Microsoft last week took the unprecedented step of requiring customers to have up-to-date antivirus software on their personal computers before it would hand over a critical security update.
"This was unique," said Chris Goettl, product manager with client security and management vendor Ivanti. "But there was a danger here."
Goettl was talking about the emergency updates Microsoft issued last week to bolster Windows' defenses against potential attacks leveraging the vulnerabilities labeled Meltdown and Spectre by researchers. Operating system and browser makers have shipped updates designed to harden systems against the vulnerabilities, which stemmed from design flaws in modern processors from companies such as Intel, AMD and ARM.
The danger, according to Microsoft, is that the updates might brick a PC because of antivirus (AV) software that improperly tapped into kernel memory.
"Microsoft has identified a compatibility issue with a small number of antivirus software products," the company wrote in a support document. "The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot."
"Stop errors" and "blue screen errors" are Microsoft euphemisms better known to Windows users as "Blue Screen of Death" or BSOD, a nod to the color of the screen when the OS falls and can't get up.
Even though Microsoft downplayed the extent of the problem - citing a "small number" of AV products causing the BSODs - it wielded an enormous hammer in response. "To help prevent stop errors ... Microsoft is only offering the Windows security updates that were released on January 3, 2018, to devices that are running antivirus software that is from partners who have confirmed that their software is compatible with the January 2018 Windows operating system security update [emphases added]."
In other words, unless the installed AV title has been updated since Jan. 4, when Microsoft, along with a host of other vendors, went public with its fixes, the Meltdown/Spectre update for Windows won't be offered to the PC.Likewise, a Windows personal computer without an updated AV program won't be served the security update.
To get January's security update - which contained other, more typical patches as well as those designed to address Meltdown and Spectre - Windows 7, Windows 8.1 and Windows 10 users must have an AV product installed and up to date.
Well, sort of.
Microsoft has told AV software developers to signal that their code is compatible with the update by writing a new key to the Windows Registry. Users can sidestep the AV demand by manually adding the key. The technique is legit: Microsoft instructed customers to add the key if they "can't install or run antivirus software."
Even as he acknowledged that the move was groundbreaking, Goettl said Microsoft had little choice, what with BSODs looming. "They have done a good job of due diligence at protecting customers from a bad experience," he said. "There wasn't an option to ignore this."
[Ironically, BSODs weren't kept at bay by the AV mandate. Buggy patches have blue-screened and crippled an unknown number of PCs equipped with AMD microprocessors; early Tuesday, Microsoft yanked the updates for "some AMD devices."]
One point of pain for this head-turning tactic is not knowing whether an AV product has been updated and will insert the new key in the Windows Registry. Microsoft, for reasons unclear to customers, has not created a list of compatible AV programs. Perhaps in lieu of such a list, it has simply steered users to its own titles, Windows Defender (installed by default in Windows 10 and Windows 8.1) and Microsoft Security Essentials (Windows 7).
Fortunately, security researcher Kevin Beaumont stepped into the breach with a spreadsheet that lists AV vendors that have complied with Microsoft's order. (Beaumont has also written a comprehensive piece on the Windows' updates and their link to AV on Medium.) While some AV products set the necessary key, others, such as Trend Micro's, do not; instead they require users to do the job themselves by diving into the Registry or, in an enterprise environment, using Active Directory and group policies to push the change out to all systems.
Just as important, however, is a detail even those who read the Microsoft support document may have overlooked. At the end of the document, Microsoft puts it in stark language: "Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key [emphasis added]."
Because Windows 7, 8.1 and 10 are now all serviced with cumulative security updates - they include not just that month's fixes but patches from past months - if a PC can't access the January update, it won't be able to access the February or March updates either. (The exception: Organizations able to deploy the security-only updates for Windows 7 and 8.1.) That situation will continue as long as Microsoft keeps the AV and registry key requirement in place.
Microsoft's not said how long that may be, preferring instead a nebulous until-we-say-so timeline. "Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates," the company's support document stated.
"It's hard to say how long this will last," admitted Goettl. "I think it will be at least a few patch cycles."
IT should immediately begin to evaluate their organization's AV situation, if necessary deploy the required key using group policies, and start testing the Windows updates, with emphasis on the expected performance degradation. Goettl argued that while general users may not notice any difference in day-to-day activities, some areas of computing - storage, high network utilization, virtualization - may.
"Corporations need to be cautious, and thoroughly test before rolling this out," he said. "[The updates make] fundamental changes to how the kernel works. Before, kernel conversations were like talking face-to-face. Now, you and the kernel are a room away from each other."