Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows
Windows users should have received Microsoft’s patches to plug the widespread Meltdown and Spectre CPU flaws. Image: Taylor Martin/CNET
Microsoft has warned users that its patches for the dangerous Meltdown CPU bug won’t reach them if their third-party antivirus hasn’t been updated to support this week’s Windows security update.
By now Windows users should have received the patches Microsoft released yesterday to plug the widespread Meltdown bug and its companion Spectre, which expose most computers and phones to speculative execution side-channel attacks that affect chips from Intel, AMD, and Arm.
Microsoft released software updates for Internet Explorer, Microsoft Edge, Windows, and SQL Server, but customers will also need to apply firmware updates from their respective hardware vendors too.
Surface and Surface Book users can expect an automatic firmware update from Microsoft but those with other hardware will need to check with their vendors.
The flaws allow an attacker to use malware in user mode to reveal the contents of kernel memory, which should not normally be allowed and could result in the leakage of sensitive information, such as passwords.
But if you’re a Windows user and haven’t received Microsoft’s patches yet, Microsoft warns that the reason is your antivirus isn’t compatible with its Windows update.
Microsoft’s testing revealed a “small number” of antivirus programs are making unsupported calls into Windows kernel memory, which result in blue screen of death (BSOD) errors.
To avoid causing widespread BSOD problems Microsoft opted to only push its January 3 security updates to devices running antivirus from firms that have confirmed their software is compatible.
“If you have not been offered the security update, you may be running incompatible antivirus software and you should follow up with your software vendor,” the company explains.
“Microsoft has been working closely with antivirus software partners to ensure all customers receive the January Windows security updates as soon as possible.”
Windows 10’s built-in Windows Defender and Windows 7’s free but not built-in Microsoft Security Essentials are compatible with the update, according to Microsoft.
Unless the antivirus vendor has set a Windows registry key that provides compatibility with the update, users of the affected Windows platform will not be protected by the security updates.
Microsoft also cautions that besides Windows 7, Windows Server 2008 R2, and Windows 2012 do not have antivirus installed by default. Customers with these platforms can install Microsoft Security Essentials.
Microsoft also confirmed that its testing showed the mitigations did produce “some performance impact”, adding it would not be noticeable to most users. However, it noted that specific impact will vary by the age of the hardware and implementation by the chip vendor.
Linux kernel creator Linus Torvalds said mitigations would have at least a five percent hit on performance, but that actual impact would depend on the workload.
Microsoft yesterday released the Meltdown and Spectre fixes as part of cumulative update for the Windows 10 Fall Creators Update, labelled KB4056892, which brings the OS Build up to 16299.192.