhaps you are correct for state level zero-day exploits seeking to avoid detection.
However, typical malware is not usually so discreet. Windows Updates provides remediation and protection against malware, limiting or eliminating existing infections. Typical victims of malware are usually less technically savvy, and thus would not be able to repair a machine themselves, nor would notice that Windows Updates was not working. So it depends on the target and the payload.
Re: (Score:2, Interesting)
Re:Now windows malware will mess with that key to (Score:5, Insightful)
You have bigger problems than a registry key if the malware has root.
Re: (Score:1)
Re: (Score:3)
You can actually make a case that a lot of security/antivirus products rather than protecting from malware, are actually malware.
They
1) Cause other programs to stop working or even the OS not to start
2) Run with very high privilege levels
3) Are unnecessarily hard to remove
4) Disable Windows Defender
5) Often mess with Windows Update.
It's like this sad tale [slashdot.org] of becoming what you most fear and are trying to stop.
.
Re: (Score:2)
True.
And come to think if it, most AV software was installed by a third party - the PC manufacturer or someone who 'repaired' the machine. It starts off relatively unobtrusive and after a few months it demands a credit card to stay updated. With dire warnings about the consequences of not staying updated.
Re: (Score:3)
Once a machine has a root kit installed , the game is lost. You can't remove rooted malware from the same machine. You might be able to clean the disk from a different machine, maybe, if it's low-rent malware. Of course, the Snowden leaks included NSA malware that lives in the BIOS of the drive, so it might just root the second system. Thanks NSA.
Re: (Score:3)
Apparently This is a temporary solution according to Microsoft.
https://support.microsoft.com/... [microsoft.com]
Q3: How long will Microsoft require setting a registry key to receive the January 3, 2018, security updates?
A3: Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.
Re: (Score:3)
Re:Now windows malware will mess with that key to (Score:5, Informative)
If malware can set this reg key - your machine is already done (its only writable by system/admin).
Comment removed (Score:5, Insightful)
Re: (Score:2)
Something wrong here (Score:4, Interesting)
Microsoft finally comes up with a way for the user to potentially have some level of control over their patches. All you have to do is mess around with a registry key and forgo all patches altogether. People have been demanding to have some level of control and this is what Microsoft comes up with...
Re: (Score:2)
Well, if you don't run any antivirus at all, who is there to set the registry key in the first place?
Re: (Score:2)
I'm assuming Windows Update looks for an installed AV. Only if there's an installed AV and no registry key do you get no update.
Re:Something wrong here (Score:4, Informative)
You do know that you can just disable the Windows Update service right? That was a 'feature' that you were able to implement from day one.
Re:Something wrong here (Score:5, Informative)
You do know that you can just disable the Windows Update service right?
Microsoft frequently ignores that setting.
Re:Something wrong here (Score:4, Informative)
Re: (Score:2, Interesting)
Re: (Score:2)
And what if you use BITS (or one of your applications does)?
Re: (Score:2)
it's going to have an awfully hard time doing anything after that.
Maybe, but it's entirely possible that there is code in Windows that will re-enable any or all of those things. There is no way for you, or anyone not employed by Microsoft, to know for sure. You could very well disable every known entry point to Windows Update, and still miss many more that are not known.
For all we know, Microsoft embeds versions of those files in Windows itself, ready to be re-created if Windows finds them missing at some heretofore unpublished juncture. There is no way to know, and no
Re: (Score:2)
"just unplug from the Interwebs."
Better yet, unplug it from the internet, then unplug it from the power source, then encase it in quick setting concrete. THAT'll almost certainly block MS Update ... at least for a while.
Re: (Score:2)
You probably want to toss it in the sea, too, just to be sure.
Also, avoid reinforced concrete, the rebar can act as an antenna.
Re: (Score:2)
Windows Update Service being disabled is not an ignorable setting. It is something that would generate a system error if another service or task attempts to start it.
Comment removed (Score:5, Informative)
Re: (Score:2)
Re: (Score:1)
According to this page, only clients (WinX, 8.1, 8,7) need these 2 registry entries:
https://support.microsoft.com/... [microsoft.com]
Thoughts? Still applies to all windows OS's?
Re: (Score:2)
Re: (Score:1)
I know that 3rd is for HyperV. and I previously was enabling the first 2 for servers. But then I ran across the linked article today and was like "WTFF? Clients too??"
Re: (Score:2)
Re: (Score:1)
I think I've found the answer!
Here is the companion document:
Client-
https://support.microsoft.com/... [microsoft.com]
Server-
https://support.microsoft.com/... [microsoft.com]
Answer-
https://support.microsoft.com/... [microsoft.com]
At the bottom:
BTIWindowsSupportEnabled: True -> on client, no action required. On server, follow guidance.
KVAShadowWindowsSupportEnabled: True -> on client, no action required. On server, follow guidance.
So it seems that the client document just has that same info, but on client, no action required.
What a documentation craz
Re: (Score:1)
Alright, I have good news for you: the 2 links don't need manually enabled! They are enabled by default and MS talks about it for orgs that want to switch them off and on without dealing with uninstalling the update.
Src:
Note By default, this update is enabled. No customer action is required to enable the fixes. We are providing the following registry information for completeness in the event that customers want to disable the security fixes related to CVE-2017-5715 and CVE-2017-5754 for Windows clients.
http [microsoft.com]
Re: (Score:2)
At least windows is easy, imagine how hard the linux patch must be to install! ;)
What if you don't an AV? (Score:3, Interesting)
Who runs AV's anyway?
Re: What if you don't an AV? (Score:2)
Re: (Score:2)
So your entire point is that virus scanners can't detect new attacks, only ones previously discovered?
So fucking what. Those previously discovered attacks are still out there, and by far the largest threat. So people will still benefit from preventing them.
Re: (Score:2)
Re: As a Linux user (Score:2, Insightful)
sudo yes > /dev/hda
Nope, first of all /dev/hda won't exist, we moved on to sda and mmcblk a good decade ago. But more importantly the sudo applies to the yes command, not to the redirect, so all you are doing is running 'yes' as root and then trying to write to the dev as an ordinary user.
Re: (Score:2)
Today's hardware is very fast. AV products are computer programs that make your computer go slower so that the user can keep up with the interface, and also to keep the hardware from going unsafely fast, which can result in a crash if the user reaction time is too delayed.
Linus doesn't have these softwares, because open sores programmers aren't smart enough to figure out how to make it work.
Re: (Score:2)
I have an older linux box and it started crashing, so I underclocked it and now its fine. You might be onto something there!
Don't want to subscribe (Score:2)
Call me crazy, but I don't want to spend money on a subscription. I practice safe web.
Re: (Score:2)
You can often make an animated menu with just CSS and GIFs.
But if you're already allowing html5, you can use that for menus too.
Re: (Score:2)
So you're not worried about the dozens of exploits fixed in browsers every month, in image decoding libraries, media libraries, etc.? Even sometimes in the SSL/TLS libraries.
What are you browsing the web with, PuTTY?
Must be quite the experience.
Re: (Score:2)
Given that the web as it was originally design is a lot like DOS and everything that's been grafted on top of it is crap like Windows, I'd almost rather surf in pure text mode.
Re: (Score:2)
I'd almost rather surf in pure text mode.
It looks like the text-only browsers have vanished, though I guess you can do like RMS and surf with wget and emacs. Links [wikipedia.org] has very-little grafted-on crap, though.
Re: (Score:2)
But here's a much better question: Why the f*ck isn't it the responsibility of the OS and browser companies to patch their security holes for free and provide their own anti-malware capability? They are the ones making the problems possible.
Re: (Score:2)
The browser devs have patched and MS has Windows Defender. How about you learn something before posting shit?
Re: (Score:2)
Then why do programs like McAfee, Kaspersky, PCMatic, etc, even exist?
Re: (Score:2)
FUD and ignorance. Those programs came about as a response to vulnerabilities in DOS. They continue to be successful as a business model because they use fear as a marketing tactic.
As I explain to my customers - suite "X" won't stop working if you let the subscription expire, it just won't get any updates. Yes, your risk increases, but that annoying pop-up is just trying to scare you. Call me when your subscription is about to expire and we can discuss alternatives.
Some of the free suites are OK but it's a
Re: Don't want to subscribe (Score:2)
Any time I can avoid spending mopping up after the average joe is a good thing.
Furthermore, a subscription expiring does not automatically mean that the anti-virus will no longer recieve updates. When AVG's subscription expires it switches to the free mode, and receives the same updates as the free version.
Re: (Score:2)
Didn't know that about AVG - I've been avoiding it as much as possible.
Not a terrible idea for now (Score:2)
Considering that some Antivirus programs are using undocumented API's and aren't compatible with the Windows Meltdown patch, this isn't really a bad idea. This isn't a great idea, but it's better than your system getting stuck in a crash/reboot loop after installing the patch. I hope that they throw up a warning to the end user to update your damn antivirus software as well, and then make the registry key go away once it is.
I also hope that they just use this as a temporary fix, or hackers will use this reg
Legitimate decision. (Score:5, Interesting)
It pains me to side with Microsoft but their decision here is a good and legitimate one.
The key to it's legitimacy is this quote:
There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.
Re: (Score:2)
Fine, fine...
Now explain to us:
a) how this works out if you change AV software (to one not compatible), and
b) how this works if you do not use an AV product at all.
Thanks!
Finally! (Score:2)
Re: (Score:1, Redundant)
Yes finally... oh wait you could just disable the Windows Update service and you could have done so forever ago.
Re: Finally! (Score:1)
There are several other services which also have to be disabled. It's not as simple as you claim.
Re: (Score:2)
No, really, it's trivial to block updates.
What's a real pain in the arse is remembering how you did it so that you can re-enable them when you do want to update.
Re: (Score:2)
Just this one patch ;).
Re: (Score:2)
I think this is a move on Microsoft's part to be a little more adult than they have been in the past, and give these third party software vendors a bit more time to work around a change that would completely disable their software, if not the whole computer, due to hackery involved in how these AV softwares work.
Past Microsoft would have just chucked the patch out saying "important security update available! Install now!" and then act with total indifference when your OS load is left as a twisted flaming w
Re: (Score:2)
Past Microsoft would have just chucked the patch out saying "important security update available! Install now!" and then act with total indifference when your OS load is left as a twisted flaming wreck, and blame the AV vendor
Who did they blame when updating to Windows 10 did this? I don't think it was the AV vendor, but it certainly wasn't themselves.
Re: (Score:2)
Smells like Vendor lock-in to me.
Re: (Score:2)
How is it vendor lock-in?
Microsoft is not forcing you to uninstall the third party solution. Microsoft is not usurping the third party solution in favor of their own. Microsoft is not saying "no more updates if you use third party AV." They are simply saying "we're not installing updates that have the potential for Bad Things (tm) until any anti-virus solution you have installed sets a flag telling us it's okay to proceed."
You are no more locked in, or out, than you were before, to literally anything. I
Re: Seems logical move by Microsoft (Score:1)
Why not just give Microsoft the keys to your life? "Defender" is just an NSA doccument scanner.
not timely slashdot (Score:2)
this was known on the weekend, when I did a couple windows boxes and the windows partition on my AMD II laptop (which went fine by the way, however even if you get BSOD you can go into repair mode and uninstall the KB)
So I've known about this for 3 days and I'm a freakin Linux desktop user at home and mac pro user at work!
Re: (Score:3)
1. Since when was Slashdot ever timely?
2. I've skimmed a bunch of Spectre and Meltdown articles, haven't seen the registry key mentioned before now.
Re: (Score:2)
that info was out on weekend, I use AVG antivirus which does set it
No AV - No Updates? (Score:1)
So what happens if I don't install any AV-product and also don't use the Microsoft AV-Solution?
Since nothing could set the RegKey, I also don't get updates?
Re:No AV - No Updates? (Score:5, Funny)
So what happens if I don't install any AV-product and also don't use the Microsoft AV-Solution?
It is highly unreasonable to expect MS to be able to patch your Linux box. :P
Re: (Score:2)
I'd expect it to be their friends from the BSA that do that part.
What if you don't have any anti-virus running? (Score:2)
It seems a legitimate question: I've somehow managed to live through the last thirty years without _ever_ getting an infection - well, at least none that was detected by Norton, Avira, MSE, Checkpoint, or Antimalwarebytes, all of which I used at one time or another. Living without antivirus, then, seems quite well possible. Would I really have to go and set a registry key myself just to get updates again?
Re: (Score:2)
And if you don't, the patch should just install normally.
Re: (Score:2)
>> Would I really have to go and set a registry key myself just to get updates again?
If you have manually removed the AV software that ships with the OS and have no other AV product installed, then yes you will need to set the registry key yourself.
So my condom has to be MS cetified? (Score:2)
Damn that's gonna make it hard to get the Linux ladies now.
So.. (Score:3)
What if you don't have an AV? (Score:2)
What if you don't run AV SW -- so of course the key isn't set. Seems like this is another case of MS withholding updates to "encourage" (or discourage) various behaviors.
Remember MS claimed it wouldn't update Win7 for those who update their CPU. I wonder if that will change due to the Intel CPU security bugs?
Re: (Score:1)
Re: (Score:2)
Kb4056894 does include the mitigation for the rogue data cache load and the software portion of the mitigation for branch target injection.
Microsoft describes this KB as the resolution for this issue on Windows 7 here:
https://portal.msrc.microsoft.... [microsoft.com]
Note that to be fully protected from branch target injection you also need a CPU Microcode update from your hardware vendor.
Re: wufuc (Score:2)