Microsoft patches Windows to cool off Intel's Meltdown – wait, antivirus? Slow your roll

Check your anti-malware tool unless you like BSoDs


Microsoft has released updates for Windows to block attempts by hackers and malware to exploit the Meltdown vulnerability in Intel x86-64 processors – but you will want to check your antivirus software before applying the fixes.

The Redmond giant issued the out-of-band update late yesterday for Windows 10 version 1709.

While the documentation for the fix does not name Chipzilla's CPU-level vulnerability specifically, a Microsoft spokesman told El Reg it will hopefully protect Windows users from Meltdown exploits, and more patches are in the works. Meltdown is a design flaw in Intel's processors going back to at least 2011 that allows normal user programs to read passwords, keys and other secrets from the operating system's protected kernel memory area. To prevent this from happening, the kernel has to be moved into a separate virtual address space from user processes.

The software giant is also deploying updates to its Azure cloud service to protect customers from attack. AMD processors are not affected by Meltdown.

Before rushing to install the patch, however, users and admins should note one important issue: the fix may not yet be compatible with your antivirus software.

Microsoft noted that, unless a registry key is updated by the antivirus package, installing the security patch can result in a blue screen of death (BSoD). For that reason, Microsoft said it has set the update to only apply when the registry key has been changed. In other words, antivirus tools must set the key when they are confirmed to be compatible with the operating system update. The patch introduces a significant change to the design of Windows' internal memory management, and this is probably tripping up anti-malware tools, which dig into and rely on low levels of the system.

Some AV vendors have already issued updates to change the key, and allow the fix to be applied without causing any cockups, while others have an update in the works to be released this week or early next week. The malware hunters expected the Windows patches to be released next week, and were caught out when Microsoft brought its patches forward after Meltdown exploit code emerged on the web.

Vendors reported to have updates are Symantec, F-Secure, Avast, and Microsoft's own Windows Defender platform. Check that link for a table of supported and not supported products – obviously, if there is no support, don't flip the key.

Users and admins who are comfortable editing registry keys themselves can manually perform the task by setting the following:

Key="HKEY_LOCAL_MACHINE"
Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type="REG_DWORD"
Data="0x00000000"
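The check-before-you-flip workflow described above, as an added PowerShell example that is not part of the original article or of Microsoft's guidance: it lists the registered antivirus products so the admin can compare them against the vendor compatibility table, reports whether the QualityCompat value is already present with the expected type and data, and only writes the value when explicitly asked to. The key path and value name are the ones quoted in the article; the `-SetFlag` switch, the function names and the use of the `root\SecurityCenter2` WMI namespace (which exists on client Windows, not on Windows Server) are this example's own assumptions.

```powershell
# Added example: inspect, and optionally set, the QualityCompat value that
# gates installation of the Meltdown fix. Run from an elevated PowerShell.
[CmdletBinding()]
param(
    # Only write the value when this switch is given; default is report-only.
    [switch]$SetFlag
)

# Registry location and value name exactly as quoted by Microsoft/the article.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-IsElevated {
    # Writing under HKLM requires an administrator token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RegisteredAntivirus {
    # Client Windows registers AV products in the SecurityCenter2 namespace
    # (assumption: namespace absent on Windows Server, hence the try/catch).
    try {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object -ExpandProperty displayName
    } catch {
        Write-Warning "SecurityCenter2 not available here; check your AV vendor manually."
        @()
    }
}

function Test-QualityCompatFlag {
    # True only when the value exists, is REG_DWORD and holds 0x00000000.
    if (-not (Test-Path -Path $RegPath)) { return $false }
    $key = Get-Item -Path $RegPath
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    return ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 0)
}

function Set-QualityCompatFlag {
    # Creates the key if needed and writes the REG_DWORD 0 value.
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Host "Registered antivirus products (compare against the vendor table before flipping the key):"
Get-RegisteredAntivirus | ForEach-Object { Write-Host "  - $_" }

if (Test-QualityCompatFlag) {
    Write-Host "QualityCompat value already set correctly; the update is allowed to install."
} elseif ($SetFlag) {
    if (-not (Test-IsElevated)) { throw "Run this from an elevated PowerShell to write under HKLM." }
    Set-QualityCompatFlag
    Write-Host "QualityCompat value written. Re-check: $(Test-QualityCompatFlag)"
} else {
    Write-Host "QualityCompat value not set. Re-run with -SetFlag only if your AV vendor confirms compatibility."
}
```

Without `-SetFlag` the script is read-only, which is the mode to use across a fleet first: a machine whose AV vendor has already shipped its compatibility update will report the value as set, and any machine still reporting it unset with an unsupported product is one where the patch should be held back rather than forced.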

People installing the Windows Server patches should also ensure they are enabled: they are disabled by default due to the potential performance hit involved. Casual desktop users and gamers shouldn't notice any difference, although servers running intensive workloads that are not CPU-bound – such as anything that hammers disk storage, the network, or just makes a lot of system calls – will suffer to some degree with the Meltdown patch applied. Your mileage may vary.

Elsewhere, Red Hat said it has also kicked out a patch for all three of the CVE listings (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) associated with the Spectre and Meltdown bugs. The vendor notes that the patch applies to versions of the kernel in releases as far back as RHEL 5. Red Hat's OpenStack and Virtualization releases will also get the fix. Check with your favorite Linux distro for similar updates. Apple quietly patched the Meltdown bug in macOS, and in iOS on its iThings, in December. ®
