Microsoft is having a different type of Patch Tuesday, instead of simply pushing out security updates the company is dealing with several new issues surrounding the patches it released last week to mitigate issues surrounding the Spectre/Meltdown vulnerabilities found in Intel's processors.
The latest problems include a direct conflict between the patches and some AMD processors that has proven severe enough for Microsoft to halt the update roll out along with the company's statement that it will not roll out the Spectre/Meltdown patches to computers running incompatible antivirus software. In these cases Microsoft is requiring the end user to either change the A/V software, wait for the cybersecurity company to update its product or even edit registry settings on their own, a task beyond the ability of most people.
Microsoft announced today that some AMD chipsets are having trouble accepting the updates putting the computers into an unbootable state, or Blue Screen of Death, so it has temporarily halted the roll out until a resolution can be found. This can take place even if the system running on the AMD processor have the proper A/V software, Microsoft said.
“After investigating, Microsoft determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,” Microsoft support wrote, adding it is working with AMD on a solution.
Microsoft patches have resulted in creating a Blue Screen of Death in the past, Jerome Segura, Malwarebytes lead malware intelligence analyst, told SC Media, but in this case end users are being confronted with a series of confusing issues when they try to patch the processor vulnerabilities.
“Microsoft's patches have always been the subject of heated discussions, and there were a few memorable BSOD crashes in the past that have left many feeling uneasy. At the moment, a lot of attention is centered around performance impacts after applying the Meltdown fix. Unfortunately, for most people this is making it more difficult to gauge what to do when receive conflicting messages,” he said.
The potentially even more severe problem is Microsoft's latest requirement that computers run compatible A/V software in order to receive security updates. Although a great many varieties are already, or soon will become compatible, there are those who could find themselves with a computer that cannot be updated.
Independent cybersecurity researcher Kevin Beaumont has put together and made public a list of products noting whether or not they comply with Microsoft.
I've made "CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch compatibility" spreadsheet - until vendors add support you remain vulnerable. https://t.co/3rdVUJKS0k
— Kevin Beaumont (@GossiTheDog) January 4, 2018
<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
For some people their problem will center around Microsoft's new requirement that all A/V product have a specific registry key set. Without this key new updates will not be pushed to a computer and while most companies either have already or are in the process of placing the key in their products there are some people that could be caught out in the cold. These individuals may find it necessary to play IT professional and set it themselves a task that the average, or even skilled, person may not be able to accomplish.
“We cannot expect people to manually edit registry settings on their own, but Microsoft had to weigh the pros and cons looking at its telemetry data, and most likely decided that the requirement was worth the risk. The most people likely to be affected are those running Windows 7 since it does not have an antivirus installed by default, therefore missing the needed switch that allows updates to come through,” Segura said.
In addition to Microsoft, a long list of affected companies have released patches to fix Spectre/Meltdown. This includes Apple, Amazon and Linux.
