Is your meltdown fix working?

So by now you have patched everything you own because you read about meltdown and spectre. You are exhausted, but feel pretty good about yourself. After all, some of those beasties had a lot of uptime and other stuff happened when you rebooted them.

But is it really working? Well, it turns out, your Anti-Virus might be disabling the fix.

First an op-ed note. We are past Anti-Virus. If you think that is doing you any good, well, its not. Don’t believe me? Next time you get some spammy email with an attachment (word/zip/pdf, whatever), submit it to¬† I guarantee that attachment is a virus. I guarantee that few of the Anti-Virus tools will catch it. So don’t feel more secure because you paid $19.99 @ BestBuy 4 years ago for something with a Norton sticker on the front.

OK, rant-off. It turns out that on Windows, many Anti-Virus products essentially act as a rootkit, injecting a hypervisor of sorts to intercept system calls. And, it turns out, these break Microsoft’s fix for meltdown. And to avoid a customer support nightmare, Microsoft’s fix will disable itself until the Anti-Virus is updated (and other Windows updates won’t occur either!). We’ve got folks like Symantec recommending to *not* patch for meltdown as a consequence.

There’s a set of registry keys (naturally) to:

  1. indicate if your Anti-Virus is up-to-date
  2. enable the fix
  3. disable the fix

You can see the details here. But, IMHO, the thing this creates, is a way for malware vendors to *disable* not only this fix, but future ones. Eg can you not see malware doing:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

Seems obvious now.

So, ask yourself, now that i’ve finished all the patching, do I (still) feel lucky?






Leave a Reply

Your email address will not be published. Required fields are marked *