You’re security conscious. You’re aware of the threats. You like to run a tight ship.
You install the latest security patches, and - of course - you run an up-to-date anti-virus.
Well, things just got a heck of a lot more complicated for users of some anti-virus programs.
That’s because Microsoft has said that customers who are running certain anti-virus products will not receive its bundle of January 2018 security patches (including mitigations against the Spectre and Meltdown CPU flaws) unless the vendor certifies that its product doesn’t make unsupported calls into Windows kernel memory.
According to Redmond, some security products jump through hoops and perform double somersaults to bypass the Kernel Patch Protection built into the operating system. Unfortunately, those techniques are incompatible with Microsoft’s latest patches, and cause computers to crash with a blue screen.
So, Microsoft is demanding that anti-virus vendors certify that their software works with its fixes by setting a specific registry value every time their product starts up. Windows Update checks for that value before it will offer the patches.
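The check Windows Update performs is a plain registry lookup, so an administrator can see why a machine is (or isn’t) being offered the patches without waiting for the vendor. The PowerShell below is an added example, not code from the original post or from Microsoft; the key path and value name are the ones Microsoft published in its KB article for the January 2018 updates (KB4072699), while the function names and messages are this example’s own.

```powershell
# Added example (not from the original post): inspect, and optionally set, the
# "antivirus compatibility" flag that gates the January 2018 Windows updates.
# Key path and value name are from Microsoft's KB4072699; function names are
# this example's own.

$QualityCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # REG_DWORD, data must be 0

function Get-AvCompatFlag {
    # Returns $true only when the value exists as a DWORD with data 0,
    # which is exactly what Windows Update looks for.
    if (-not (Test-Path -Path $QualityCompatKey)) { return $false }
    $item = Get-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $data = $item.$QualityCompatValue
    return (($data -is [int]) -and ($data -eq 0))
}

function Set-AvCompatFlag {
    # Only for a machine whose AV vendor has confirmed compatibility (or that
    # runs no third-party AV at all). Setting this under an incompatible
    # product is precisely what Microsoft warns will blue-screen the box once
    # the update installs, so the function supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($QualityCompatKey, "Set $QualityCompatValue = 0")) {
        New-Item -Path $QualityCompatKey -Force | Out-Null
        New-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

if (Get-AvCompatFlag) {
    Write-Output "Compatibility flag is set: this machine is eligible for the January 2018 security updates."
} else {
    Write-Output "Compatibility flag is NOT set: Windows Update will withhold the January 2018 security updates."
    Write-Output "Confirm the installed anti-virus is listed as compatible before running Set-AvCompatFlag."
}
```

Run it as an administrator; `Get-AvCompatFlag` is read-only and safe to push across a fleet to find machines that are silently missing the patches. Because the flag is nothing more than a DWORD that anyone with local admin rights can create or delete, it is also worth alerting on unexpected changes to that key in whatever endpoint monitoring you already run.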
The message from Microsoft is fairly blunt:
Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key
To be fair, Microsoft is caught between a rock and a hard place on this one. The last thing they want to do is roll out an update that causes computers to crash. It’s a painful decision, but if they can determine which computers don’t appear to be running a “safe” anti-virus program then they’re probably right not to push out security updates to that PC.
Anti-virus vendors have little choice. They will have to fix their products to fall into line, as customers won’t be satisfied with being blocked from receiving Microsoft security updates.
As always, care will need to be taken by security vendors that any fixes are made properly so as not to introduce other unintended problems.
More details of the issue can be found in this blog post by researcher Kevin Beaumont, including a link to a spreadsheet he is maintaining of which anti-virus products are setting the Registry key.
Now then, I wonder how long it will be until we see bad guys toggling the Registry key to stop PCs receiving security updates?
For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast: