Microsoft require your antivirus provider to certify compatibility for future Windows updates
Microsoft said it is blocking security updates to Windows PCs for Spectre and Meltdown CPU flaws due to compatibility issue with some versions of Antivirus software. This security path was “only being made applicable to the machines where the Antivirus ISV has updated the ALLOW REGKEY,” the tech giant said. The future security updates will be released to Windows PCs only when a specific registry setting is changed, it revealed.
Microsoft said in a support page: “After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”
As a result, Microsoft placed the rollout of Windows Meltdown and Spectre Patches for AMD Devices on hold. “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key,” it added.
According to Microsoft, the compatibility issue has arisen as some antivirus applications are making unsupported calls into Windows kernel memory. Therefore, the solution provided by Intel and Microsoft was to obstruct the kernel in its own isolated virtual memory address space, which will not allow the antivirus software that depends upon using deep links into the kernel to freely access it the way it used to do previously.
However, this may lead to stop errors (also known as blue screen errors) and, in some cases, even a total failure of the device to boot up. Hence, Microsoft said it has set the update to apply only when the registry key has been changed.
To help prevent stop errors that are caused by incompatible antivirus applications, Microsoft is only offering the Windows security updates that were released on January 3, 2018, to devices that are running antivirus software that is from partners who have confirmed that their software is compatible with the January 2018 Windows operating system security update.
Microsoft is also working closely with antivirus software partners to ensure that all customers receive the January Windows security updates as soon as possible.
Some antivirus vendors such as Avast, Avira, AVG, ESET, F-Secure, BitDefender, Kaspersky, Sophos, Malwarebytes, and Symantec are not only compatible with the patches but have also changed the registry key as per Microsoft’s guidelines.
If your system has not been offered the security update, then it may be running incompatible antivirus software, and you should check with the software vendor.
Microsoft is suggesting all its customers to run a compatible and supported antivirus program in order to protect their devices. Customers can take advantage of built-in antivirus protection, Windows Defender Antivirus, for Windows 8.1 and Windows 10 devices or a compatible third-party antivirus application.
Further, some antivirus software who do not have the ability to change Windows registry keys, may require some time to add those abilities to the software. Others who can’t install or run antivirus software, Microsoft recommends them to manually (which could be dangerous) set the registry key.
In order to receive the January 2018 security updates, the antivirus software must set a registry key to the startup sequence as described below, in order to certify that their software works with Microsoft’s patches.
You can check security researcher Kevin Beaumont’s list to see if your antivirus is compatible with the patches and if the antivirus vendors have changed the registry key.