Patch Tuesday drops the mandatory antivirus requirement after all

In the immediate aftermath of the Spectre and Meltdown attacks, Microsoft created an unusual stipulation for Windows patches: systems would only receive the fixes if they had antivirus software installed and if that antivirus software created a special entry in the registry to indicate that it's compatible with the Windows fixes.

This was due to the particularly invasive nature of the Meltdown fix: Microsoft found that certain antivirus products manipulated Windows' kernel memory in unsupported ways that would crash systems with the Meltdown fix applied. The registry entry was a way for antivirus software to positively affirm that it was compatible with the Meltdown fix; if that entry was absent, Windows assumed that incompatible antivirus software was installed and hence did not apply the security fix.

This put systems without any antivirus software at all in a strange position: they too lack the registry entries, so they'd be passed over for fixes, even though they don't, in fact, have any incompatible antivirus software.

With the patches released today, Microsoft has reverted that policy, at least on Windows 10; the telemetry data collected by Windows indicates that incompatible antivirus software is sufficiently rare as to be a non-issue, so there's no point in blocking anything.

Windows 10 includes a compatible antivirus application as a built-in part of Windows, so there's little excuse to ever be using an incompatible product or no antivirus protection at all. Windows 8.1 likewise includes compatible protection as part of the operating system. Windows 7—which apparently still includes the restriction—is the big sticking point, as it has no built-in antivirus protection of its own, meaning that users must install something to receive fixes.

Microsoft has also updated the microcode package that contains processor-level updates for Intel and AMD processors to help mitigate some of the Spectre attacks. This microcode package must still be downloaded and installed manually, and it isn't (yet) being distributed by Windows Update. But the package provides an important alternative for those who lack a motherboard firmware containing the new microcode.

The actual patches today include one fix in particular that looks important. A cryptographic flaw has been found in CredSSP (Credential Security Support Provider), Microsoft's protocol that provides authentication for both remote desktop (RDP) connections and Windows Remote Management (WinRM) connections. With this flaw, a man-in-the-middle can steal authentication data and use it to execute commands remotely. While it's not generally recommended, people often use RDP connections across insecure links to provide secure access to remote systems. This isn't the first flaw to render that practice ill-advised, but it still happens regardless.

Today's patch addresses the cryptographic issue but is complicated because both clients and servers need to update, and to be secure, servers need to reject authentication attempts from out-of-date clients. Accordingly, there are configuration options to control whether or not a server will let an out-of-date client connect, and administrators will likely want to double-check the settings themselves before deploying.
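The article leaves the "double-check the settings" step to the reader. The PowerShell audit below is an added example, not code from the article or from Microsoft: it reads the CredSSP "Encryption Oracle Remediation" policy value on the local host and reports whether the machine will still accept connections from clients that lack the fix. The registry path, the value name `AllowEncryptionOracle` and the meaning of the values 0, 1 and 2 are taken from Microsoft's published guidance for this update rather than from the article, so confirm them against the current advisory for your patch level before acting on the output.

```powershell
# Added example (not from the article): audit the CredSSP "Encryption Oracle
# Remediation" setting that decides whether this host will still talk to peers
# that lack the CredSSP fix. The key path, value name and the meaning of 0/1/2
# are assumptions drawn from Microsoft's guidance for the update, not from the
# article; verify them against the current advisory before relying on this.

$credSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$valueName  = 'AllowEncryptionOracle'

# Assumed meanings of the policy values.
$meaning = @{
    0 = 'Force Updated Clients: peers without the fix are rejected (the server-side setting the article describes as needed for a secure server)'
    1 = 'Mitigated: this host will not fall back to the vulnerable exchange as a client, but its services still accept clients without the fix'
    2 = 'Vulnerable: the insecure exchange is allowed in both directions'
}

function Get-CredSspOracleSetting {
    # Returns $null for both "key missing" and "value missing"; either means the
    # OS default for the installed patch level applies, so flag it for review.
    $item = Get-ItemProperty -Path $credSspKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Value    = $null
            Meaning  = 'Not configured: the OS default for the installed patch level applies'
            Secure   = $false   # unknown is treated as needing review, not as safe
        }
    }

    $v = [int]$item.$valueName
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $v
        Meaning  = if ($meaning.ContainsKey($v)) { $meaning[$v] } else { "Unrecognised value $v" }
        Secure   = ($v -eq 0)   # only "Force Updated Clients" rejects unpatched peers
    }
}

$result = Get-CredSspOracleSetting
$result | Format-List

if (-not $result.Secure) {
    Write-Warning "CredSSP on $($result.Computer) may still accept connections from clients without the fix; review this before relying on RDP or WinRM across untrusted links."
}
```

To run the same check across a fleet, wrap the function and the final block in `Invoke-Command -ComputerName <hosts> -ScriptBlock { ... }` and collect the returned objects; the `Secure` flag is deliberately `$false` for an unset value so that hosts still running the OS default show up in the review list rather than silently passing.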
