Some major anti-virus software vendors were forced to reconfigure their programs after Microsoft rolled out a patch that changed their products’ processing architecture, industry experts tell CyberScoop.
In response to the “Spectre” and “Meltdown” vulnerabilities, which affect nearly every microchip created since 1995, Microsoft immediately offered a software patch that would prevent attackers from targeting these flaws.
Microsoft, much like the microchip makers, has known about the two vulnerabilities for months. However, the company had been one of many working on fixes under a strict embargo. During this timeframe, Microsoft worked on creating an adequate software update that could remediate the problems. Yet, due to the embargo, many cybersecurity companies were left in the dark; entirely unaware that either Microsoft or the microchip industry was dealing with the issue.
This lapse in coordination is currently causing headaches for security companies.
Microsoft’s emergency update causes the operating system to change how it processes data at the kernel level. Processes at this level can only occur when a program is given high-privileges. Most anti-virus engines run at the kernel level because the software inherently requires wide access to the system, allowing for the program to scan files, discover malware and occasionally delete certain malicious computer code when appropriate.
Microsoft’s update force some computers running anti-virus software to spontaneously crash because the security programs aren’t compatible with the fixed system. In this scenario, a fatal system error prompt in blue text, better known as the “blue screen of death,” will appear on the computer screen. The screen renders the computer unusable until reboot.
Kevin Beaumont, an independent security researcher, has been tracking which anti-virus programs have already adapted to Microsoft’s update. Per his list, some popular anti-virus vendors, including Carbon Black and BitDefender, remain incompatible.
Microsoft’s solution to the blue screen problem involves a custom registry key between the the Redmond-Wash. company and each anti-virus vendor. In practice, if a computer is running an anti-virus product that doesn’t have a registry key approved by Microsoft, then the Windows simply patch won’t be applied.
The idea is to avoid having the Microsoft update disable available protection, but it also means the end user is left vulnerable to Spectre or Meltdown in the short-term.
Once an anti-virus company makes the changes, they can add a registry key which Microsoft will validate. With a registry key in place, Microsoft’s update will be applied regularly.
CyberScoop reached out to several anti-virus vendors for comment and will update this story with more information as it becomes available.