The hastily released Jan. 4 Windows Meltdown/Spectre patches left many AMD computer owners in a bind. Complaints started flowing in shortly after the release, with blue screen errors 0x000000C4 and 0x800F0845, and machines that stubbornly refused to start, even after undergoing normal resuscitation. Windows PCs with AMD processors got dinged, but there are also reports of Intel machines with AMD video cards malfunctioning.
Early this morning, Jan. 9, Microsoft finally acknowledged the bugs and pulled the patches for “some AMD devices.” But there are significant lingering problems, beyond the AMD bricking, that Microsoft hasn’t addressed.
Microsoft’s mea culpa, contained in KB 4073707, blames AMD:
Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.
Let the finger-pointing begin … but you have to wonder who tested the patches.
What’s been yanked
As of this morning, Microsoft has pulled the following patches “to devices with impacted AMD processors”:
- Win10 1709 KB 4056892 Build 16299.192
- Win10 1709 for ARM KB 4056892, the mysterious patch listed in the Update Catalog
- Win10 1703 KB 4056891 Build 15063.850
- Win10 1607 and Server 2016 KB 4056890 Build 14393.2007
- Win10 1511 KB 4056888 Build 10586.1356, the patch that’s only available on Enterprise and Education editions
- Win10 1507 LTSC KB 4056893, Build 10240.17738
- Win8.1 and Server 2012 R2 KB 4056895 2018-01 Monthly Rollup
- Win8.1 and Server 2012 R2 KB 4056898 2018-01 security-only patch
- Win7 and Server 2008 R2 KB 4056894 2018-01 Monthly Rollup
- Win7 and Server 2008 R2 KB 4056897 2018-01 security-only patch
Each of the related KB articles has been altered to include the warning:
Microsoft has reports of some customers with AMD devices getting into an unbootable state after installing this KB. To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors at this time.
Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. If you have experienced an unbootable state or for more information see KB4073707. For AMD specific information please contact AMD.
It isn’t clear, at least to me, whether the AMD embargo includes Intel PCs with AMD video cards.
The KB article includes links to the old — and frequently ineffective — standard methods for dealing with blue screens in Win10, Win8.1 and Win7.
The not-so-subtle subtext: AMD screwed up and Microsoft ain’t the bad guy.
The lingering problem
There’s another problem on the horizon. During testing, Microsoft encountered many blue screens associated with specific antivirus programs. In order to guard against those blue screens, Microsoft established a registry key that must be set by an antivirus program before the Meltdown/Spectre patch will be applied. I talked about the machinations last week.
In a nutshell, you have to update your antivirus program — the right antivirus program — to a very recent version so it’ll establish the registry key, allowing the Meltdown/Spectre patch to go ahead. No registry key, no patch.
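For an admin who wants to know where a given machine stands, here is an added readiness check (example code, not from the article or from Microsoft). It assumes the gating value is the one Microsoft published in its antivirus compatibility guidance, which the article refers to but does not spell out, and it uses the January KB numbers listed above.

```powershell
# Added example (not from the article): a defender-side readiness check for the
# January 2018 Meltdown/Spectre updates on the local Windows machine.
# Assumption: the gating value is the one Microsoft published in its antivirus
# compatibility guidance; the article refers to it without naming it.
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
# January 2018 KB numbers taken from the list in the article above.
$JanuaryKbs  = @('KB4056892','KB4056891','KB4056890','KB4056888','KB4056893',
                 'KB4056895','KB4056898','KB4056894','KB4056897')

function Test-QualityCompatKey {
    # True only when the value exists and is REG_DWORD 0; anything else means
    # Windows Update will withhold the cumulative update on this machine.
    $item = Get-ItemProperty -Path $CompatKey -Name $CompatValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$CompatValue -eq 0)
}

function Get-InstalledAntivirus {
    # Products registered with Security Center; empty on Server SKUs, which
    # have no Security Center, so an empty result there is not a finding.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue | Select-Object -ExpandProperty displayName
}

function Get-JanuaryPatchStatus {
    # Reports which (if any) of the January rollups/security-only patches landed.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $JanuaryKbs -contains $_.HotFixID }
    if ($installed) { return ($installed.HotFixID -join ', ') }
    return 'not installed'
}

# AMD-based machines are the ones covered by Microsoft's update pause.
$cpu = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Manufacturer
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    CpuVendor        = $cpu
    AmdPauseApplies  = ($cpu -match 'AMD')
    QualityCompatSet = Test-QualityCompatKey
    Antivirus        = ((Get-InstalledAntivirus) -join '; ')
    JanuaryPatch     = Get-JanuaryPatchStatus
}
```

A machine showing `QualityCompatSet = False` with a non-empty `Antivirus` column is the case the article describes: the installed product has not set the key, so the cumulative update will not be offered until the vendor does (or the admin sets it after confirming compatibility with the vendor).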
There’s a long litany of non-compliant antivirus software on Kevin Beaumont’s masterful master list of antivirus patch compatibility. As of early this morning, nearly two dozen antivirus manufacturers don’t set the key, including big names like F-PROT, FireEye Endpoint Security, McAfee and Trend Micro.
If you think about that for more than 30 seconds, it should be obvious that there’s a fatal flaw. Several. Ignore, for the moment, the gargantuan task of ensuring that a large enterprise has all of its antivirus software (possibly from multiple manufacturers) up to date. Instead, think about the people who can’t get their antivirus software updated for whatever reason — compatibility, or they haven’t paid the piper. Then think about those who don’t run antivirus software, or at least antivirus software that complies with Microsoft’s registry requirement. And what about those who install or uninstall new, different or even multiple antivirus scanners?
Since all of Microsoft’s patches now are cumulative (except the Win7 and 8.1 security-only manually downloaded patches), that means those who don’t pay for their antivirus product, or otherwise get thrown under the antivirus bus, won’t get any more Windows patches. Ever.
And most will never know why.