The question of how fast to apply Microsoft’s January 3 patches for the Meltdown/Spectre processor vulnerability — and ones that may be issued today with the Patch Tuesday bundle — comes down to a number of factors, but perhaps the biggest is whether an organization’s anti-virus software will allow it.
We’ve already written that Microsoft warned AV makers its fixes may clash with their software. But according to a blog by infosec researcher and editor Kevin Beaumont, Microsoft has made it clear that unless AV providers certify their products as compatible with its updates and set a registry key, NO Windows security fixes from now on can be installed. That key, which the AV product is expected to set every time it starts up, certifies that the software is working with the CPU fixes.
The problem is some vendors are asking administrators to set the key rather than have their software do it automatically.
This impacts Windows Update, Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), he writes.
Beaumont has compiled a spreadsheet of vendors that, as of Monday, Jan. 8, have or have not yet complied. Some require administrators to manually change the registry key, while others say their fix is coming.
For example, in a Jan. 5 advisory Cisco Systems says that the Microsoft patch has been tested and verified for compatibility for certain versions of its AMP for Endpoints Windows Connectors running on the public AMP Cloud. However, “customers will need to manually set the required compatibility registry key detailed in Microsoft KB4056892 after verifying all third-party endpoint security software installed on the endpoint is compatible.” Only then will the Microsoft security updates install.
Beaumont reminds CISOs that there are AV vendors and there are so-called next-generation endpoint solution providers who sometimes pitch themselves as supplements to anti-virus, but recently have been marketing themselves as AV replacements. Some of these vendors may require manual setting of a registry key to get Microsoft security updates from now on.
Beaumont’s list of vendors whose products have not been certified, or that do not set the registry key automatically, keeps changing. The message is that administrators have to check with their AV-related security suppliers to ensure future Microsoft security patches will be installed.
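One way for an administrator to run that check on a fleet is to report, per machine, which AV product is registered and whether the compatibility key is present. This is an added example, not code from the article, Microsoft or any AV vendor; the key path and value name are placeholders to be taken from Microsoft KB4056892, and the AntiVirusProduct lookup assumes a client Windows SKU (servers lack the SecurityCenter2 namespace).

```powershell
# Added example: readiness check for the January 2018 Windows security updates.
# PLACEHOLDERS: copy the real key path and value name from Microsoft KB4056892.
$CompatKeyPath = 'HKLM:\SOFTWARE\<key-path-from-KB4056892>'
$CompatValue   = '<value-name-from-KB4056892>'

function Get-InstalledAntiVirus {
    # Windows Security Center lists registered AV products on client SKUs only.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop |
            Select-Object -ExpandProperty displayName
    } catch {
        'unknown (no SecurityCenter2 namespace, e.g. Windows Server)'
    }
}

function Test-AvCompatKey {
    param([string]$Path = $CompatKeyPath, [string]$Name = $CompatValue)
    $present = $false
    $data    = $null
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $Name)) {
            $present = $true
            $data    = $item.$Name   # compare against the data KB4056892 specifies
        }
    }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        AntiVirus      = (Get-InstalledAntiVirus) -join '; '
        CompatKeySet   = $present
        CompatKeyValue = $data
        # Until a certified AV product (or the admin, after verifying every
        # endpoint security product is compatible) sets the key, updates are withheld.
        Verdict        = if ($present) { 'eligible for January 2018 updates' }
                         else          { 'updates will be withheld' }
    }
}

Test-AvCompatKey | Format-List
```

Run it through Invoke-Command against your WSUS or SCCM client population to find machines that will silently miss the patches; it only reads the registry and does not set the key.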
According to Beaumont’s list, as of the time of writing this story, providers whose products automatically apply the registry change include Avast, AVG, Avira, EMSI, Eset, F-Secure, Kaspersky, Malwarebytes, Sophos and Symantec.
UPDATE: This morning Microsoft temporarily pulled nine Windows security updates for devices with certain AMD processors after getting reports of some devices with CPUs from the manufacturer becoming unbootable after installing the fixes, even if they have compatible AV software. “Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft” for the mitigations, the company said.
To prevent AMD customers from getting into an unbootable state, Microsoft has temporarily paused sending the following Windows operating system updates to devices that have impacted AMD processors:
January 9, 2018—KB4056894 (Monthly Rollup)
January 3, 2018—KB4056888 (OS Build 10586.1356)
January 3, 2018—KB4056892 (OS Build 16299.192)
January 3, 2018—KB4056891 (OS Build 15063.850)
January 3, 2018—KB4056890 (OS Build 14393.2007)
January 3, 2018—KB4056898 (Security-only update)
January 3, 2018—KB4056893 (OS Build 10240.17735)
January 9, 2018—KB4056895 (Monthly Rollup)
Microsoft said it is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices.