Patch Tuesday drops the mandatory antivirus requirement after all

amalthya / Flickr

In the immediate aftermath of the Spectre and Meltdown attacks, Microsoft created an unusual stipulation for Windows patches: systems would only receive the fixes if they had antivirus software installed and if that antivirus software created a special entry in the registry to indicate that it's compatible with the Windows fixes.

This was due to the particularly invasive nature of the Meltdown fix: Microsoft found that certain antivirus products manipulated Windows' kernel memory in unsupported ways that would crash systems with the Meltdown fix applied. The registry entry was a way for antivirus software to positively affirm that it was compatible with the Meltdown fix; if that entry was absent, Windows assumed that incompatible antivirus software was installed and hence did not apply the security fix.

This put systems without any antivirus software at all in a strange position: they too lack the registry entries, so they'd be passed over for fixes, even though they don't, in fact, have any incompatible antivirus software.

With the patches released today, Microsoft has reverted that policy, at least on Windows 10; the telemetry data collected by Windows indicates that incompatible antivirus software is sufficiently rare as to be a non-issue, so there's no point in blocking anything.

Windows 10 includes a compatible antivirus application as a built-in part of Windows, so there's little excuse to ever be using an incompatible product or no antivirus protection at all. Windows 8.1 likewise includes compatible protection as part of the operating system. Windows 7—which apparently still includes the restriction—is the big sticking point, as it has no built-in antivirus protection of its own, meaning that users must install something to receive fixes.

Microsoft has also updated the microcode package that contains processor-level updates for Intel and AMD processors to help mitigate some of the Spectre attacks. This microcode package must still be downloaded and installed manually, and it isn't (yet) being distributed by Windows Update. But the package provides an important alternative for those who lack a motherboard firmware containing the new microcode.

The actual patches today include one fix in particular that looks important. A cryptographic flaw has been found in CredSSP (Credential Security Support Provider), Microsoft's protocol that provides authentication for both remote desktop (RDP) connections and Windows Remote Management (WinRM) connections. With this flaw, a man-in-the-middle can steal authentication data and use it to execute commands remotely. While it's not generally recommended, people often use RDP connections across insecure links to provide secure access to remote systems. This isn't the first flaw to render that practice ill-advised, but it still happens regardless.

Today's patch addresses the cryptographic issue but is complicated because both clients and servers need to update, and to be secure, servers need to reject authentication attempts from out-of-date clients. Accordingly, there are configuration options to control whether or not a server will let an out-of-date client connect, and administrators will likely want to double-check the settings themselves before deploying.

Original Article

Leave a Reply