SNAFU: Some AV Tools Cause BSODs And Boot Failures After Meltdown Patches

Microsoft's patch to protect Windows computers from the Meltdown / Spectre "hardware bug" has revealed the rootkit-like nature of many antivirus tools: they hook into the kernel in ways Microsoft never sanctioned.

Some AV products are incompatible with Redmond's Meltdown patch because, according to Microsoft, “the products make unsupported calls into Windows kernel memory.” The result? The dreaded BSOD.

Worse, in extreme cases machines fail to boot at all when the AV driver clashes with the patch. Some AV tools drill deep into the kernel's internals, depending on a kernel memory layout that Microsoft does not guarantee, in order to keep tabs on the system and detect the presence of malware.

Here's why that is a problem. Normally the OS maps the kernel into the top region of every user process's virtual address space and marks those pages supervisor-only, so that user-mode code is not supposed to be able to read them. The Meltdown patch (Microsoft calls it KVA Shadow, the Windows counterpart of Linux's KPTI) stops relying on that marking: it moves the kernel into its own private set of page tables that is switched in only while the CPU is executing kernel code, so most kernel memory is simply not mapped while a user process runs. A driver that assumed the old layout and touches kernel memory through unsupported paths now finds addresses that are no longer where it expects, and the machine crashes.

The design flaw in Intel's chips (Meltdown, CVE-2017-5754) means that kernel memory can still be read by ordinary apps despite the supervisor-only marking: speculative execution touches the protected data before the permission check takes effect, and a cache side channel leaks it a byte at a time. Obviously this is a security hole you can drive a truck through, because any unprivileged program can siphon off passwords and other secrets held in normally protected kernel memory.

Here Is How The Patch Will Not Be Applied

Redmond asked AV vendors to test whether their code is compatible with the patch and, if it is, to set a specific Windows registry key to confirm all is well (the flag lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat; Microsoft's KB4072699 documents the exact value name). Only when the key is set will Windows Update offer and install the Meltdown workaround. Therefore, if an antivirus tool does not set the key, or the user does not set it manually for some reason, the security fix is not applied.

As a matter of fact, until this registry key is set the machine will not receive any Windows security updates through Windows Update – not just this month's patches, but any future ones as well. Yikes.
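As an added example, not part of the original post, here is a PowerShell check an admin can run from an elevated prompt on a Windows machine to see where it stands: whether anything has set the AV compatibility flag under the QualityCompat key, whether any update has been installed since the January 3, 2018 release, and whether the kernel mitigation (Microsoft's KVA Shadow) is actually enabled, using Microsoft's SpeculationControl PowerShell module. The GUID-named value that vendors set is documented in Microsoft's KB4072699 and is deliberately not hard-coded here; the script lists whatever values are present under the key. The server-side FeatureSettingsOverride check at the end reflects Microsoft's guidance that the mitigation is off by default on Windows Server; treat its interpretation as an assumption to confirm against the current KB.

```powershell
# Added example: Meltdown/Spectre patch readiness check for Windows.
# Not code from the original post. Run from an elevated PowerShell prompt.

# 1. Has any AV product (or an admin) declared compatibility?
#    Assumption: the flag is a value under QualityCompat whose GUID name is in KB4072699.
$qualityCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
if (Test-Path $qualityCompat) {
    $names = (Get-ItemProperty -Path $qualityCompat).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own PSPath/PSParentPath etc.
             Select-Object -ExpandProperty Name
    if ($names) {
        Write-Host "QualityCompat present; compatibility value(s) set: $($names -join ', ')"
    } else {
        Write-Warning 'QualityCompat key exists but holds no values: Windows Update will withhold security updates.'
    }
} else {
    Write-Warning 'QualityCompat key missing: nothing has declared AV compatibility; security updates will be withheld.'
}

# 2. Has anything been installed since the January 3, 2018 release?
#    Get-HotFix leaves InstalledOn empty for some packages, so guard against $null.
$sinceJan2018 = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2018-01-03' }
if ($sinceJan2018) {
    Write-Host "Updates installed on or after 2018-01-03: $($sinceJan2018.HotFixID -join ', ')"
} else {
    Write-Warning 'No update installed since 2018-01-03: the Meltdown fix is probably not on this box.'
}

# 3. Is the kernel mitigation (KVA Shadow) actually live? Microsoft's module reports it.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
# The cmdlet prints a narrative and returns a settings object; keep only the object.
$sc = Get-SpeculationControlSettings | Select-Object -Last 1
if (-not $sc.KVAShadowRequired) {
    Write-Host 'CPU reports it is not affected by Meltdown (CVE-2017-5754); KVA Shadow not required.'
} elseif ($sc.KVAShadowWindowsSupportPresent -and $sc.KVAShadowWindowsSupportEnabled) {
    Write-Host 'KVA Shadow present and enabled: Meltdown mitigation is active.'
} elseif ($sc.KVAShadowWindowsSupportPresent) {
    Write-Warning 'KVA Shadow is installed but NOT enabled (common on Windows Server, where it is opt-in).'
} else {
    Write-Warning 'KVA Shadow support is absent: the patched kernel is not installed.'
}

# 4. Server opt-in switch (assumption: FeatureSettingsOverride=0 and
#    FeatureSettingsOverrideMask=3 enable both mitigations, per Microsoft's server guidance).
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mmProps = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
if ($null -ne $mmProps.FeatureSettingsOverride) {
    Write-Host ("FeatureSettingsOverride={0} FeatureSettingsOverrideMask={1}" -f `
        $mmProps.FeatureSettingsOverride, $mmProps.FeatureSettingsOverrideMask)
} else {
    Write-Host 'FeatureSettingsOverride not set (client default: mitigations on; server default: off).'
}
```

Run it on a representative workstation and on a server before trusting a fleet-wide "patched" count: the three checks fail independently (no compatibility value, no update installed, mitigation installed but disabled), and a box can pass the first two and still be running with KVA Shadow off.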

Remember how WannaCry spread like wildfire across unpatched Windows 7 systems in May 2017? This raises the spectre of millions of machines going unpatched and becoming the victims of the next North Korean malware epidemic.

Redmond states it is working with AV software vendors to resolve the issue. This is not going to be easy, because AV tools that make these kernel calls may depend on them entirely to function. Some developers are cooperating; others are throwing a fit because their product has basically stopped working and needs a serious redesign.

InfoSec researcher Kevin Beaumont has posted a write-up of the technical background, and it is a must-read!


“Microsoft is caught between a rock and a hard place on this one,” Graham Cluley wrote in a blog post. “The last thing they want to do is roll out an update that causes computers to crash. It's a painful decision, but if they can determine which computers don't appear to be running a ‘safe’ anti-virus program then they're probably right not to push out security updates to that PC.”

Beaumont said: “This has been incredibly messy for everybody involved. My belief is organizations shouldn’t rush these patches out. They need to carefully test and see where they need to mitigate the vulnerability.”

I agree, but all this can leave many of your workstations open to immediate compromise and allow bad guys using a simple phishing attack to go lateral in your network. I strongly recommend rolling out an immediate security awareness training campaign to all your users because of the current exposure.

Free Phishing Security Test

Did you know that 91% of successful data breaches started with a spear-phishing attack?

Cyber-attacks are rapidly getting more sophisticated. We help you step your employees through new-school security awareness training to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone with our free test.
