This month’s pile of Microsoft patches includes some that help to mitigate the recently-discovered Spectre and Meltdown vulnerabilities in Windows 7 and 8. Windows 10 machines received these updates last week, as soon as they were made available by Microsoft, because of course there’s no way to stop that from happening. Unfortunately for folks running some older AMD processors, the Spectre/Meltdown updates are causing Windows to crash, and Microsoft has now disabled those updates for affected computers.
It gets worse. Many antivirus products use sketchy techniques for blocking, detecting, and removing malware. Some of those activities are incompatible with this month’s Spectre/Meltdown updates for Windows. Microsoft is currently blocking those updates on computers that are missing a special registry setting: the idea is that anti-malware software will set this flag to indicate that the updates are compatible, and safe to install. On my Windows 8.1 computer, Windows Update initially did not show this month’s security-only (KB4056898) or security rollup (KB4056895) updates. That’s because (gasp) I wasn’t running any anti-malware software. To get the update, I re-enabled Windows Defender, which created the missing registry entry, and re-ran Windows Update.
There’s also a special security advisory in this month’s updates, in which Microsoft lays out the Spectre/Meltdown issue, its effect on Microsoft software, and ways to mitigate the associated vulnerabilities.
Back to our regularly-scheduled Patch Tuesday…
The January 2018 update announcement as usual contains zero useful information, serving only as a pointer to the Security Update Guide. Analysis of this month’s guide data shows that there are seventy-two updates, addressing fifty-six vulnerabilities in .NET, Internet Explorer, Edge, Office, Windows, Flash Player, Sharepoint, and SQL Server.