Microsoft’s Response to Meltdown and Spectre

While the media and InfoSec community waits with bated breath for Intel and AMD’s response to the critical flaws found in generations of processors, Microsoft has been wasting little time in trying to shore up the problem with patches of their own. In their haste, it appears certain issues have arisen. In an announcement earlier today, January 9, announced that they would be pausing the roll out patches for devices featuring AMD processors. In another announcement made by Microsoft is was stated that they would not be rolling out any more security updates unless Antivirus offerings set a registry key.

The makers of the world’s most prevalent OS announced its decision today in light of numerous AMD users reporting a Blue Screen of Death (BSOD) and other types of errors that in some cases prevented computers from booting. On a support page Microsoft announced “After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,”

microsoft's response to meltdown and spectre

In order to prevent any adverse results to AMD user’s as a result of installing the patches, Microsoft will no longer be rolling out the following patches:

  • January 3, 2018—KB4056897 (Security-only update)
  • January 9, 2018—KB4056894 (Monthly Rollup)
  • January 3, 2018—KB4056888 (OS Build 10586.1356)
  • January 3, 2018—KB4056892 (OS Build 16299.192)
  • January 3, 2018—KB4056891 (OS Build 15063.850)
  • January 3, 2018—KB4056890 (OS Build 14393.2007)
  • January 3, 2018—KB4056898 (Security-only update)
  • January 3, 2018—KB4056893 (OS Build 10240.17735)
  • January 9, 2018—KB4056895 (Monthly Rollup)

Both Windows server and desktop versions will be affected by Microsoft’s decision. The latest decision is just another issue the tech giant has had to deal with in the wake of the Spectre and Meltdown flaw revelations that are said to affect processors dating as far back as 1995.

The Antivirus Registry Key Issue

In the second announcement added to the support page, it was announced that researchers and developers had discovered major incompatibilities between antivirus (AV) products and the recent Windows Meltdown and Spectre patches. Central to the announcement was the company stating that users will not receive the January 2018 Patch Tuesday security updates, or any subsequent Patch Tuesday security updates, unless the antivirus program they are using becomes compatible with the Windows Meltdown and Spectre patches. In order to become compatible, the antivirus creators need to first update their product. Then, secondly, adding a special registry key to the Windows Registry.

The presence of the registry key allows the Windows OS installed with a compatible AV to install the relevant patches concerning the Meltdown and Spectre patches that address critical flaws in the design of modern CPUs. According to Microsoft’s Policy, this registry key has now become a permanent check of the Windows Update process and will prevent all further updates, not just the Meltdown and Spectre patches. This shift to include a registry key was done because developers at Microsoft found that some AV products caused Windows computers to enter a Blue Screen of Death (BSOD) error state that prevented subsequent boot-ups.
As to why this happens security researcher Kevin Beaumont explained:

There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes. To be honest, some of the techniques are similar to ones used by rootkits — Kernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact. Because some anti-virus vendors are using very questionable techniques they end up cause systems to ‘blue screen of death’ — aka get into reboot loops.

So far the handling of the Spectre and Meltdown vulnerabilities has left much to be desired and can be regarded as a mess. While Microsoft scrambled to mitigate the potential disaster the fixes instituted are producing a similar impact on how antivirus software now interacts with the Windows OS. On the bright side, the vast majority of AV vendors have updated their products to support the Meltdown and Spectre patches, but some vendors require users to set up the registry key by hand. If you are required to enter the registry key by hand that key is:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD”

While the incorporation of the registry key has solved a potential crisis, it is feared that it may cause more problems down the line. A potential pitfall may rest in a certain user’s not noticing their computer is no longer downloading and installing further security updates and patches. The leaves the user’s computer vulnerable to attack in future.

Apple Releases Patches to Mitigate Meltdown and Spectre

Yesterday the company behind MacOS released security updates to mitigate the effects of the Spectre vulnerability that affects processors deployed with Apple devices such as smartphones, tablets, and desktop computers. Apple released MacOS High Sierra 10.13.2, iOS 11.2.2, and Safari 11.0.2, all which include mitigations for Spectre. As to the Meltdown flaw, the company previously patched the flaw in December with the release of iOS 11.2, MacOS 10.13.2, and tvOS 11.2.

Many are asking what the fuss is but both Meltdown and Spectre have led to major companies rushing to mitigate the effects of the flaws. Both allow attackers to retrieve data from a device's processor memory, both from the secure area of the kernel, but also from other apps running on the PC. The announcement of the flaws was set for January 9, however, the serious nature of the flaws which could affect billions of devices worldwide prompted Google to disclose the existence of these CPU flaws last week. This, in turn, prompted Apple and Microsoft to release patches in the days that followed. Apple released a press statement shortly after Google that stated it secretly patched Meltdown and promised to release security updates to mitigate Spectre this week.

While many of the world’s biggest tech companies race to release patches, Intel at the time of writing has yet to make an official statement.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal