The race is on to patch machines against the Meltdown and Spectre CPU vulnerabilities, which affect nearly all operating systems and devices – but many organizations are lagging because Microsoft will not deliver a Windows update unless a certain registry key exists, in order to avoid serious incompatibility issues with antivirus software.
“Microsoft has acknowledged the update has incompatibility issues with third-party AV software and AMD processors, and has restricted delivery of the update accordingly,” explained Barkly researcher Jonathan Crowe, in a blog on the subject. “Specifically, it has made delivery of the Windows security updates contingent on the presence of a special registry key, which it has instructed all AV vendors to add to customer devices only after they've confirmed their products are compatible and won't cause system crashes.”
This is having real consequences: A Barkly survey of IT and security pros responsible for managing security updates at their organizations found that at half of the organizations, less than 25% of machines have received the update.
Further, 26% of respondents say they don't have any machines that have received the update, a week after it was first made available.
However, the onus to communicate the issue has been placed on the AV providers, which have done varying degrees of outreach on the issue: Only 42% of respondents in the survey said their AV vendor notified them regarding their product's compatibility with the patch.
Further, a third of IT pros that Barkly surveyed weren't fully aware of AV incompatibility issues, and nearly half (46%) weren't fully aware that Microsoft is requiring them or their AV vendor to create a registry key.
“This has created a lot of confusion, especially since the response from AV vendors has varied, with some setting the registry key for their customers and others recommending users set it themselves, manually,” Crowe said. “The situation only gets more complicated considering many organizations have more than one AV solution installed.”
Nevertheless, 64% say they were able to determine their AV was compatible – and just 6% reported experiencing system crashes due to the update.
In terms of setting the registry key, 25% of respondents say their AV vendor added it for them, while 20% say their AV vendor recommended that they add it themselves, manually. Of those respondents who were advised to add the registry key manually, roughly 50% say they have already done so, though 59% expressed at least some concern the action might cause issues.
“In addition to creating confusion, these issues have made it frustratingly difficult for organizations to confirm whether or not their machines are in fact up to date with the latest protection from Meltdown and Spectre,” Crowe said. “Eighty percent of respondents say the update process hasn't been entirely clear, overall, and that lack of clarity is leaving many with questions and concerns. Two-thirds have expressed concern that this issue isn't fully under control.”