In the immediate aftermath of the Spectre and Meltdown attacks, Microsoft added an unusual condition for Windows patches: systems would only receive the fixes if they had antivirus software installed and if that antivirus software created a special entry in the registry to indicate that it’s compatible with the Windows fixes.
This was due to the particularly invasive nature of the Meltdown fix: Microsoft found that certain antivirus products manipulated Windows’ kernel memory in unsupported ways that would crash systems with the Meltdown fix applied. The registry entry was a way for antivirus software to positively affirm that it was compatible with the Meltdown fix; if that entry was absent, Windows assumed that incompatible antivirus software was installed and hence did not apply the security fix.
This put systems without any antivirus software at all in a strange position: they too lack the registry entries, so they’d be passed over for fixes, even though they don’t, in fact, have any incompatible antivirus software.
With the patches released today, Microsoft has reverted that policy, at least on Windows 10; the telemetry data collected by Windows indicates that incompatible antivirus software is sufficiently rare as to be a non-issue, so there’s no point in blocking anything.
Windows 10 includes a compatible antivirus application as a built-in part of Windows, so there’s little excuse to ever be using an incompatible product or no antivirus protection at all. Windows 8.1 also includes compatible protection as part of the operating system. Windows 7—which apparently still includes the restriction—is the big sticking point, as it has no built-in antivirus protection of its own, meaning that users must install something to receive fixes.
Microsoft has also updated the microcode package that contains processor-level updates for Intel and AMD processors to help mitigate some of the Spectre attacks. This microcode package must still be downloaded and installed manually, and it isn’t (yet) being distributed by Windows Update. But the package provides an important option for those who lack a motherboard firmware containing the new microcode.
The actual patches this time include one fix in particular that looks important. A cryptographic flaw has been found in CredSSP (Credential Security Support Provider), Microsoft’s protocol that provides authentication for both remote desktop (RDP) connections and Windows Remote Management (WinRM) connections. With this flaw, a man-in-the-middle can steal authentication data and use it to run commands remotely. While it’s not generally recommended, people often use RDP connections across untrusted links to provide secure access to remote systems. This isn’t the first flaw to make that use ill-advised, but it still happens regardless.
Today’s patch addresses the cryptographic issue but is complicated because both clients and servers need to update, and to be secure, servers need to reject authentication attempts from unpatched clients. Accordingly, there are configuration options to control whether or not a server will let an unpatched client connect, and administrators will likely want to double-check the settings themselves before deploying.