Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus

Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows.
Written by Liam Tung, Contributing Writer

Microsoft has warned users that its patches for the dangerous Meltdown CPU bug won't reach them if their third-party antivirus hasn't been updated to support this week's Windows security update.

By now Windows users should have received the patches Microsoft released yesterday to plug the widespread Meltdown bug and its companion Spectre, which expose most computers and phones to speculative execution side-channel attacks that affect chips from Intel, AMD, and Arm.

Microsoft released software updates for Internet Explorer, Microsoft Edge, Windows, and SQL Server, but customers will also need to apply firmware updates from their respective hardware vendors.

Surface and Surface Book users can expect an automatic firmware update from Microsoft but those with other hardware will need to check with their vendors.

The flaws allow an attacker to use malware in user mode to reveal the contents of kernel memory, which should not normally be allowed and could result in the leakage of sensitive information, such as passwords.

But if you're a Windows user and haven't received Microsoft's patches yet, Microsoft warns that the reason is that your antivirus isn't compatible with its Windows update.


Microsoft's testing revealed a "small number" of antivirus programs are making unsupported calls into Windows kernel memory, which result in blue screen of death (BSOD) errors.

To avoid causing widespread BSOD problems, Microsoft opted to push its January 3 security updates only to devices running antivirus from firms that have confirmed their software is compatible.

"If you have not been offered the security update, you may be running incompatible antivirus software and you should follow up with your software vendor," the company explains.

"Microsoft has been working closely with antivirus software partners to ensure all customers receive the January Windows security updates as soon as possible."

Windows 10's built-in Windows Defender and Windows 7's free but not built-in Microsoft Security Essentials are compatible with the update, according to Microsoft.

Unless the antivirus vendor has set a Windows registry key that provides compatibility with the update, users of the affected Windows platform will not be protected by the security updates.

Microsoft also cautions that, besides Windows 7, Windows Server 2008 R2 and Windows 2012 do not have antivirus installed by default. Customers with these platforms can install Microsoft Security Essentials.

Microsoft also confirmed that its testing showed the mitigations did produce "some performance impact", adding it would not be noticeable to most users. However, it noted that the specific impact will vary by the age of the hardware and implementation by the chip vendor.

Linux kernel creator Linus Torvalds said mitigations would have at least a five percent hit on performance, but that actual impact would depend on the workload.

Microsoft yesterday released the Meltdown and Spectre fixes as part of a cumulative update for the Windows 10 Fall Creators Update, labelled KB4056892, which brings the OS Build up to 16299.192.
