It's worth noting that Windows Update may also fail to apply the Meltdown/Spectre patch if other conditions aren't met. Some are mentioned on the KB page [1] but they don't mention another common scenario, which is that if your system firmware is not ready to accept the update, Windows Update will not apply it, and _it won't tell you_ that it's not applying it -- it will simply say 'Your device is up to date'.
I had to dig around to find a page [2] that had some useful instructions allowing me to find out what the actual status of my Windows install was. I'm grateful to the author of that page, they provided critical info that neither Microsoft nor my machine's manufacturer did. I wish I could say that it boggles my mind that they could be so hush-mouthed on the subject of a vulnerability this severe.
Of course, my OEM (Lenovo) has not released an update for my Windows laptop (Yoga 900) since 2016, and as of today their support page [3] on Meltdown/Spectre does not indicate that they plan to do so.
I'm posting this partly in anger/despair, partly in the hope that I'm wrong and that someone will pop up to comment and tell me there's a fix. There is a Linux BIOS for this machine but it's old and I don't know if it will actually address this issue.
I know I won't get any updates for the system for my 2012 Dell XPS 8500 (256 GB SSD, 16 GB RAM, i7 CPU - I don't see a need for an upgrade, it's all there).
Does that mean I'll just be left out cold? That's how I understand it.
When I run the Microsoft Powershell plugin that they made available to check the protection status (`Get-SpeculationControlSettings`) I get a "True" for 3 of 8 items (only showing those 3):
Windows OS support for branch target injection mitigation is present: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Same boat for my XPS 8700, also kept around for the same reason. 24 GB RAM, i7 4th gen. Great for development, including VM work. Unless I was regularly doing video transcoding or heavy CAD work, it's more than fast enough.
Contacted Dell support and confirmed they will not be releasing a BIOS update for the system.
First harm to me from this issue. Not sure if it means I will have to join a class action against Dell or Intel.
Might want to check again tomorrow. My Dell Desktop (Ivy Bridge/3rd Gen era) received a BIOS update today, specifically noting "Update to the latest CPU microcode to address CVE-2017-5715." It updates the ME firmware too for those recent bugs.
>It's worth noting that Windows Update may also fail to apply the Meltdown/Spectre patch if other conditions aren't met.
>... if your system firmware is not ready to accept the update, Windows Update will not apply it, and _it won't tell you_ that it's not applying it -- it will simply say 'Your device is up to date'.
The update enables mitigations for Meltdown regardless of firmware.
You need updated firmware for updated CPU microcode to mitigate Spectre.
>I had to dig around to find a page [2] that had some useful instructions allowing me to find out what the actual status of my Windows install was.
Pay specific attention to the dataflow. Registry keys have to be set in a certain order for a) the patch to download and install and b) it to actually enable.
If there is not a BIOS fix (I'm in the same boat as you), the other hope is that the OS or virtualization provider includes CPU microcode in their update to address this.
At this time, I do not believe Microsoft has included microcode in their current update. However, they do have the capability so that's something you can ask them about doing so at some point.
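A PowerShell check for the two-step dataflow described above (added here as an example; it is not from any commenter in this thread). The registry paths, the compatibility value name and the FeatureSettingsOverride bit meanings are taken from Microsoft's published Meltdown/Spectre guidance rather than from this page, so treat them as assumptions to verify against the KB articles before relying on the output.

```powershell
# Added example: report whether this machine is positioned to (a) receive the
# January 2018 update and (b) actually enable the mitigations.
# Key paths and value names follow Microsoft's published guidance (assumption).
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-eb6d-4d4f-9ba5-84ea78d9d6ba'
$mmKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Step a) the AV-compatibility gate. Without this DWORD set to 0, Windows Update
# withholds the patch and still reports "Your device is up to date".
$compat = Get-RegValue $compatKey $compatName
if ($compat -eq 0) { Write-Output 'Compat key present (0): Windows Update may offer the patch' }
else               { Write-Output 'Compat key missing or non-zero: the patch will be withheld' }

# Step b) whether installed mitigations are enabled. Per Microsoft's guidance
# (assumption): bit 0 disables the branch target injection (Spectre v2)
# mitigation, bit 1 disables kernel VA shadow (Meltdown); a bit only takes
# effect when it is also set in FeatureSettingsOverrideMask.
$override = Get-RegValue $mmKey 'FeatureSettingsOverride'
$mask     = Get-RegValue $mmKey 'FeatureSettingsOverrideMask'
if ($null -eq $override -or $null -eq $mask) {
    Write-Output 'No FeatureSettingsOverride: OS defaults apply (client on, server off)'
} else {
    $effective = $override -band $mask
    Write-Output ('BTI mitigation disabled by policy: {0}' -f (($effective -band 1) -ne 0))
    Write-Output ('KVA shadow disabled by policy:    {0}' -f (($effective -band 2) -ne 0))
}

# Step c) ask the kernel what is really in effect, if Microsoft's SpeculationControl
# module (Install-Module SpeculationControl) is available on this machine.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings | Out-String | Write-Output
} else {
    Write-Output 'SpeculationControl module not installed; skipping hardware check'
}
```

Run from an elevated prompt; the registry keys are readable without elevation, but Get-SpeculationControlSettings reports the microcode status more completely as administrator.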
My laptop spent a few days spinning the fans and consuming bandwidth, repeatedly downloading, trying and failing to install this patch. Error code was different from the KB article, but I followed instructions anyway, downloaded manually and ran it and it worked fine.
“Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key”
Another incentive to stop using questionable AV software (since this was implemented because they can't get their act together).
No, another incentive to stop using Windows. 3rd party applications should NOT be responsible for ensuring that the OS can receive critical security updates, and Microsoft should not be relying on 3rd party applications to determine whether or not their customers receive critical OS security updates (and of all things, hilariously defaulting to 'no').
From the article: "There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes."
Difficult situation for Microsoft. If you install applications which mess with the operating system in unsupported ways you can't expect your system to function correctly with automatic updates. On the other hand, users are likely not aware of what they have done and bricking millions of computers is also not good. Might for example cause a backlash when people stop updating their systems.
This sounds like a quick and dirty fix they put in place while figuring out what to do.
I'm not sure it's that difficult for Microsoft. Unless I misunderstand something, the requirement is on the antivirus systems already registered with Microsoft. They had half a year. MS could force vendors to patch their shit in a few weeks by giving them an ultimatum: in January, either you don't interfere with kernel patching, or we're showing your customers "your antivirus is stopping you from receiving the latest security patches, consider finding an alternative vendor".
They have reasons for doing it the other way, but I definitely blame them for not standing up to crap AV vendors in this and many other situations.
They could, but this isn't just a technical issue it's also a legal and political issue where several AV vendors are currently suing MS in the EU for alleged anti-trust behavior. So the lawyers compromise everybody's security.
That seems like a fairly questionable blame-shift for MS. If they don't have the guts to provide even that level of protection, yet more reason to shift away from them except for trivial things like gaming.
So if you edit the Kernel on your version of Ubuntu, then Canonical should be held responsible?
That seems like a crazy thought process. You're running software that modifies Windows' internal functionality. The vendor knows it's unsupported. How can you blame the company who just made the platform you compromised?
Might as well set your root password to "password" and open it to the public then complain that the security is bad.
In fact your kernel does become "tainted" if you install unsupported kernel drivers (the closest equivalent to what the problematic Windows AVs do). If your support comes from RH, SuSE or similar vendors it usually becomes limited, depending on the kind of taint.
That's definitely one of the reasons to do it the way they have. But it's their choice. They chose to have a technical/security problem rather than a political/legal one. Or specifically, they chose for the customers to have a problem rather than themselves.
>>> I'm not sure it's that difficult for Microsoft.
Yes it is.
AVs use various hacks and exploits to hijack calls to the kernel. How did you think they notify you of an infected file before you open the infected file? The AV intercepts kernel API calls to list and open files.
I wouldn't be surprised if the patch for meltdown/spectre breaks these techniques. Generally speaking, these techniques will crash the system if they didn't work as intended. Microsoft doesn't want AV to BSOD millions of computers so they don't update when they detect an AV. It's perfectly reasonable to me.
> Might for example cause a backlash when people stop updating their systems.
So, again, the "where do you want to go today?" company decides "never mind, this is where you are going: we're stopping updates because you might have thought about it."
The problem is that anti-virus software is not a normal application, it is a weird, very complex kind of parasite that burrows deep into the operating system. This means Microsoft must be very careful, lest the parasite unintentionally kill the host.
Symbiont. The word you're looking for is symbiont, not parasite. A symbiont lives in harmony with the host, exchanging something in exchange for the resource it consumes (in this case protection). A parasite just takes, and gives nothing back to the host.
(Of course, let's ignore the obvious joke about some AV solutions like Symantec.)
Yeah, the distinction between a symbiont and a parasite is mostly of degree, not kind, and AV software these days is increasingly being found on the blurry line between the two.
> > and of all things, hilariously defaulting to 'no'
> It does not default to "no" since the default is to run MSE / Defender.
I think that it's reasonable to read the grandparent's post as meaning "defaulting to 'no' under certain conditions on the system". It would surprise me if there weren't plenty of users out there who have legacy workflows with antiquated antivirus software still running, either because they set it up and haven't changed it or because their local tech geeks set it up and they don't know how to change it. I know that, as I've tried gradually (and unsuccessfully) to ease back into Windows after a long time away, it's been hard for me to believe in Defender as a full AV solution, and my first instinct was to run old favourites like ClamAV as an extra layer of defence.
Seems like the EU and/or the FTC would want to talk to Microsoft about Microsoft requiring Microsoft's AV to be installed before Microsoft will update the OS.
Windows isn't going anywhere, if for no other reason than because Microsoft Excel is basically electronic paper to the business world -- and there is simply no adequate substitute for it. (No, neither OpenOffice Calc nor any of the Web-based offerings -- including Microsoft's own -- count.)
Coping with Windows is a fact of life. Get used to it.
Agreed. MS should cut off shady AV software if it is interfering with Windows Update or the security of the system. If they don't, it tells us they have AV vendors higher on their priority list than end users. And that sucks.
> Microsoft should not be relying on 3rd party applications to determine whether or not their customers receive critical OS security updates (and of all things, hilariously defaulting to 'no')
The default is to use the 1st party product, Windows Defender, which defaults to 'yes'.
I'll never understand why AV is a third party software solution. I don't buy an Audi and then go to some other company and buy ABS and seat belts. This is a MS issue and should be handled in house.
Why doesn't Microsoft supply every component? Because of Anti-Trust Lawsuits. Microsoft has a monopoly position as a desktop operating system vendor. Any time they bundle software with the OS, it's grounds for a lawsuit in Europe.
Right, but MS provides AV or you can install a third party option instead. Just like you can install aftermarket brakes, suspension, ECUs or even seats and seatbelts in your Audi.
Ok but now you are talking about a different product (a PC) vs Microsoft Windows. The third party AV vendors are paying the PC manufacturer to bundle their products, they are not paying Microsoft.
In the PC case both Windows and AV are third party products.
In terms of catching viruses that are out there in the wild, ClamAV is the least good antivirus solution. But hey, open source and completely auditable!
ClamAV (ClamWin) will happily false-positive and quarantine all sorts of files on a Windows box, occasionally including required system files. I've tried it on 3 different boxes at different times over the past ~5 years and the amount of false positives was insane every time.
I don't think it's ready to be run on Windows boxes unless you are a power user willing to manually verify that ~100 files are not actually malware.
You can’t just stop using AV software I’m told. The key is checked for everyone, including people with no AV. Contrary to the sensational headlines, it is implied to be a temporary measure. It’s not really clear whether you’d have to only do this manually once, or on every subsequent update.
If you do it once, it may be that your AV isn't compatible with the patch and will cause your system to bluescreen and maybe not even turn on, so no, you really shouldn't do that.
Microsoft could at least pop up a nag screen every 15 minutes to notify the user that their AV software is crap and needs to be removed. The average user won't know that their AV is actively keeping their OS unpatched.
At initial patch release, not even all the well-known ones had the registry key setting in place... so it's not just about questionable AV software when big corps considered "safe" (debatable) didn't have "their act together" either.
Perhaps one advantage of the walled garden of Windows S. No virus checker needed if every piece of software is vetted by an online repository and everything runs in its own sandbox.
> The compatibility registry key exists for a reason.

I know. I can also see it's a messy, hacky fix. But it needs an end-of-life date.
I couldn't agree more. As I've been devising a patching plan over the past few days I couldn't help but wonder "how long will I have to do this"? My hope is that in future OS releases (say, Windows Client/Server 1803) the mitigations will be default-on for clean installations (minimally).
Nope, Windows Defender has already set the registry key, and you should be good to go. For the rest of you, there is a good public document[0] that is being regularly updated on the status of each of the AV products out there.
Wow, using a hypervisor to inject below the kernel to avoid KPP is nuts. Never knew the AVs did that. What are they going to do when Microsoft begins to use Hyper-V to enforce Credential Guard[1]?
My Windows 10 machines will not receive the update automatically for some reason. I think it is because I had Defender completely disabled via group policy since it interferes with some of my development activities surrounding Node.js.
However I was able to install the security update manually from the Microsoft Windows update catalog download site. I did this after enabling defender briefly and updating it to ensure that the registry key was written.
The real-time scanning slows down processes that access a large number of files, like code compiles in general and importing node modules in particular.
I haven't noticed Windows Defender causing significant slowdowns for processes which access lots of files except when it does a full system scan (which is not often). Even then, it's only barely noticeable.
You could still get the reboots without updates ... which is what I've been getting for a few weeks now on a cheap tablet: loads update, reboots in the night, update fails. Rinse, repeat.
(I don't care, an update took down the sound last year. For all I know the next one will make the gizmo totally malfunction ... MS don't care for that cheapo segment either, the wanton demands for disk space are astounding, and they refuse to use their own exFAT format on additional storage. Truly ready to ascend to Oracle level, they are.)
Throw Enterprise LTSB on old/low-spec hardware. That's my preferred Win10: stable, bloat-free, and it only gets the updates beta-tested by the regular users.
"Windows 10 LTSB is only available as part of Windows 10 Enterprise. And Windows 10 Enterprise is only available to an organization with a volume licensing agreement, or through a new $7 per month subscription program."
Seriously? An OS of which you need an obscure, hard-to-get version, special messing around in power tools, and still might break randomly? This role reversal happening in the last 10 years is sad, really.
Slightly OT if I may: Is there any reason to use anything else than Defender these days? Chrome+uBlock, good email security and update practices, Defender just in case, do we need more?
Defender can be seen as merely being the lesser evil.
Consider CVE-2017-0290[0], which was caused by the MsMpEng process running a custom unsandboxed JavaScript interpreter with system privileges to evaluate untrusted code for maliciousness. Remotely exploitable over many unsolicited channels. Pretty much the worst kind of exploitability. Of course other AVs have made quite similar mistakes.
[1] https://support.microsoft.com/en-us/help/4056892/windows-10-...
[2] https://www.bleepingcomputer.com/news/security/list-of-meltd...
[3] https://support.lenovo.com/us/en/solutions/len-18282