Microsoft has updated its support notice to say that Windows computers will not receive any security updates at all until their AV software is certified compatible with the Spectre and Meltdown patches.
Windows PCs running anti-virus software that is incompatible with the recent Meltdown and Spectre patches will no longer receive any security updates, Microsoft has warned.
Spectre and Meltdown are design flaws in modern processors that could allow attackers to bypass system protections on a wide range of devices and read sensitive information, such as passwords, from memory.
Microsoft has rolled out a series of patches for the flaws since January 3rd, but last week said these patches would not be pushed to computers running incompatible third-party AV.
Now Microsoft has updated its support notice to say that Windows computers will not receive any security updates at all until their AV software is certified compatible with the Spectre and Meltdown patches. Windows systems will not be certified as compatible until the AV vendor sets a specific key in the Windows registry.
“Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key,” says Microsoft.
Security researcher Kevin Beaumont has put together a list of antivirus products that are compatible with Microsoft’s Spectre and Meltdown updates, and which have set the Windows registry key.
Compatible anti-virus products include those from Avast, AVG, Avira, Bitdefender, ESET, F-Secure, Kaspersky, Malwarebytes, Sophos, and Symantec. Systems running McAfee, Trend Micro, and Webroot software are also expected to be eligible to receive the updates soon.
Various other security providers, including CrowdStrike, Cylance, FireEye and Palo Alto Networks, have not yet set the registry key, but claim their products are compatible.
Beaumont says that companies whose AV products are designed to be used alongside other security software say they are loath to set the key, in case other software on the system clashes with the fix.
System admins can manually set the registry key; however, Microsoft warns that doing so may cause serious problems that “require you to reinstall your operating system”. To manually update the registry, follow this guide.