{"id":1990,"date":"2018-01-10T19:33:47","date_gmt":"2018-01-11T00:33:47","guid":{"rendered":"http:\/\/www.wildow.com\/blog\/?p=1990"},"modified":"2018-01-10T19:33:47","modified_gmt":"2018-01-11T00:33:47","slug":"important-information-about-microsoft-meltdown-cpu-security-fixes","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=1990","title":{"rendered":"Important information about Microsoft Meltdown CPU security fixes"},"content":{"rendered":"<p>Important information about Microsoft Meltdown CPU security fixes, antivirus vendors and you<br \/>\nLast week, Microsoft issued the January 2018 cumulative security updates. Although the media focus has been on the \u201cMeltdown\u201d and \u201cSpectre\u201d CPU fixes, these patches also include a range of other important security fixes, including patches to the SMB server.<\/p>\n<p><a href=\"https:\/\/doublepulsar.com\/important-information-about-microsoft-meltdown-cpu-security-fixes-antivirus-vendors-and-you-a852ba0292ec\">https:\/\/doublepulsar.com\/important-information-about-microsoft-meltdown-cpu-security-fixes-antivirus-vendors-and-you-a852ba0292ec<\/a><\/p>\n<p>These updates came with many caveats, and the Microsoft knowledge base articles have had extensive edits since publishing. 
There are some really important things you should know before trying to apply the patches.<\/p>\n<p>The main thing to know is that the January patches, and currently all future security patches, will not install unless antivirus vendors take action\u200a\u2014\u200aand some don\u2019t want to, or feel they cannot.<\/p>\n<p>Microsoft require your Anti-Virus provider to certify compatibility<br \/>\nThe problem is that some anti-virus vendors bypass Kernel Patch Protection by injecting a hypervisor, which they use to intercept syscalls and make assumptions about where kernel structures live in memory. The Meltdown fix (kernel virtual address shadowing, which unmaps most of the kernel while user-mode code runs) changes exactly those memory locations.<\/p>\n<p>To be honest, some of the techniques are similar to ones used by rootkits\u200a\u2014\u200aKernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact. Because some anti-virus vendors are using very questionable techniques, they end up causing systems to \u2018blue screen of death\u2019, i.e. get into reboot loops. This shouldn\u2019t be possible in the latest operating systems, but some anti-virus vendors have managed it by taking themselves into the hypervisor\u200a\u2014\u200aor \u201chardware assisted\u201d as you\u2019ll sometimes read in marketing material. 
Anti-Virus makers really shouldn\u2019t be messing with systems like this.<\/p>\n<p>To combat this, Microsoft have asked Anti-Virus vendors to set a registry key every time their product starts up, certifying that it works with the CPU fixes:<\/p>\n<p>https:\/\/support.microsoft.com\/en-us\/help\/4072699\/january-3-2018-windows-security-updates-and-antivirus-software<\/p>\n<p>You\u2019ll find this bit very important:<\/p>\n<p>\u201cCustomers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key\u201d<br \/>\nUntil Anti-Virus makers set this registry key, you don\u2019t get any security fixes.<br \/>\nPlease note that this affects not only Windows Update but also Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).<\/p>\n<p>To remind you: if you don\u2019t get this right (for example, your antivirus provider fails to set the key, your antivirus licence has expired, or antivirus is simply broken on a PC), no further security updates will install and you \u201cwill not be protected from security vulnerabilities\u201d, in the words of Microsoft.<\/p>\n<p>To make matters worse, in WSUS and SCCM, PCs and servers show the patches as Not Applicable\/Not Required, making it look like systems are fully patched. 
They aren\u2019t.<\/p>\n<p>Tracking Anti-Virus vendors who have added the registry key<br \/>\nI have made a spreadsheet to track vendors who have complied, or not, with the instructions from Microsoft:<\/p>\n<p>CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre) Windows antivirus patch\u2026<\/p>\n<p>Patch tracking spreadsheet<br \/>\nYou should look for vendors who are \u201cY, Y\u201d\u200a\u2014\u200athis means their products support the January 2018 security patch, and set the compatibility registry key.<\/p>\n<p>In the case of some antivirus vendors, it has been a bumpy road. For example, with Symantec Endpoint Protection, although engine updates now exist, Symantec recommend you don\u2019t apply the Microsoft fixes at the time of writing:<\/p>\n<p>Next Gen Endpoint providers aren\u2019t applying the registry fix<br \/>\nThis is the next problem. Next Gen Endpoint solution providers used to pitch themselves as an addition to antivirus software, an extra layer, but in the last few months the major players have started to pitch themselves as an antivirus replacement. Budgets are tight in IT departments\u200a\u2014\u200awhy not be the primary supplier, rather than the one you can\u2019t afford, after all?<\/p>\n<p>Except they aren\u2019t setting the registry key for compatibility. Almost all of them say this is because they don\u2019t want to risk blue screening a system, in case the customer also has other antivirus software installed.<\/p>\n<p>Here\u2019s Palo-Alto as an example:<\/p>\n<p>Their support article for this (customers only) says:<\/p>\n<p>So if you use Palo-Alto to replace your legacy antivirus, congrats, you won\u2019t be protected from security vulnerabilities on your endpoint unless you manually create the registry key antivirus vendors are supposed to create. 
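<p>Checking for (and, if your vendor has confirmed compatibility, creating) that key yourself, as an added example that is not part of the original post: the PowerShell below reports whether the compatibility value described in KB4072699 is present on the local machine. The key path and the GUID-named REG_DWORD value are taken from that Microsoft article rather than from this post, so verify them against the KB before relying on the script. Run it from an elevated session.<\/p>

```powershell
# Added example, not from the original post. Key path and value name are those
# published in Microsoft KB4072699 (the post links the article but does not
# quote the key); check them against the KB before relying on this.
# Run from an elevated PowerShell session.

$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # REG_DWORD, data must be 0

function Test-AvCompatKey {
    # $true only if the value exists and holds the DWORD 0 that Windows Update checks for.
    $item = Get-ItemProperty -Path $CompatKey -Name $CompatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$CompatValue -eq 0)
}

function Set-AvCompatKey {
    # Creates the key and value. Supports -WhatIf so you can preview the change.
    # Only do this once your AV / endpoint vendor has confirmed compatibility:
    # setting it on top of an incompatible driver is how you get the reboot loop.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($CompatKey, "Create $CompatValue = 0")) {
        if (-not (Test-Path $CompatKey)) {
            New-Item -Path $CompatKey -Force | Out-Null
        }
        New-ItemProperty -Path $CompatKey -Name $CompatValue -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

if (Test-AvCompatKey) {
    Write-Output 'AV compatibility key present: the January 2018 and later updates will be offered.'
} else {
    Write-Warning 'AV compatibility key missing: this machine will not receive the January 2018 or later security updates, and WSUS/SCCM will show them as Not Applicable.'
    # Uncomment once your vendor has confirmed compatibility (drop -WhatIf to apply):
    # Set-AvCompatKey -WhatIf
}
```

<p>Test-AvCompatKey can be pushed to a fleet with Invoke-Command to find the machines that WSUS or SCCM are quietly reporting as Not Applicable; any machine where it returns $false will not be offered the January 2018 update or anything after it.<\/p>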
Palo-Alto are a member of Microsoft MAPP, and have seen the requirements.<\/p>\n<p>Since TRAPS is marketed as protecting you from known and unknown exploits, you might think you are protected from Meltdown, but... well...<\/p>\n<p>Palo-Alto aren\u2019t alone. For example, Cylance with CylancePROTECT now boast\u200a\u2014\u200aincluding in sales pitches and on their website\u200a\u2014\u200athat they can replace antivirus.<\/p>\n<p>However, Cylance too does not automatically set the registry key.<\/p>\n<p>These two examples are typical of the \u2018next gen\u2019 vendors I\u2019ve checked out: they simply don\u2019t feel able to set the registry key, which can create this customer journey:<\/p>\n<p>Buy a next gen security product to replace antivirus and detect unknown exploits and malware.<br \/>\nNo longer receive any Microsoft security updates.<br \/>\nNot be able to detect the Meltdown exploit.<br \/>\nHave to manually frig a registry entry or deploy a .exe to set a registry key to get updates working again.<br \/>\nThat isn\u2019t optimal.<\/p>\n<p>Call to antivirus vendors<br \/>\nPlease stop using goofy, undocumented and hacky ways to predict memory locations and mess with syscalls. There are five key vendors doing this (and lots of OEM vendors licensing their engines): please tidy up the code.<\/p>\n<p>Call to next gen antivirus vendors<br \/>\nIf you\u2019re selling yourself as an antivirus replacement, and you\u2019re in the Microsoft MAPP programme, you need to be able to live as an antivirus vendor.<\/p>\n<p>Call to Microsoft<br \/>\nThe compatibility registry key exists for a reason. I know. I can also see it\u2019s a messy hacky fix. But it needs an end of life date\u200a\u2014\u200athis is going to decrease security for everybody in the long term, as, trust me, antivirus will be broken on some PCs in some Enterprises and homes, and so they won\u2019t be getting security updates. 
In short, the registry key check is going to need a drop dead date set (and, yes, antivirus vendors doing silly things to bypass KPP are going to have to take the heat).<\/p>\n<p>There is also another element here: on Windows Server, installing the Meltdown and Spectre patches does not, by itself, enable the mitigations.<\/p>\n<p>Here\u2019s a diagram I made of how enabling is handled:<\/p>\n<p>The Microsoft guide here is:<\/p>\n<p>https:\/\/support.microsoft.com\/en-us\/help\/4072698\/windows-server-guidance-to-protect-against-the-speculative-execution<\/p>\n<p>Here\u2019s the guidance:<\/p>\n<p>To enable the fix<br \/>\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\" \/v FeatureSettingsOverride \/t REG_DWORD \/d 0 \/f<br \/>\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\" \/v FeatureSettingsOverrideMask \/t REG_DWORD \/d 3 \/f<br \/>\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Virtualization\" \/v MinVmVersionForCpuBasedMitigations \/t REG_SZ \/d \"1.0\" \/f<br \/>\nIf this is a Hyper-V host: fully shut down all Virtual Machines.<br \/>\nRestart the server for the changes to take effect.<br \/>\nSo yes: unless you actually add those keys, the patches do not enable the CPU mitigations on Windows Server. (Windows client editions enable the mitigations by default and need no keys.)<\/p>\n<p>And if you do, keep in mind:<\/p>\n<p>Wrapping up, this has been incredibly messy for everybody involved. My belief is organisations shouldn\u2019t rush these patches out. They need to carefully test and see where they need to mitigate the vulnerability. The vulnerability is only exploitable if an attacker can run code on the device: Meltdown and Spectre are \u201cinformation disclosure\u201d bugs, which means the attacker needs code execution on the target to read its memory. 
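<p>Applying and verifying the Windows Server guidance above in PowerShell, as an added example that is not part of the original post: Enable-SpeculationMitigations writes the same three values as the reg add commands and refuses to proceed on a Hyper-V host with running VMs, and Get-SpeculationMitigationState reads the values back and decodes them. The bit meanings it assumes for FeatureSettingsOverride (bit 0 set disables the Spectre variant 2 mitigation, bit 1 set disables the Meltdown kernel VA shadow mitigation) come from Microsoft\u2019s KB4072698 guidance, not from this post, and the default-off behaviour it assumes is the Windows Server one.<\/p>

```powershell
# Added example, not from the original post. Implements the KB4072698 "To enable
# the fix" steps for Windows Server and reads the result back.
# Bit meanings of FeatureSettingsOverride are from Microsoft's guidance:
#   bit 0 set = Spectre variant 2 (branch target injection) mitigation disabled
#   bit 1 set = Meltdown (kernel VA shadow) mitigation disabled
# Run from an elevated PowerShell session; a reboot is still required afterwards.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
$ServerDefaultOn = $false   # Windows Server leaves both mitigations off unless configured

function Get-SpeculationMitigationState {
    # Decodes the override/mask pair. A mitigation is only configured where its
    # mask bit is set; otherwise the platform default applies (off on Server).
    $mm = Get-ItemProperty -Path $MemMgmt -ErrorAction SilentlyContinue
    $override = [int]($mm.FeatureSettingsOverride)      # missing value -> 0
    $mask     = [int]($mm.FeatureSettingsOverrideMask)  # missing value -> 0
    $v2  = if ($mask -band 1) { ($override -band 1) -eq 0 } else { $ServerDefaultOn }
    $kva = if ($mask -band 2) { ($override -band 2) -eq 0 } else { $ServerDefaultOn }
    [pscustomobject]@{
        FeatureSettingsOverride     = $override
        FeatureSettingsOverrideMask = $mask
        SpectreV2Mitigation         = $v2
        KvaShadowMitigation         = $kva
        MinVmVersion = (Get-ItemProperty -Path $VirtKey -ErrorAction SilentlyContinue).MinVmVersionForCpuBasedMitigations
    }
}

function Enable-SpeculationMitigations {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Hyper-V host check: the KB says VMs must be fully shut down (not saved) first.
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        $running = Get-VM | Where-Object { $_.State -ne 'Off' }
        if ($running) {
            throw ('Shut down these VMs before enabling the mitigations: ' + ($running.Name -join ', '))
        }
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Enable Meltdown/Spectre mitigations')) {
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
        if (-not (Test-Path $VirtKey)) { New-Item -Path $VirtKey -Force | Out-Null }
        New-ItemProperty -Path $VirtKey -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
        Write-Warning 'Values written. Restart the server for the mitigations to take effect.'
    }
}

Get-SpeculationMitigationState
# Enable-SpeculationMitigations -WhatIf   # drop -WhatIf to apply
```

<p>Run Get-SpeculationMitigationState before the change and again after the reboot. The registry only tells you what you asked for; Microsoft\u2019s SpeculationControl module from the PowerShell Gallery (Get-SpeculationControlSettings) reports what the running kernel actually enabled, including whether the CPU microcode needed for the Spectre variant 2 mitigation is present.<\/p>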
To give an example: if you\u2019re worried about somebody owning your Active Directory or SQL Server, an attacker would already need to be able to run code on that Active Directory or SQL Server to use this vulnerability against it. If they can already run code there, it\u2019s game over anyway. Bear in mind, though, that \u201crunning code\u201d includes untrusted JavaScript in a browser and a neighbouring tenant\u2019s virtual machine on shared infrastructure, so end-user devices and multi-tenant hypervisors sit in a different place in that assessment than a domain controller does.<\/p>\n<p>This isn\u2019t as black and white as \u201cthe world is melting\u201d. Organisations need to carefully assess and manage their situation.<\/p>\n<p>It\u2019s also my first month ever as a security vulnerability manager at my new job. Hello. It has been an interesting week.<\/p>\n<p>~k<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Important information about Microsoft Meltdown CPU security fixes, antivirus vendors and you Last week, Microsoft issued the January 2018 cumulative security updates. Although the media focus has been on the \u201cMeltdown\u201d and \u201cSpectre\u201d CPU fixes, these patches also include a &#8230; <a class=\"more-link\" href=\"http:\/\/www.wildow.com\/blog\/?p=1990\">Read More 
&raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1990"}],"collection":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1990"}],"version-history":[{"count":1,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1990\/revisions"}],"predecessor-version":[{"id":1991,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1990\/revisions\/1991"}],"wp:attachment":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1990"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}