Microsoft patches Windows to cool off Intel's Meltdown – wait, antivirus? Slow your roll
Check your anti-malware tool unless you like BSoDs
Microsoft has released updates for Windows to block attempts by hackers and malware to exploit the Meltdown vulnerability in Intel x86-64 processors – but you will want to check your antivirus software before applying the fixes.
The Redmond giant issued the out-of-band update late yesterday for Windows 10 version 1709.
While the documentation for the fix does not name Chipzilla's CPU-level vulnerability specifically, a Microsoft spokesman told El Reg it will hopefully protect Windows users from Meltdown exploits, and more patches are in the works. Meltdown is a design flaw in Intel's processors going back at least 2011 that allows normal user programs to read passwords, keys and other secrets from the operating system's protected kernel memory area. To prevent this from happening, the kernel has to be moved into a separate virtual address space from user processes.
The software giant is also deploying updates to its Azure cloud service to protect customers from attack. AMD processors are not affected by Meltdown.
Before rushing to install the patch, however, users and admins should note one important issue: the fix may not yet be compatible with your antivirus software.
Microsoft noted that, unless a registry key is updated by the antivirus package, installing the security patch can result in a blue screen of death (BSoD). For that reason, Microsoft said it has set the update to only apply when the registry key has been changed. In other words, antivirus tools must set the key when they are confirmed to be compatible with the operating system update. The patch introduces a significant change to the design of Windows' internal memory management, and this is probably tripping up anti-malware tools, which dig into and rely on low levels of the system.
Some AV vendors have already issued updates to change the key, and allow the fix to be applied without causing any cockups, while others have an update in the works to be released this week or early next week. The malware hunters expected the Windows patches to be released next week, and were caught out when Microsoft brought its patches forward after Meltdown exploit code emerged on the web.
Vendors reported to have updates are Symantec, F-Secure, Avast, and Microsoft's own Windows Defender platform. Check that link for a table of supported and not supported products – obviously, if there is no support, don't flip the key.
Users and admins who are comfortable editing Registry keys themselves can manually perform the task by setting the following:
Key="HKEY_LOCAL_MACHINE"Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD” Data="0x00000000”
Also, people installing the Windows Server patches should ensure they are enabled, too. They are disabled by default due to the potential performance hit involved. Casual desktop users and gamers shouldn't notice any difference, although servers running non-CPU-bound intensive workloads – such as anything that hammers disk storage, the network or just makes a lot of system calls – will suffer to some degree with the Meltdown patch applied. Your mileage may vary.
Elsewhere, Red Hat said it has also kicked out a patch for all three of the CVE listings (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) associated with the Spectre and Meltdown bugs. The vendor notes that the patch applies to versions of the kernel in releases as far back as RHEL 5. Red Hat's OpenStack and Virtualization releases will also get the fix. Check with your favorite Linux distro for similar updates. Apple quietly patched the Meltdown bug in macOS, and in iOS on its iThings, in December. ®
Sponsored: Becoming a Pragmatic Security Leader