Microsoft disables Windows Update when Meltdown/Spectre registry key isn't set (doublepulsar.com)
188 points by graystevens on Jan 9, 2018 | 101 comments

It's worth noting that Windows Update may also fail to apply the Meltdown/Spectre patch if other conditions aren't met. Some are mentioned on the KB page [1] but they don't mention another common scenario, which is that if your system firmware is not ready to accept the update, Windows Update will not apply it, and _it won't tell you_ that it's not applying it -- it will simply say 'Your device is up to date'.

I had to dig around to find a page [2] that had some useful instructions allowing me to find out what the actual status of my Windows install was. I'm grateful to the author of that page, they provided critical info that neither Microsoft nor my machine's manufacturer did. I wish I could say that it boggles my mind that they could be so hushmouthed on the subject of a vulnerability this severe. Of course, my OEM (Lenovo) has not released an update for my Windows laptop (Yoga 900) since 2016, and as of today their support page [3] on Meltdown/Spectre does not indicate that they plan to do so.

I'm posting this partly in anger/despair, partly in the hope that I'm wrong and that someone will pop up to comment and tell me there's a fix. There is a Linux BIOS for this machine but it's old and I don't know if it will actually address this issue.

[1] https://support.microsoft.com/en-us/help/4056892/windows-10-... [2] https://www.bleepingcomputer.com/news/security/list-of-meltd... [3] https://support.lenovo.com/us/en/solutions/len-18282

I know I won't get any updates for the system for my 2012 Dell XPS 8500 (256 GB SSD, 16 GB RAM, i7 CPU - I don't see a need for an upgrade, it's all there).

Does that mean I'll just be left out cold? That's how I understand it.

When I run the Microsoft PowerShell plugin that they made available to check the protection status (`Get-SpeculationControlSettings`) I get a "True" for 3 of 8 items (only showing those 3):

  Windows OS support for branch target injection mitigation is present: True
  Windows OS support for kernel VA shadow is present: True
  Windows OS support for kernel VA shadow is enabled: True
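As an added example (not code from the thread or from Microsoft), a read-only PowerShell check that interprets those three True lines: it assumes the SpeculationControl module (the source of `Get-SpeculationControlSettings`) is installable from the PowerShell Gallery and that the antivirus compatibility value lives under the QualityCompat key Microsoft documented for the January 2018 update; verify that path against the KB before relying on it.

```powershell
# Added example, not from the thread. Read-only: it reports status and changes nothing.

# Assumption: the antivirus compatibility value that gates the January 2018 update
# is written under this key (Defender writes it itself; other AVs must do so).
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'

function Get-CompatKeyStatus {
    # If the key is absent, Windows Update will not even offer the patch and
    # will still report "Your device is up to date".
    if (-not (Test-Path -Path $CompatKey)) {
        return [pscustomobject]@{ KeyPresent = $false; ValueNames = @() }
    }
    $names = (Get-Item -Path $CompatKey).GetValueNames()
    [pscustomobject]@{ KeyPresent = $true; ValueNames = @($names) }
}

function Get-MitigationSummary {
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Install-Module -Name SpeculationControl -Scope CurrentUser -Force
    }
    Import-Module -Name SpeculationControl
    # The cmdlet prints the narrative lines shown above to the host and also
    # returns an object with boolean properties; we only use the object.
    $s = Get-SpeculationControlSettings

    # Meltdown: OS-only fix (kernel VA shadow), no firmware needed. Some CPUs
    # (KVAShadowRequired = False) are not affected at all.
    $meltdownMitigated = (-not $s.KVAShadowRequired) -or
        ($s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled)

    # Spectre variant 2 (CVE-2017-5715): needs OS support AND new microcode,
    # which only arrives via a BIOS/firmware (or hypervisor) update. That is the
    # part an OEM may never ship, and the reason "present/enabled" can be True
    # while the hardware line is still False.
    $spectreV2Mitigated = $s.BTIHardwarePresent -and
        $s.BTIWindowsSupportPresent -and $s.BTIWindowsSupportEnabled

    if (-not $s.KVAShadowWindowsSupportPresent) {
        $next = 'OS patch not installed: check the compat key, then Windows Update or the Update Catalog'
    } elseif (-not $s.BTIHardwarePresent) {
        $next = 'OS patched; Spectre v2 still needs a BIOS/microcode update from the OEM or hypervisor'
    } else {
        $next = 'Fully mitigated'
    }

    [pscustomobject]@{
        OsPatchInstalled   = [bool]$s.KVAShadowWindowsSupportPresent
        MeltdownMitigated  = [bool]$meltdownMitigated
        FirmwareMicrocode  = [bool]$s.BTIHardwarePresent
        SpectreV2Mitigated = [bool]$spectreV2Mitigated
        NextStep           = $next
    }
}

Get-CompatKeyStatus  | Format-List
Get-MitigationSummary | Format-List
```

With exactly the three True values quoted above, the summary reports MeltdownMitigated = True and SpectreV2Mitigated = False, with the next step being a firmware update.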

Same boat for my XPS 8700, also kept around for the same reason. 24 GB RAM, i7 4th gen. Great for development, including VM work. Unless I was regularly doing video transcoding or heavy CAD work, it's more than fast enough.

Contacted Dell support and confirmed they will not be releasing a BIOS update for the system.

First harm to me from this issue. Not sure if it means I will have to join a class action against Dell or Intel.

Might want to check again tomorrow. My Dell Desktop (Ivy Bridge/3rd Gen era) received a BIOS update today, specifically noting "Update to the latest CPU microcode to address CVE-2017-5715." It updates the ME firmware too for those recent bugs.

Thanks for the heads-up, I'll keep an eye out, but it's not listed on the following consumer systems list.

>It's worth noting that Windows Update may also fail to apply the Meltdown/Spectre patch if other conditions aren't met.

>... if your system firmware is not ready to accept the update, Windows Update will not apply it, and _it won't tell you_ that it's not applying it -- it will simply say 'Your device is up to date'.

The update enables mitigations for Meltdown regardless of firmware.

You need updated firmware for updated CPU microcode to mitigate Spectre.

>I had to dig around to find a page [2] that had some useful instructions allowing me to find out what the actual status of my Windows install was.

All this is transparently revealed when you run `Get-SpeculationControlSettings`, which is mentioned in the update guidelines, e.g. https://support.microsoft.com/en-us/help/4073119/

There's a lot of confusing information out there as you have found out.

This link helps clarify the steps needed. https://doublepulsar.com/important-information-about-microso...

Pay specific attention to the dataflow. Registry keys have to be set in a certain order for a) the patch to download and install and b) the mitigations to actually be enabled.

If there is not a BIOS fix (I'm in the same boat as you), the other hope is that the OS or virtualization provider includes CPU microcode in their update to address this.

At this time, I do not believe Microsoft has included microcode in their current update. However, they do have the capability so that's something you can ask them about doing so at some point.

Seems like Intel has released updated microcode: https://news.ycombinator.com/item?id=16111433

but sadly no mention of what Windows users are supposed to do.

At this time, nothing other than update BIOS.

My Windows systems are VMs so I updated to the latest ESXi release (as of yesterday) which includes microcode. See https://www.vmware.com/us/security/advisories/VMSA-2018-0004...

My laptop spent a few days spinning the fans and consuming bandwidth, repeatedly downloading, trying and failing to install this patch. Error code was different from the KB article, but I followed instructions anyway, downloaded manually and ran it and it worked fine.

“Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key”

Another incentive to stop using questionable AV software (since this was implemented because they can't get their act together).

No, another incentive to stop using Windows. 3rd party applications should NOT be responsible for ensuring that the OS can receive critical security updates, and Microsoft should not be relying on 3rd party applications to determine whether or not their customers receive critical OS security updates (and of all things, hilariously defaulting to 'no').

From the article: "There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes."

Difficult situation for Microsoft. If you install applications which mess with the operating system in unsupported ways you can't expect your system to function correctly with automatic updates. On the other hand, users are likely not aware of what they have done and bricking millions of computers is also not good. Might for example cause a backlash when people stop updating their systems.

This sounds like a quick and dirty fix they put in place while figuring out what to do.

I'm not sure it's that difficult for Microsoft. Unless I misunderstand something, the requirement is on the antivirus systems already registered with Microsoft. They had half a year. MS could force vendors to patch their shit in a few weeks by giving them an ultimatum: in January, either you don't interfere with kernel patching, or we're showing your customers "your antivirus is stopping you from receiving the latest security patches, consider finding an alternative vendor".

They have reasons for doing it the other way, but I definitely blame them for not standing up to crap AV vendors in this and many other situations.

They could, but this isn't just a technical issue it's also a legal and political issue where several AV vendors are currently suing MS in the EU for alleged anti-trust behavior. So the lawyers compromise everybody's security.

That seems like a fairly questionable blame-shift for MS. If they don't have the guts to provide even that level of protection, yet more reason to shift away from them except for trivial things like gaming.

So if you edit the Kernel on your version of Ubuntu, then Canonical should be held responsible?

That seems like a crazy thought process. You're running software that modifies Windows' internal functionality. The vendor knows it's unsupported. How can you blame the company who just made the platform you compromised?

Might as well set your root password to "password" and open it to the public then complain that the security is bad.

In fact your kernel does become "tainted" if you install unsupported kernel drivers (the closest equivalent to what the problematic Windows AVs do). If your support comes from RH, SuSE or similar vendors it usually becomes limited, depending on the kind of taint.

That's definitely one of the reasons to do it the way they have. But it's their choice. They chose to have a technical/security problem rather than a political/legal one. Or specifically, they chose for the customers to have a problem rather than themselves.

>>> I'm not sure it's that difficult for Microsoft.

Yes it is.

AVs use various hacks and exploits to hijack calls to the kernel. How did you think they notify you of an infected file before you open the infected file? The AV intercepts kernel API calls to list and open files.

I wouldn't be surprised if the patch for meltdown/spectre breaks these techniques. Generally speaking, these techniques will crash the system if they didn't work as intended. Microsoft doesn't want AV to BSOD millions of computers so they don't update when they detect an AV. It's perfectly reasonable to me.

Might for example cause a backlash when people stop updating their systems.

So, again, the "where do you want to go today?" company decides "never mind, this is where you are going: we're stopping updates because you might have thought about it."

The problem is that anti-virus software is not a normal application, it is a weird, very complex kind of parasite that burrows deep into the operating system. This means Microsoft must be very careful, lest the parasite unintentionally kill the host.

Typically, that would be called "a virus"

Can a virus make its host dependent on it?

No. "Symbiote," likely; "parasite," perhaps. "Virus," not at all.

Symbiont. The word you're looking for is symbiont, not parasite. A symbiont lives in harmony with the host, exchanging something in exchange for the resource it consumes (in this case protection). A parasite just takes, and gives nothing back to the host.

(Of course, let's ignore the obvious joke about some AV solutions like Symantec.)

Given your definitions, I'm pretty sure commercial AV is just parasites.

Yeah, the distinction between a symbiont and a parasite is mostly of degree, not kind, and AV software these days is increasingly being found on the blurry line between the two.

>3rd party applications should NOT be responsible for insuring that the OS can receive critical security updates

It is because these (misbehaved) 3rd party applications do things that cause the mitigations update to make computers unusable.

>and of all things, hilariously defaulting to 'no'

It does not default to "no" since the default is to run MSE / Defender.

> > and of all things, hilariously defaulting to 'no'

> It does not default to "no" since the default is to run MSE / Defender.

I think that it's reasonable to read the grandparent's post as meaning "defaulting to 'no' under certain conditions on the system". It would surprise me if there weren't plenty of users out there who have legacy workflows with antiquated antivirus software still running, either because they set it up and haven't changed it or because their local tech geeks set it up and they don't know how to change it. I know that, as I've tried gradually (and unsuccessfully) to ease back into Windows after a long time away, it's been hard for me to believe in Defender as a full AV solution, and my first instinct was to run old favourites like ClamAV as an extra layer of defence.

It isn't relying on it - MS recommends people use Defender, which works fine. But unfortunately not everyone is doing that.

Ironically Defender was preventing me from receiving Windows updates, so I had to turn it off. I assume that means I'm in a catch-22.

Seems like the EU and/or the FTC would want to talk to Microsoft about Microsoft requiring Microsoft's AV to be installed before Microsoft will update the OS.

But they don't - third party AV software can update the registry key.

Windows isn't going anywhere, if for no other reason than because Microsoft Excel is basically electronic paper to the business world -- and there is simply no adequate substitute for it. (No, neither OpenOffice Calc nor any of the Web-based offerings -- including Microsoft's own -- count.)

Coping with Windows is a fact of life. Get used to it.

You've decided to make it part of your life.

Plenty of us have gotten rid of that virus years ago; yes even at work.

>Coping with Windows is a fact of life. Get used to it.

Echoes from 1998.

Your use of the word 'coping' is telling.

p.s. I can't remember the last time I touched MS software outside of a VM.

There's MS Excel (and office) for Mac and Wine supports Office 2013. The situation is getting better every year.

And MS Office for Android.

Agreed. MS should cut off shady AV software if they are interfering with Windows Update or the security of the system. If they don't, it tells us they have AV vendors higher on their priority list than end users. And that sucks.

> Microsoft should not be relying on 3rd party applications to determine whether or not their customers receive critical OS security updates (and of all things, hilariously defaulting to 'no')

The default is to use the 1st party product, Windows Defender, which defaults to 'yes'.

I'll never understand why AV is a third party software solution. I don't buy an Audi and then go to some other company and buy ABS and seat belts. This is a MS issue and should be handled in house.

Why doesn't Microsoft supply every component? Because of Anti-Trust Lawsuits. Microsoft has a monopoly position as a desktop operating system vendor. Any time they bundle software with the OS, it's grounds for a lawsuit in Europe.

>I'll never understand why AV is a third party software solution.

It has been first-party for many years - MSE was released 2009-09 per Wikipedia.

Maybe not a great analogy: ABS components and seat belts are, in all likelihood, manufactured by a third party who specialises in such.

But I don't have to go get them installed myself. So it's Audi's problem, not mine.

Right, but MS provides AV or you can install a third party option instead. Just like you can install aftermarket brakes, suspension, ECUs or even seats and seatbelts in your Audi.

PCs often (mostly?) ship with third-party anti-virus software because AV companies pay them to install it.

Ok but now you are talking about a different product (a PC) vs Microsoft Windows. The third party AV vendors are paying the PC manufacturer to bundle their products, they are not paying Microsoft.

In the PC case both Windows and AV are third party products.

Note that one of the antivirus software vendors that does this correctly is, in fact, Microsoft Defender.

If you haven't installed dodgy third-party AV, you're fine.

Which third-party AV isn't dodgy?

Unfortunately I have no reason to use it, though. I don't even know whether it's any good. But at least I know it's not dodgy!

In terms of catching viruses that are out there in the wild, ClamAV is the least good antivirus solution. But hey, open source and completely auditable!

ClamAV (ClamWin) will happily false positive and quarantine all sorts of files on a Windows box, occasionally including required system files. I've tried it on 3 different boxes at different times over the past ~5 years and the amount of false positives was insane every time.

I don't think it's ready to be run on Windows boxes unless you are a power user willing to manually verify that ~100 files are not actually malware.

Malwarebytes? Not really an AV I guess.

You're not fine if you've disabled Windows Defender.

You can’t just stop using AV software I’m told. The key is checked for everyone, including people with no AV. Contrary to the sensational headlines, it is implied to be a temporary measure. It’s not really clear whether you’d have to only do this manually once, or on every subsequent update.

The questions and answers in Microsoft's own doco imply once.

* https://news.ycombinator.com/item?id=16076660

That makes sense to me, but then why the need for AV to repeatedly set the key?

If you do it once, it may be that your AV isn't compatible with the patch and will cause your system to bluescreen and maybe not even turn on, so no, you really shouldn't do that.

If you have no AV, you can be pretty sure that’s not an issue.

Microsoft could at least pop up a nag screen every 15 minutes to notify the user that their AV software is crap and needs to be removed. The average user won't know that their AV is actively keeping their OS unpatched.

At initial patch release, not even all the well-known ones had the registry key setting in place... so it's not just about questionable AV software when big corps considered "safe" (debatable) didn't have "their act together" either.

There was a list posted yesterday on compatibility that continues to be updated: https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLp...

The bane of open software: users can install any trash they want to.

Perhaps one advantage of the walled garden of Windows S. No virus checker needed if every piece of software is vetted by an online repository and everything runs in its own sandbox.

So finally there's a way to disable updates on Windows 10... ;)

I think at this time if you're on windows 10 you should really just use Defender.

It works well, they are actively developing it, and the new whitelist-based directory protection is kinda neat if you're scared of ransomware.

What feature are you talking about specifically?

> The compatibility registry key exists for a reason. I know. I can also see it’s a messy hacky fix. But it needs an end of life date

I couldn't agree more. As I've been devising a patching plan over the past few days I couldn't help but wonder "how long will I have to do this"? My hope is that in future OS releases (say, Windows Client/Server 1803) the mitigations will be default-on for clean installations (minimally).

Do I have to do anything if I'm just using Windows Defender?

Nope, Windows Defender has already set the registry key, and you should be good to go. For the rest of you, there is a good public document[0] that is being regularly updated on the status of each of the AV products out there.

Does Microsoft Security Essentials fall under Windows Defender for the purposes of this article?

Wow using a hypervisor to inject below the kernel to avoid KPP is nuts. Never knew the AVs did that. What are they going to do when Microsoft begins to use Hyper-V to enforce CredGuard[1]?

[1]: https://blogs.technet.microsoft.com/ash/2016/03/02/windows-1...

Turns out nested virtualization is a thing. Jesus.

My Windows 10 machines will not receive the update automatically for some reason. I think it is because I had Defender completely disabled via group policy since it interferes with some of my development activities surrounding Node.js.

However I was able to install the security update manually from the Microsoft Windows update catalog download site. I did this after enabling defender briefly and updating it to ensure that the registry key was written.

I'm real curious what kind of development you're doing with Node.js where Windows Defender causes trouble.

The real-time scanning slows down processes that access a large number of files, like code compiles in general and importing node modules in particular.

I haven't noticed Windows Defender causing significant slowdowns for processes which access lots of files except when it does a full system scan (which is not often). Even then, it's only barely noticeable.

I've disabled defender due to high CPU usage on machines that had to slice mpegs into jpegs with near constant work.

The machine was slicing up 11 channels of 24fps videos into jpegs, so 264 jpegs/s at 720p and 24 bit color.

I've had friends and coworkers that have hit the same CPU issues with big git repos and defender.

It seems like Defender has problems with getting hit with tons of small files in quick succession, but really I know very little about it.

Why not just exclude the node_modules folder and temp/cache? This helps me enough.

You could have also just manually created the registry key.

Finally a fix for forced reboots!

You could still get the reboots without updates ... which is what I've been getting for a few weeks now on a cheap tablet: loads update, reboots in the night, update fails. Rinse, repeat.

(I don't care, an update took down the sound last year. For all I know the next one will make the gizmo totally malfunction ... MS don't care for that cheapo segment either, the wanton demands for disk space are astounding, and they refuse to use their own exFAT format on additional storage. Truly ready to ascend to Oracle level, they are.)

Throw Enterprise LTSB on old/low spec hardware. That's my preferred Win10: stable, bloat free, and it only gets the updates beta tested by the regular users.

"Windows 10 LTSB is only available as part of Windows 10 Enterprise. And Windows 10 Enterprise is only available to an organization with a volume licensing agreement, or through a new $7 per month subscription program."

Seriously? An OS of which you need an obscure, hard-to-get version, special messing around in power tools, and still might break randomly? This role reversal happening in the last 10 years is sad, really.

Yeah, had me confused for a while. Easy to set with a group policy, though.

Still, could have been better communicated.

Another consequence of this is that Windows will disable updates when you do not have any anti-virus software running as well.

Slightly OT if I may: Is there any reason to use anything other than Defender these days? Chrome+uBlock, good email security and update practices, Defender just in case, do we need more?

No, not that I am aware of. 3rd party AV are liabilities at this point.

Defender can be seen as merely being the lesser evil.

Consider CVE-2017-0290[0], which was caused by the MsMpEng process running a custom unsandboxed JavaScript interpreter with system privileges to evaluate untrusted code for maliciousness. Remotely exploitable over many unsolicited channels. Pretty much the worst kind of exploitability. Of course other AVs have made quite similar mistakes.

[0] https://bugs.chromium.org/p/project-zero/issues/detail?id=12...

No, there isn't. Antivirus only protects against known threats anyway, and Windows Defender works fine for that.

I haven't used anything other than Defender (and the Microsoft tool that predated it, can't remember the name) in ages. I've never had any issues.

Microsoft Security Essentials?

Yep, that's the one.

Defender's presence on my XPS 2015 is the difference between a usable laptop and an eternity of hourglass cursors.

3rd party AV generally has better hit rates and the good ones are dramatically less demanding of system resources (happy with NOD32 here).

Not the free consumer kind. Some business/enterprise stuff is useful (e.g. ESET), but that's not helpful to the average consumer.

Yes, http://www.bromium.com adds next level security to Windows environments.

I don't think your comment should be downvoted, but Bromium also adds a revolting lag, clumsiness and instability.

Indeed but if you need security it’s a good solution.

I must have upset the hive mind by sharing a link. Oh well, hopefully someone finds value here.
