To do so, antivirus programs must update their software and add a special key to the registry. Once compatible, Windows will download the Meltdown and Spectre patches and any others available. “Microsoft added this requirement to ensure customers can successfully install the January 2018 security updates,” explains a support page. “Microsoft will continue to enforce this requirement until there is high confidence that the majority of customers will not encounter device crashes after installing the security updates.”
Questionable Anti-Virus Tactics
For the unfamiliar, the Meltdown and Spectre vulnerabilities have arisen due to a flaw in CPUs. When a command is sent to perform any task, the CPU passes control to the kernel, which stays below the surface in processes even once the CPU takes back control. This is to ensure smoother and faster performance, but it also means systems are potentially at risk. By using JavaScript in the browser, attackers can read memory on a user’s machine, potentially accessing keystrokes, passwords, and more.
The issue with antivirus products comes from techniques security researcher Kevin Beaumont describes as “very questionable”. Some vendors are bypassing Kernel Patch Protection through the use of a hypervisor, which is used to intercept system calls and guess memory locations. Because Microsoft’s latest patch changes those memory locations, some users are unable to start their PC.
So far, most major scanners have set the registry key, but there are still quite a few exceptions. The most notable are McAfee’s Endpoint Protection, as well as Panda and FireEye. All three are working on supporting it soon. However, some users can install the registry key manually, rather than waiting for their vendor. Microsoft has instructions here, but notes that incorrect usage could cause serious problems.