SectionGuard and KB4056891 (Meltdown patch)

As you might have noticed, two major security-related problems affecting CPUs have become public knowledge during the last 48 hours: Spectre and Meltdown.

These problems are partially solvable by patching your systems. Everyone is scrambling to get patches for Meltdown in place, and Microsoft has just released an urgent patch for it.

This patch has caused problems with several antivirus vendors, as their kernel drivers cause BSODs once the patch is installed. As a result, Microsoft only pushes the update to customers whose antivirus explicitly sets a certain registry key, and the antivirus vendor thereby takes responsibility for the patch being applied.

SectionGuard does not have this driver problem and is not affected by the patch.

To get the patch:

  • If you’re not running a third-party AV product that sets the key, you need to set the registry key manually
  • If you’re running a third-party AV product that sets the key, you need to upgrade your AV, and the updated AV will set the key

But as SectionGuard is not a traditional antivirus product, and can run alongside any antivirus product or none at all, we’ve decided not to set the registry key mentioned above. The dilemma is that setting it could break an incompatible third-party antivirus product you are also running.

The Microsoft patch page for KB4056891 describes the registry settings needed, should you choose to apply them manually.

Then run a regular Windows Update, and the patch will be applied.

For a comprehensive list of AV vendor support and registry key information, see the spreadsheet by Kevin Beaumont on Google Sheets.

If you want more details on the CPU exploits, there’s an excellent explanation of the security implications on The Register.

All you need to know about the DDEAuto exploit

You should be worried about the DDEAuto exploit, but more so about what’s coming next

One of the many ways hackers try to get their malware onto your computers is by sending emails containing documents with macros. By now, most savvy users know not to enable macros in documents from unknown sources.

But recently, hackers have begun using the Dynamic Data Exchange (DDE) feature, exploiting it to run commands on your computer. DDE was originally designed to exchange data between different Microsoft programs, but attackers have found a way to abuse it by adding a custom field inside a document that instructs the application to launch malicious code.

The problem exists in all of your Microsoft Office applications: Word, Excel and Access, but also inside an email you’re reading or a calendar invite.

On the good side, users currently receive a warning informing them that the file contains DDE links which may refer to other documents. But the warning is new to most users, which may trick them into pressing “Yes” instead of “No”.

Since the DDE feature is not considered suspicious in itself, traditional antivirus doesn’t block files with DDE fields. Like macros, the feature can be both good and bad, depending on who crafted the document.

Should you say “Yes” to the above, you get another warning:

Another “Yes” will quite possibly land you in a world of trouble. (The screenshot above shows a benign calc.exe test command line, so that is just “popping calc”.) Threats in the wild already obfuscate the command line to make it look innocent.
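To show what looking inside a document for these fields involves, here is a small scanner added for this post (example code, not SectionGuard’s product or anything from the original article): it opens a .docx, walks the field codes in every Word part and flags DDE/DDEAUTO instructions even when the keyword is split across several runs, which is one of the obfuscation tricks mentioned above. The sample document is constructed inline and the program it names is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

def field_instructions(xml_bytes):
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):  # simple field: whole instruction in one attribute
        yield fld.get(W + "instr", "")
    # Complex fields are runs: fldChar begin, instrText pieces, fldChar separate, result text,
    # fldChar end. Malicious files split "DDEAUTO" over pieces or nest it in another field,
    # so pieces are joined until the outermost field ends before anything is matched.
    depth, pieces = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            if el.get(W + "fldCharType") == "begin":
                depth += 1
            elif el.get(W + "fldCharType") == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(pieces)
                    pieces = []
        elif el.tag == W + "instrText" and depth > 0:
            pieces.append(el.text or "")

def scan_docx(data):
    """Return [(part name, normalized instruction)] for each DDE field in a .docx blob."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():  # body, headers, footers and footnotes all count
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(zf.read(name)):
                    if DDE_RE.search(instr):
                        hits.append((name, " ".join(instr.split())))
    return hits

def build_sample_docx(body_xml):  # constructed minimal .docx with only the part the scanner reads
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W[1:-1], body_xml))
    return buf.getvalue()

# Constructed sample: "DDE" and "AUTO ..." sit in separate runs; the program is a placeholder.
SPLIT_DDE_FIELD = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText>DDE</w:instrText></w:r>'
                   '<w:r><w:instrText>AUTO placeholder.exe "placeholder args"</w:instrText></w:r>'
                   '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>innocent text</w:t></w:r>'
                   '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
```

Running `scan_docx(build_sample_docx(SPLIT_DDE_FIELD))` reports the reassembled DDEAUTO instruction, while a document whose only field is a plain DATE field reports nothing.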

What should you do?

Basically, just say no.

But to mitigate this exploit entirely, you can disable the DDEAuto feature completely. There’s a good chance you never need it.

If you want to do this automatically, there’s a .reg file on GitHub that fixes this for several versions of Microsoft Office:

Always remember

  • Consider external files or links sent to you carefully
  • Take warning pop-ups seriously, even though they are new to you

But the worst problem still remains …

Although the current warning window raises a red flag, what if in the future attackers don’t even need that confirmation in the form of a simple “Yes” or “No”? That is the real nightmare threat.

And this is exactly why we created SectionGuard.