Microsoft Disables Windows Updates on Systems Without Spectre/Meltdown-Compliant AV Software
In yet another example of how adding Anti-Virus (AV) software to a computer can make it less secure, Microsoft has halted delivery of the January 2018 security updates, including the patches for the Spectre and Meltdown vulnerabilities, to any computer whose AV software has not been updated and certified compatible by its vendor.
Starting with the 64-bit editions of Windows XP and Windows Server 2003 SP1, Microsoft introduced a security feature called Kernel Patch Protection (KPP, also known as PatchGuard) to prevent malicious modification of the kernel by malware such as rootkits. Rather than rewrite their products to use only supported interfaces, many AV vendors employ techniques that bypass KPP to hook syscalls, and those hooks rely on assumptions about where kernel code and data live in memory. Microsoft describes this as AV applications making "unsupported calls into Windows kernel memory." The Meltdown mitigation (kernel virtual address shadowing, which separates the kernel and user address spaces) changes exactly that layout, so the assumptions no longer hold.
The effects of the AV industry's KPP bypassing techniques are already being seen: Microsoft reports stop errors (blue screens) on computers running incompatible AV after the January 2018 patches are applied. Separately, some computers with older AMD processors became unbootable or stuck in an endless boot loop after the same updates; Microsoft attributes that problem to AMD chipset behaviour that did not match the documentation AMD had provided, not to AV software. In response, Microsoft has paused the patches for affected AMD systems and is withholding them from machines with incompatible AV until the patches can be further QA'd or the AV software stops employing KPP bypassing techniques.
To certify that their software has been updated and is compatible with the new patches, Microsoft requires each AV vendor to set a specific registry value on the endpoint. Windows Update will not offer the January 2018 updates to a machine until that value is present.
Microsoft writes in a support article: “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key”
Making matters worse, the halt affects not only standard Windows Update but also WSUS- and SCCM-managed endpoints. Endpoints that are not eligible for the new updates appear as "Not applicable/Not Required" to the management platform, giving a false sense of security that the endpoints are fully updated. The January 2018 updates include not only the Spectre and Meltdown patches but also other critical fixes, such as an elevation of privilege bug in SMB (CVE-2018-0749).
Even when an AV vendor has certified its product as compatible with Microsoft, some vendors still caution against installing the updates, as is the case with Symantec:
Companies like Palo Alto Networks and Cylance, which brand themselves as "Next-Generation AV", are not going to set the registry key (WONTFIX) and instead require organizations to set the key manually if they wish to continue receiving Windows Updates:
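For organizations left to set the key themselves, the following PowerShell is an added example (not code from the original article, Microsoft, or any AV vendor) that audits an endpoint for the compatibility flag, lists the AV products registered with Windows Security Center, and sets the flag only on explicit confirmation. The registry path, value name, type and data are the ones Microsoft published in KB4072699; the function names are this example's own. Setting the flag on a host whose AV makes unsupported kernel calls invites the stop errors described above, so treat the set operation as a deliberate, per-host decision, not a fleet-wide default.

```powershell
# Added example, not from the original article. Audits and (on request) sets the
# compatibility flag Microsoft requires before offering the January 2018 updates.
# Key path, value name, type and data come from Microsoft KB4072699.

$QualityCompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatValue = 'cadca5fe-e1e0-4f2b-a3f5-ad2c3e3d43e3'   # REG_DWORD, data 0x00000000

function Test-QualityCompatFlag {
    # Returns $true only when the value exists under the key and its data is 0.
    if (-not (Test-Path -Path $QualityCompatKey)) { return $false }
    $item = Get-ItemProperty -Path $QualityCompatKey -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$QualityCompatValue) { return $false }
    return ([int]$item.$QualityCompatValue -eq 0)
}

function Get-RegisteredAntivirus {
    # Client SKUs expose registered AV products through the Security Center WMI
    # namespace. Server SKUs do not have it, so failure is reported, not fatal.
    try {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object -Property displayName, productState
    } catch {
        Write-Warning "root\SecurityCenter2 is not available on this host (Server SKU or WMI error): $_"
        @()
    }
}

function Set-QualityCompatFlag {
    # Only run this after confirming with the AV vendor that the installed build
    # is compatible, or on a machine with no third-party AV at all. ConfirmImpact
    # is High so the caller must answer a prompt unless -Confirm:$false is passed.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $QualityCompatKey\$QualityCompatValue = 0")) {
        if (-not (Test-Path -Path $QualityCompatKey)) {
            New-Item -Path $QualityCompatKey -Force | Out-Null
        }
        New-ItemProperty -Path $QualityCompatKey -Name $QualityCompatValue `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Usage: audit first; set the flag only as a deliberate per-host decision.
$flagSet = Test-QualityCompatFlag
Write-Host ("QualityCompat flag present and zero: {0}" -f $flagSet)
Get-RegisteredAntivirus | Format-Table -AutoSize
if (-not $flagSet) {
    Write-Host "The January 2018 updates will not be offered to this host until the flag is set."
    # Set-QualityCompatFlag -Confirm    # uncomment after verifying AV compatibility
}
```

Because WSUS and SCCM report such hosts as "Not applicable", running the audit half of this script across the fleet (for example via a startup script or a remoting job) is the only way to see which endpoints are silently not receiving the updates.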
It is clear that the Spectre and Meltdown vulnerabilities and their patches will change how the kernel lays out memory and how third-party kernel-mode software may interact with it, and careful planning will be required to ensure machines continue functioning properly after patching. Google Project Zero privately reported Spectre and Meltdown to the affected vendors in June 2017, yet even that lead time was not enough for vendors to make the updates needed to adequately mitigate or eliminate the vulnerabilities.
Microsoft puts it bluntly: a computer whose AV software is outdated, no longer supported, non-compliant, end of life, or running on an invalid license "will not be protected from security vulnerabilities."
According to the following corporate blog, the Zscaler Cloud is believed not to be affected by the Meltdown and Spectre vulnerabilities: https://www.zscaler.com/blogs/corporate/meltdown-and-spectre-vulnerabilities-protecting-zscaler-cloud
Tracker for AV software that is compliant and sets the Registry key: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/edit#gid=0