Microsoft Says No More Windows Security Updates Unless AVs Set a Registry Key (bleepingcomputer.com)
Date: 2018-01-09
Catalin Cimpanu, reporting for BleepingComputer: Microsoft has added a new and very important detail on the support page describing incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. According to an update added this week, Microsoft says that Windows users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. The way antivirus programs become compatible is by updating their product and then adding a special registry key to the Windows Registry. The presence of this registry key tells the Windows OS the AV product is compatible and will trigger the Windows Update that installs the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs.
Now Windows malware will mess with that key to sto (Score:4, Interesting)
Now Windows malware will mess with that key to stop updates
You have bigger problems than a registry key if the malware has root.
Apparently this is a temporary solution according to Microsoft.
https://support.microsoft.com/... [microsoft.com]
Q3: How long will Microsoft require setting a registry key to receive the January 3, 2018, security updates?
A3: Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates. Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.
Something wrong here (Score:3)
Microsoft finally comes up with a way for the user to potentially have some level of control over their patches. All you have to do is mess around with a registry key and forgo all patches altogether. People have been demanding to have some level of control and this is what Microsoft comes up with...
Well, if you don't run any antivirus at all, who is there to set the registry key in the first place?
I'm assuming Windows Update looks for an installed AV. Only if there's an installed AV and no registry key do you get no update.
You do know that you can just disable the Windows Update service right? That was a 'feature' that you were able to implement from day one.
Re:Something wrong here (Score:5, Informative)
You do know that you can just disable the Windows Update service right?
Microsoft frequently ignores that setting.
Windows Server (Score:5, Informative)
Remember,
For Windows Server, you will need to also set the following three registry keys to enable post patch install. With Windows Home/pro, it's already enabled after installation.
For Windows Server.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
To validate status, you can run the PowerShell command Get-SpeculationControlSettings.
If Windows 10 or Server 2016, you can skip the first step.
1. Set-ExecutionPolicy Bypass
2. Install-Module SpeculationControl
3. Get-SpeculationControlSettings
You will now see results.
4. Set-ExecutionPolicy Restricted (to protect the system via securing PowerShell again)
Good luck. Be sure to apply BIOS updates when and if applicable to stave off Spectre.
Edit: All steps apply. It's just that you will need to install the PowerShellGet module. However, it's included with Windows 10 and 2016.
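A read-only check of the three values set by the reg add commands in the comment above, as an added example that is not part of the original comment. The helper name Test-MitigationRegistry is hypothetical and PowerShell 3.0 or later is assumed; the expected data is copied from the posted commands.

```powershell
# Added example: audits the three registry values from the comment above.
# Nothing is written to the registry; expected data comes from the posted commands.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$vz = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

$expected = @(
    @{ Path = $mm; Name = 'FeatureSettingsOverride';            Kind = 'DWord';  Data = 0 }
    @{ Path = $mm; Name = 'FeatureSettingsOverrideMask';        Kind = 'DWord';  Data = 3 }
    @{ Path = $vz; Name = 'MinVmVersionForCpuBasedMitigations'; Kind = 'String'; Data = '1.0' }
)

function Test-MitigationRegistry {   # hypothetical helper name
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $state = 'Missing'; $actual = $null; $kind = $null
        # The key itself may not exist (for example, Virtualization on a fresh host).
        $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $c.Name)) {
            $actual = $key.GetValue($c.Name)
            $kind   = $key.GetValueKind($c.Name)   # DWord, String, ...
            # A value of the wrong type is reported separately from wrong data.
            $state = if ("$kind" -ne $c.Kind)     { 'WrongType' }
                     elseif ($actual -ne $c.Data) { 'WrongData' }
                     else                         { 'OK' }
        }
        [pscustomobject]@{
            Name     = $c.Name
            Expected = $c.Data
            Actual   = $actual
            Type     = $kind
            State    = $state
        }
    }
}

$report = Test-MitigationRegistry -Checks $expected
$report | Format-Table -AutoSize

# Flag the host if any value is missing or differs from the posted settings.
$bad = @($report | Where-Object { $_.State -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) value(s) differ from the posted settings."
}
```

The registry values only show what was configured; Get-SpeculationControlSettings from the comment's steps is still what reports the mitigation status.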
What if you don't an AV? (Score:1)
Who runs AVs anyway?
Don't want to subscribe (Score:2)
Call me crazy, but I don't want to spend money on a subscription. I practice safe web.
So you're not worried about the dozens of exploits fixed in browsers every month, in image decoding libraries, media libraries, etc.? Even sometimes in the SSL/TLS libraries.
What are you browsing the web with, PuTTY?
Must be quite the experience.
Not a terrible idea for now (Score:2)
Considering that some antivirus programs are using undocumented APIs and aren't compatible with the Windows Meltdown patch, this isn't really a bad idea. This isn't a great idea, but it's better than your system getting stuck in a crash/reboot loop after installing the patch. I hope that they throw up a warning to the end user to update your damn antivirus software as well, and then make the registry key go away once it is.
I also hope that they just use this as a temporary fix, or hackers will use this reg
Legitimate decision. (Score:2)
It pains me to side with Microsoft but their decision here is a good and legitimate one.
The key to its legitimacy is this quote:
There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.
Fine, fine...
Now explain to us:
a) how this works out if you change AV software (to one not compatible), and
b) how this works if you do not use an AV product at all.
Thanks!
Finally! (Score:2)
Re: (Score:3)
Yes finally... oh wait you could just disable the Windows Update service and you could have done so forever ago.
I think this is a move on Microsoft's part to be a little more adult than they have been in the past, and give these third party software vendors a bit more time to work around a change that would completely disable their software, if not the whole computer, due to hackery involved in how these AV softwares work.
Past Microsoft would have just chucked the patch out saying "important security update available! Install now!" and then act with total indifference when your OS load is left as a twisted flaming w
Past Microsoft would have just chucked the patch out saying "important security update available! Install now!" and then act with total indifference when your OS load is left as a twisted flaming wreck, and blame the AV vendor
Who did they blame when updating to Windows 10 did this? I don't think it was the AV vendor, but it certainly wasn't themselves.
Why not just give Microsoft the keys to your life? "Defender" is just an NSA document scanner.
not timely slashdot (Score:2)
This was known on the weekend, when I did a couple of Windows boxes and the Windows partition on my AMD II laptop (which went fine by the way; however, even if you get a BSOD you can go into repair mode and uninstall the KB).
So I've known about this for 3 days and I'm a freakin Linux desktop user at home and Mac Pro user at work!
1. Since when was Slashdot ever timely?
2. I've skimmed a bunch of Spectre and Meltdown articles, haven't seen the registry key mentioned before now.
No AV - No Updates? (Score:1)
So what happens if I don't install any AV-product and also don't use the Microsoft AV-Solution?
Since nothing could set the RegKey, I also don't get updates?