CPU bug patch saga: Antivirus tools caught with their hands in the Windows cookie jar

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
You're fondling our kernel wrong, grumbles Microsoft

Microsoft's workaround to protect Windows computers from the Intel processor security flaw dubbed Meltdown has revealed the rootkit-like nature of modern security tools.

Some anti-malware packages are incompatible with Redmond's Meltdown patch, released last week, because the tools make, according to Microsoft, “unsupported calls into Windows kernel memory,” crashing the system with a blue screen of death. In extreme cases, systems fail to boot up when antivirus packages clash with the patch.


The problem arises because the Meltdown patch involves moving the kernel into its own private virtual memory address space. Usually, operating systems such as Windows and Linux map the kernel into the top region of every user process's virtual memory space. The kernel is marked invisible to the running programs, although due to the Meltdown design oversight in Intel's modern chips, its memory can still be read by applications. This is bad because it means programs can siphon off passwords and other secrets held in protected kernel memory.

Certain antivirus products drill deep into the kernel's internals in order to keep tabs on the system and detect the presence of malware. These tools turn out to trash the computer if the kernel is moved out the way into a separate context.

In other words, Microsoft went to shift its cookies out of its jar, and caught antivirus makers with their hands stuck in the pot.

Thus, Microsoft asked anti-malware vendors to test whether or not their software is compatible with the security update, and set a specific Windows registry key to confirm all is well. Only when the key is set will the operating system allow the Meltdown workaround to be installed and activated. Therefore, if an antivirus tool does not set the key, or the user does not set the key manually for some reason, the security fix is not applied.

In fact, until this registry key is set, the user won’t be able to apply any Windows security updates – not just this month's patches, just any of them in future.
...
...
...

 
Last edited:

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
"Yup, this is a huge fiasco."

Yes ForgottenSeer 58943, Microsoft's fiasco.
There is no return, no more Windows updates for those without this Liberator registry key...

poor M$, maybe it didn't want this
 
  • Like
Reactions: AtlBo

ElectricSheep

Level 14
Verified
Top Poster
Well-known
Aug 31, 2014
655
"Yup, this is a huge fiasco."

Yes ForgottenSeer 58943, Microsoft fiasco.
There is no return, no more Windows updates for those without this Liberator registry key...

And we don't even know WHAT AV/AM's are going to be compatible... it's a lottery and it shouldn't be like that! There's many out there who can't afford to replace machines cause of it (Me included) and that sucks...:mad:
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
The one who has been defeated is named Microsoft,
The winner it's called Antivirus.
David fights against the giant - Goliath falls down dead!

O tempora o mores!

There are no winners here, Microsoft is just being cautious while many antivirus vendors are just being lazy with stupid long development cycles.

More reasons to use just Windows Defender or top antivirus solutions like ESET, Emsisoft and Kaspersky.
 
D

Deleted member 65228

Or am I misunderstanding?
Nope, you're not. It isn't Microsoft's fault. Microsoft are actually doing the decent thing and are looking out for their customers. 100% of the people hating on Microsoft for the registry fiasco are vexed because their security solution hasn't changed it, which means one or two of two things: the product is not supported yet, or the vendor is lazy.

In the case of the former, the system will be put into a constant-crashing environment if the product is not supported due to it's kernel-mode software, thus causing data corruption and leaving the system inoperable until recovery of some shape or form (could be as simple as safe mode to uninstall the product, or it could be worse depending on the failing component in the security solution package).

Microsoft made the changes they made for the better good, not worse. The problem is because of Intel and other manufacturers in which the vulnerabilities are present in THEIR products. The vulnerabilities aren't in Windows, OS X or Linux. Regardless of whether it was intentional by Intel/others (in which specific variants of vulnerabilities are present for), their product so it is their responsibility.

Forcing the update is a stupid thing to do as well. Remove the security solution in use, then update, and use another which is compatible/Windows Defender until the original is compatible.
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
Nope, you're not. It isn't Microsoft's fault. Microsoft are actually doing the decent thing and are looking out for their customers. 100% of the people hating on Microsoft for the registry fiasco are vexed because their security solution hasn't changed it, which means one or two of two things: the product is not supported yet, or the vendor is lazy.

In the case of the former, the system will be put into a constant-crashing environment if the product is not supported due to it's kernel-mode software, thus causing data corruption and leaving the system inoperable until recovery of some shape or form (could be as simple as safe mode to uninstall the product, or it could be worse depending on the failing component in the security solution package).

Microsoft made the changes they made for the better good, not worse. The problem is because of Intel and other manufacturers in which the vulnerabilities are present in THEIR products. The vulnerabilities aren't in Windows, OS X or Linux. Regardless of whether it was intentional by Intel/others (in which specific variants of vulnerabilities are present for), their product so it is their responsibility.

Forcing the update is a stupid thing to do as well. Remove the security solution in use, then update, and use another which is compatible/Windows Defender until the original is compatible.

New times have come to pass: now all over the world, Windows users with Registry key and incompatible antivirus will have unpleasant adventures: either craches or the system inoperable until recovery in safe mode, yes Opcode.... I see no rescue for older people, or those who do not know how to get out of this situation... tech services will have switch to full employement mode, and Microsoft will be declared guilty despite being innocent.
The only solution is you are describing: "Forcing the update is a stupid thing to do as well. Remove the security solution in use, then update, and use another which is compatible/Windows Defender until the original is compatible."
Microsoft should warn incompatible users (popup, nag screen after each boot...) to exchange their antivirus, because they are in a dangerous situation without their Registry key....
 
Last edited:

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
I think it's a microsoft is in a pretty tough situation here seeing that it's not really their fault that there is an exploit and that the AVs we use are not compatible with the update but they are making the most out of the situation.

I think as a user we also have the responsibility to see if the AV we are using is compatible with the update or not and choose either to stick with the AV in hopes that they will fix the way they work soon and hold out on the update or switch to a more compatible AV to receive the update.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
New times have come to pass: now all over the world, Windows users with Registry key and incompatible antivirus will have unpleasant adventures: either craches or the system inoperable until recovery in safe mode, yes Opcode.... I see no rescue for older people, or those who do not know how to get out of this situation... tech services will have switch to full employement mode, and Microsoft will be declared guilty despite being innocent.
The only solution is you are describing: "Forcing the update is a stupid thing to do as well. Remove the security solution in use, then update, and use another which is compatible/Windows Defender until the original is compatible."
Microsoft should warn incompatible users (popup, nag screen after each boot...) to exchange their antivirus, because they are in a dangerous situation without their Registry key....
In a way, users are being warned by not receiving updates. And if they do receive the update it means they know what they are doing. Either waiting for their current AV to be compatible or changing to one that is.
 

oneeye

Level 4
Verified
Jul 14, 2014
174
This is all the result of hardware chip flaws, it vulnerability. Software companies were forced to come to the rescue. Because.....the first advice
US CERT gave out, was to replace ALL chips! An obvious idiot pushed that one out. So, they quickly changed their advice. That said, this was first disclosed back in June or July of last year. It took months if coordinated work amongst all the major software vendors, browsers developers, etc., to finally come out with patches at nearly the same time. Pretty amazing if you stop to think about it.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top