Until your anti-virus adds this Registry key, you aren’t getting any more Windows security updates

What a mess.

You’re security conscious. You’re aware of the threats. You like to run a tight ship.

You install the latest security patches, and - of course - you run an up-to-date anti-virus.

Well, things just got a heck of a lot more complicated for users of some anti-virus programs.

That’s because Microsoft has said that customers who are running certain anti-virus products will not receive its bundle of January 2018 security patches (including mitigations against the Spectre and Meltdown CPU flaws) unless their products certify that they don’t make unsupported calls into Windows kernel memory.

According to Redmond, some security products jump through some hoops and perform double somersaults to bypass the Kernel Patch Protection built into the operating system. And unfortunately, those techniques are incompatible with Microsoft’s latest patches - and cause computers to blue screen.

So, Microsoft is demanding that anti-virus products certify that their software works with its fixes by adding a registry key every time they start up.

The message from Microsoft is fairly blunt:

Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key

To be fair, Microsoft is caught between a rock and a hard place on this one. The last thing they want to do is roll out an update that causes computers to crash. It’s a painful decision, but if they can determine which computers don’t appear to be running a “safe” anti-virus program then they’re probably right not to push out security updates to those PCs.

Anti-virus vendors have little choice. They will have to fix their products to fall into line, as customers won’t be satisfied with being blocked from receiving Microsoft security updates.

As always, care will need to be taken by security vendors that any fixes are made properly so as not to introduce other unintended problems.

More details of the issue can be found in this blog post by researcher Kevin Beaumont, including a link to a spreadsheet he is maintaining of which anti-virus products are setting the Registry key.

Now then, I wonder how long it will be until we see bad guys toggling the Registry key to stop PCs receiving security updates?

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

9 Responses

  1. JoelB

    January 9, 2018 at 1:01 pm #

    “Now then, I wonder how long it will be until we see bad guys toggling the Registry key to stop PCs receiving security updates?”

    Graham, I would suggest that if bad guys are already messing around in HKLM then you probably have bigger problems!

    • Sveinbjorn in reply to JoelB.

      January 9, 2018 at 2:21 pm #

      Editing these registry keys in a vulnerable PC would just be one more way to keep your malware persistent and silently keep this PC unpatched.

  2. BaliRob

    January 9, 2018 at 2:01 pm #

    Meanwhile ...?

  3. Angie Jones

    January 9, 2018 at 2:18 pm #

    I noticed that Comodo Internet Security, which I have installed on my HP Windows computer, isn’t on the spreadsheet sheet list to be sent a Registry Key. Does that mean it’s compatible with the new updates?

    • Graham Cluley in reply to Angie Jones.

      January 9, 2018 at 3:02 pm #

      All that we can infer is that the guy maintaining the spreadsheet hasn’t created an entry for Comodo.

      I would recommend contacting Comodo technical support to discover what their status is.

      • Angie Jones in reply to Graham Cluley.

        January 10, 2018 at 5:35 pm #

        Hi Graham,

        Thank you for your reply, that helped a lot! 🙂

  4. Adrian

    January 9, 2018 at 6:11 pm #

    If no antivirus, Microsoft will not upgrade? Or Microsoft needs an antivirus from eligible editors to upgrade?

    • Carol in reply to Adrian.

      January 9, 2018 at 11:43 pm #

      It’s like a flag. If your antivirus doesn’t cause any issues (Blue screen of death) then you get an OK flag (register value) and Microsoft servers will eventually recognize and download the update.

  5. Chris Pugson

    January 14, 2018 at 10:27 am #

    My Windows 7 system uses an AMD Sempron 3000 64-bit processor. The quality compatibility registry entry (protected by security policy) is present but there is still no January 2018 update of any kind. I expect 3 separate updates: the main security rollup, a .NET security and quality rollup and good old KB890830. Only two (I guess) components are intended to fix the Meltdown/Spectre issue. There are probably other unconnected critical updates but are they really affected by the kernel updates required for the processor bug fix?
