Last week, Microsoft issued the January 2018 cumulative security fixes. Although the media focus has been around the “Meltdown” and “Spectre” CPU fixes, these patches also include a range of important security fixes — including patches to the SMB server.

These updates came with many caveats, and the Microsoft knowledge base articles have had extensive edits since publishing. There are some really important things you should know before trying to apply the patches.

The main thing to know is that the January patches, and as things stand all future security patches, will not install unless antivirus vendors take action — and some don’t want to, or feel they cannot.

Microsoft require your Anti-Virus provider to certify compatibility

There is a problem where some anti-virus vendors are using techniques to bypass Kernel Patch Protection by injecting a hypervisor which they use to intercept syscalls and make assumptions about memory locations — memory locations which are now changing with the Meltdown fixes.

To be honest, some of the techniques are similar to ones used by rootkits — Kernel Patch Protection was introduced by Microsoft a decade ago to combat rootkits, in fact. Because some anti-virus vendors are using very questionable techniques, they end up causing systems to ‘blue screen of death’, i.e. get stuck in reboot loops. This shouldn’t be possible in the latest operating systems, but some anti-virus vendors have managed it by taking themselves into the hypervisor — or “hardware assisted”, as you’ll sometimes read in marketing material. Anti-Virus makers really shouldn’t be messing with systems like this.

In order to combat this, Microsoft have requested that Anti-Virus vendors add a registry key every time they start up, to certify that their product works with the CPU fixes:

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

You’ll find this bit very important:

“Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets the following registry key”

Until Anti-Virus makers add this registry key, you don’t get any security fixes.

Please note not only does this impact Windows Update, it also impacts Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM).

To remind you: if you don’t get this right — for example, your antivirus provider fails to set the key, your antivirus license has expired, or antivirus is simply broken on a PC — no further security updates will install, and you “will not be protected from security vulnerabilities”, in the words of Microsoft.

To make matters worse, in WSUS and SCCM, PCs and servers show the patches as Not Applicable/Not Required, making it look like systems are fully patched. They aren’t.
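Because WSUS and SCCM report the patches as Not Applicable rather than as missing, the only reliable way to know why a machine is not being offered the January updates is to look at the registry directly. The script below is an added example written for this post; it is not code from Microsoft or from any antivirus vendor. It reads the compatibility value on the local machine (and, optionally, on a list of remote machines over PowerShell Remoting) and reports whether each one is eligible to be offered the January 2018 updates. The key path and the GUID value name are taken from the linked Microsoft article KB4072699 rather than from this post, so verify them against that article before relying on the output; the computer names in the usage line at the bottom are placeholders.

```powershell
# Added example for this post, not code from Microsoft or from any antivirus vendor.
# Reports whether the QualityCompat registry value that KB4072699 requires antivirus
# vendors to set is present, so a "Not Applicable" result in WSUS/SCCM can be traced
# to its real cause (no compatibility key) instead of being mistaken for "patched".

function Test-QualityCompatKey {
    [CmdletBinding()]
    param()

    # Path and value name as documented in KB4072699 (assumption: taken from that
    # article, not from this post). Kept inside the function so the whole function
    # can be shipped to a remote session with Invoke-Command unchanged.
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        KeyPresent         = $false
        ValuePresent       = $false
        ValueData          = $null
        EligibleForJan2018 = $false
        Error              = $null
    }

    if (Test-Path -Path $keyPath) {
        $result.KeyPresent = $true
        $item = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $valueName)) {
            $result.ValuePresent = $true
            $result.ValueData    = $item.$valueName
            # KB4072699 specifies a REG_DWORD with data 0x00000000; anything else
            # is treated as "not set correctly" rather than as eligible.
            $result.EligibleForJan2018 = ($result.ValueData -eq 0)
        }
    }

    [pscustomobject]$result
}

function Get-QualityCompatReport {
    # Runs Test-QualityCompatKey on each named machine via PowerShell Remoting and
    # returns one row per machine. Machines that cannot be reached are reported
    # with the error text rather than silently dropped, since a missing row would
    # look exactly like a "fully patched" machine does in WSUS.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        try {
            Invoke-Command -ComputerName $computer `
                           -ScriptBlock ${function:Test-QualityCompatKey} `
                           -ErrorAction Stop |
                Select-Object ComputerName, KeyPresent, ValuePresent, ValueData, EligibleForJan2018, Error
        }
        catch {
            [pscustomobject]@{
                ComputerName       = $computer
                KeyPresent         = $null
                ValuePresent       = $null
                ValueData          = $null
                EligibleForJan2018 = $null
                Error              = $_.Exception.Message
            }
        }
    }
}

# Local check:
Test-QualityCompatKey | Format-List

# Fleet check (placeholder computer names); list the machines that will NOT be
# offered the January 2018 updates, plus any that could not be contacted.
Get-QualityCompatReport -ComputerName 'placeholder-pc01', 'placeholder-srv01' |
    Where-Object { $_.EligibleForJan2018 -ne $true } |
    Format-Table -AutoSize
```

The script deliberately only reads the value and never writes it: the key is a vendor's certification that their product survives the kernel memory layout changes, so setting it by hand on a machine whose antivirus has not been updated turns the reporting problem described above into the reboot-loop problem. A machine that shows `EligibleForJan2018 = False` needs an antivirus engine update (or removal of an abandoned product), after which this check and the WSUS/SCCM compliance view should both change.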

Tracking Anti-Virus vendors who have added the registry key

I have made a spreadsheet to track vendors who have complied, or not, with the instructions from Microsoft:

You should look for vendors who are “Y, Y” — this means their products support the January 2018 security patch, and set the compatibility registry key.

In the case of some antivirus vendors, it has been a bumpy road. E.g. with Symantec Endpoint Protection, although engine updates now exist, Symantec recommend you don’t apply the Microsoft fixes at the time of writing: