Microsoft has updated its support notice to say that Windows computers will not receive any security updates at all until their AV software is certified compatible with the Spectre and Meltdown patches.
Windows PCs running anti-virus software that is incompatible with the recent Meltdown and Spectre patches will no longer receive any security updates, Microsoft has warned.
Spectre and Meltdown are design flaws in modern processors that could allow attackers to bypass system protections on a wide range of devices and read sensitive information, such as passwords, from memory.
Microsoft has rolled out a series of patches for the flaws since January 3rd, but last week said these patches would not be pushed to computers running incompatible third-party AV.
Now Microsoft has updated its support notice to say that Windows computers will not receive any security updates at all until their AV software is certified compatible with the Spectre and Meltdown patches. Windows systems will not be certified as compatible until the AV vendor sets a specific key in the Windows registry.
"Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key," says Microsoft.
Security researcher Kevin Beaumont has put together a list of antivirus products that are compatible with Microsoft's Spectre and Meltdown updates, and which have set the Windows registry key.
Compatible anti-virus products include those from Avast, AVG, Avira, Bitdefender, ESET, F-Secure, Kaspersky, Malwarebytes, Sophos, and Symantec. Systems running McAfee, Trend Micro, and Webroot software are also expected to be eligible to receive the updates soon.
Various other security providers, including Cylance, FireEye and Palo Alto Networks, have not yet set the registry key, but claim their products are compatible.
Beaumont says that companies whose AV products are designed to be used alongside other security software say they are loath to set the key, in case other software on the system clashes with the fix.
System admins can set the registry key manually; however, Microsoft warns that doing so may cause serious problems that "require you to reinstall your operating system". To manually update the registry, follow this guide.