Patch Tuesday drops the mandatory antivirus requirement after all



In the immediate aftermath of the Spectre and Meltdown attacks, Microsoft created an unusual requirement for Windows patches: systems would only receive the fixes if they had antivirus software installed and if that antivirus software created a special entry in the registry to indicate that it’s compatible with the Windows fixes.

This was due to the particularly invasive nature of the Meltdown fix: Microsoft found that certain antivirus products manipulated Windows’ kernel memory in unsupported ways that would crash systems with the Meltdown fix applied. The registry entry was a way for antivirus software to positively affirm that it was compatible with the Meltdown fix; if that entry was absent, Windows assumed that incompatible antivirus software was installed and therefore did not apply the security fix.

This put systems without any antivirus software at all in a strange position: they too lack the registry entries, so they’d be passed over for fixes, even though they don’t, in fact, have any incompatible antivirus software.

With the patches released today, Microsoft has reverted that policy, at least on Windows 10; the telemetry data collected by Windows indicates that incompatible antivirus software is sufficiently rare as to be a non-issue, so there’s no point in blocking anything.

Windows 10 includes a compatible antivirus application as a built-in part of Windows, so there’s little excuse to ever be running an incompatible product or no antivirus protection at all. Windows 8.1 likewise includes compatible protection as part of the operating system. Windows 7—which plainly still includes the restriction—is the big sticking point, as it has no built-in antivirus protection of its own, meaning that users must install something to receive the fixes.

Microsoft has also updated the microcode package that contains processor-level updates for Intel and AMD processors to help mitigate some of the Spectre attacks. This microcode package must still be downloaded and installed manually, and it isn’t (yet) being distributed by Windows Update. But the package provides an important alternative for those who lack a motherboard firmware containing the new microcode.

The actual patches today include one fix in particular that looks significant. A cryptographic flaw has been found in CredSSP (Credential Security Support Provider), Microsoft’s protocol that provides authentication for both remote desktop (RDP) connections and Windows Remote Management (WinRM) connections. With this flaw, a man-in-the-middle can steal authentication data and use it to execute commands remotely. While it’s not generally recommended, people often use RDP connections across insecure links to provide secure access to remote systems. This isn’t the first flaw to render that practice ill-advised, but it still happens regardless.

Today’s patch addresses the cryptographic issue but is complicated because both clients and servers need to update, and to be secure, servers need to reject authentication attempts from out-of-date clients. Accordingly, there are configuration options to control whether or not a server will let an out-of-date client connect, and administrators will likely want to double-check the environments themselves before deploying.
