Microsoft says it won't fix kernel flaw: It's not a security issue. Suuuure

A design flaw within the Windows kernel that could stop antivirus software from recognizing malware isn't going to be fixed, Microsoft has said. The issue, spotted this week by enSilo security researcher Omri Misgav, lies within the system call PsSetLoadImageNotifyRoutine, which has been part of Microsoft's operating system …

  1. Anonymous Coward
    Anonymous Coward

    Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

    Here's another major flaw too.

    Could it be someone at Microsoft got their wording/digital states: 1 and 0 (true and false) mixed up? Seems so.

    For those people running Windows 10 1607 AU wondering why they haven't been offered Windows 10 1703 Creators Update, it turns out:

    Windows Settings->Update and security->Advanced Options->Defer Feature updates

    This toggle switch appears to be operating back to front. (This might sound odd that no one has noticed this before, but it does appear to be the case)

    (Check first that on your system the toggle is off (i.e. no tick in the box), the system is set "not to defer updates")

    Select 'Defer Feature updates' (i.e. place a tick in the box) then go back and check for updates, it then finds the update. (The switch operation seems to be the wrong way round).

    If you break the 1703 update process (to test) i.e. don't complete the update at this point (you'll get a failed update in your update history though), then toggle the switch off again (i.e. remove the tick in the box to 'Defer Feature updates'), when you check for updates again the 1703 update option disappears.

    Which seems to prove the switch is working opposite way to the way it should. Well done Microsoft.

    (Seems crazy to think a Company the size of Microsoft could make such a simple fundamental mistake, which has such massive consequences to the roll out of new versions of the Windows 10 OS, but these things happen).

    If this is the reason, there are so many not getting this update, that is highly embarrassing for MS, an 'egg on face' moment, especially given they've been quite coy regards the latest figures for number of active installs of Windows 10.

    MS are not going to get many 1703 upgrades in the interim before 1709, if they have all been 'deferred'. But maybe MS saw it as a way of dealing with complaints of 'upgrade overload', to give users/consumers a break.

    1. Anonymous Coward
      Anonymous Coward

      Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

      A last minute "hack" by MS to Delay feature updates? (Make "Defer Updates" the norm).

      Maybe done to appease AV vendors like Kaspersky?

    2. Alpc

      Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

      Have been wondering why my Surface Pro 4 has not got the Creators Update even if my aging HP laptop has. Will try this, see what happens and come back if it works (or doesn't).

      1. Len Goddard

        Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

        Damnit - that's why it wouldn't stop bugging me. I want to defer feature updates for a few months to let other people find all the problems for me.

        1. Rattus Rattus

          Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

          So I need to set "Defer" to "Off" to make Windows stop nagging me to install a pointless update that I really don't want?

    3. Alpc

      Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

      Can't believe this. Followed your instructions and Feature update to Windows 10, version 1703 has, finally, shown up! Will the install complete? Don't know yet. I'll be back!

    4. Alpc

      Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

      Hey thanks Adam - by deferring the feature update, I've finally managed to get my Surface Pro 4 running the 1703 update.

      Seems you may well be right. Microsoft does indeed appear to have messed up.

      Would love to know how many others are still stuck in the Win 10 1607 black (or maybe blue) hole because of this. Well, now there's a way for them to get Win 10 1703.

      PS ElReg, this could be a story for you.

      1. Anonymous Coward
        Anonymous Coward

        Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

        I couldn't believe they'd get something so fundamental wrong, but yes I deferred feature updates to get the feature update, and my machine upgraded.

        I have also found Office 365 much buggier than Office 2016.

        This must be a new strategy - alpha is now beta, and what was beta is now gold.

        1. Camilla Smythe

          I have also found Office 365 much buggier than Office 2016.

          No Shit Sherlock.

          What part of Office 365 having a lower version number than Office 2016 did you miss?

        2. Anonymous Coward
          Anonymous Coward

          Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

          Next Question...

          How many of those Privacy/Telemetry settings in Windows 10 1607 work back to front too?

          1. Anonymous Coward
            Boffin

            Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

            BOOLEAN EnableExtendedTelemetryGathering(BOOLEAN enable);

            Parameters

            enable - set to TRUE to enable extended telemetry gathering. Set to FALSE to not disable extended telemetry gathering.

            Return value

            The current extended telemetry gathering enabled setting. Always TRUE (enabled).

            Remarks

            Versions of Windows may elect to not honour the enable flag. To check whether extended telemetry information is being gathered from your machine and uploaded to Microsoft, we advise to check whether your machine is made by Apple and whether it is connected to the internet. If the results of this check is 'no' and 'yes', then all your data is belong to us.

          2. Kiwi
            Trollface

            Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

            How many of those Privacy/Telemetry settings in Windows 10 1607 work back to front too?

            FTFY

    5. EddieD
      Pint

      Re: Facepalm! Windows 10 1607 Anniversary Update "Defer Updates" setting is back to front.

      ------------------------------------------------------------------------------------->

      With thanks!

      (EDIT: I just had the bizarre thought that maybe that flip is how they're limiting the rollout of Creators, folk think that they're set to auto-update, but a hidden setting somewhere is reversing the logic)

  2. Version 1.0 Silver badge

    Design flaw?

    This sounds more like a feature that No Such Agency might have requested.

    1. Destroy All Monsters Silver badge

      Re: Design flaw?

      It's Obi-Wan Feature

      "This is not the executable you are looking for"

  3. Joe Dietz

    To anybody that actually writes AV scanner code for a living, this isn't news and really isn't a problem and even if it was fixed wouldn't actually save anybody any work since released bugs/features still have to be worked around on back-rev platforms since folks aren't terribly bought into 'windows as a service' quite yet.

  4. jelabarre59

    Next release

    They really seriously promise to fix it in MSWin 11... Oh, wait...

  5. Anonymous Coward
    Anonymous Coward

    So since Microsoft are not concerned about the security of windows,

    does this mean that they will compensate anyone who has/will lose money because of this issue.

    Headline should read MS know about the issue but just don't care

    1. Anonymous Coward
      Anonymous Coward

      Re: So since Microsoft are not concerned about the security of windows,

      compensation?

      Are you smoking something very illegal?

      The very, very, very small print of the EULA clearly (sic) tells you that you can't sue MS for anything, anywhere or anytime.

      Don't you get it?

      MS thinks they are a GOD (other deities exist). They are above the law (Billy C film excepting).

      1. JulieM Silver badge

        Re: So since Microsoft are not concerned about the security of windows,

        But the bigger print says "Your statutory rights are not affected". The EULA cannot take away any rights given to you by the Law of the Land; it can only give you permission above and beyond those rights. There's a good case to be made that this sort of security hole makes an operating system unfit for purpose, especially as it was "bought blind" without a full description (the Source Code).

        1. oldcoder

          Re: So since Microsoft are not concerned about the security of windows,

          They already covered the "unfit for purpose" in the warranty.

          There is no warranty that it is "fit for any purpose"....

          From the EULA:

          "The manufacturer or installer, and Microsoft, exclude all implied warranties and conditions, including those of merchantability, fitness for a particular purpose, and non-infringement. If your local law does not allow the exclusion of implied warranties, then any implied warranties, guarantees, or conditions last only during the term of the limited warranty and are limited as much as your local law allows. If your local law requires a longer limited warranty term, despite this agreement, then that longer term will apply, but you can recover only the remedies this agreement allows."

          So you get nothing more than what you paid for it...

          1. Zippy's Sausage Factory
            Devil

            Re: So since Microsoft are not concerned about the security of windows,

            There is no warranty that it is "fit for any purpose"....

            From the EULA:

            The key phrase is "limited as much as your local law allows". If that flaw is used in malware, someone's banking is compromised because of said malware, and money is stolen, then where would the responsibility be?

            Or let's try another example, shall we? What if said malware is used by Russian or Chinese hackers against the American security services? Do we think Microsoft might suddenly care about the flaw then?

          2. Anonymous Coward
            Anonymous Coward

            Re: So since Microsoft are not concerned about the security of windows,

            Which under UK law would be illegal. It must be 'fit for purpose' and trying to disclaim that may well be a criminal offence under the Fair Trade Act.

            1. Cynic_999

              Re: So since Microsoft are not concerned about the security of windows,

              "

              Which under UK law would be illegal. It must be 'fit for purpose' and trying to disclaim that may well be a criminal offence under the Fair Trade Act.

              "

              Sure, but does having a vulnerability for a very small subset of malware mean that it is "unfit for purpose"? And if so, is it the OS or the antivirus software that is "unfit"?

              Does the fact that your car is vulnerable to a determined saboteur (who could e.g. crawl underneath and cut your brake lines) make your car "unfit for purpose"?

              1. Kiwi
                Trollface

                Re: So since Microsoft are not concerned about the security of windows,

                Does the fact that your car is vulnerable to a determined saboteur (who could e.g. crawl underneath and cut your brake lines) make your car "unfit for purpose"?

                I think in this case it's not so much "crawl underneath" as "the brake lines are fully exposed, already in the jaws of the cutters, with a big 'please push' sign on the handle".

          3. Hans 1

            Re: So since Microsoft are not concerned about the security of windows,

            So you get nothing more than what you paid for it...

            And how much did you pay for Windows 10 ?

            1. Kiwi
              Holmes

              Re: So since Microsoft are not concerned about the security of windows,

              So you get nothing more than what you paid for it...

              And how much did you pay for Windows 10 ?

              Depends. For those who've lost productivity or data, it can be hundreds or thousands of dollars.

              For those unfortunates who've lost family photos and other stuff, the loss is priceless.

        2. Hans 1

          Re: So since Microsoft are not concerned about the security of windows,

          The EULA cannot take away any rights given to you by the Law of the Land; it can only give you permission above and beyond those rights.

          Ahhh, ok ... from the EULA:

          If your local law allows you to recover damages from the manufacturer or installer, or Microsoft, even though this agreement does not, you cannot recover more than you paid for the software (or up to $50 USD if you acquired the software for no charge).

          1. The Indomitable Gall

            Re: So since Microsoft are not concerned about the security of windows,

            " Ahhh, ok ... from the EULA:

            If your local law allows you to recover damages from the manufacturer or installer, or Microsoft, even though this agreement does not, you cannot recover more than you paid for the software (or up to $50 USD if you acquired the software for no charge). "

            Which is equally meaningless, because if local law allows you to recover damages, it allows you to recover damages, and it's extremely rare that the damages caused will be limited to the price of the original product bought....

          2. JulieM Silver badge

            Re: So since Microsoft are not concerned about the security of windows,

            If the Law of the Land says a software vendor cannot limit claims for consequential damages, then they can print whatever they like in the EULA and it won't make a blind bit of difference.

            Well, no difference unless they get criminal charges brought against them for misrepresentation, anyway.

  6. Anonymous Coward
    Trollface

    You are spoiling us Mr El Reg

    Another 2 minute hate on MSFT. What a time to be alive!

    1. Boris the Cockroach Silver badge
      Trollface

      Re: You are spoiling us Mr El Reg

      I've been hating m$ for a lot longer than 2 mins

      And for many good reasons

    2. FuzzyTheBear
      Coat

      Re: You are spoiling us Mr El Reg

      Come on bud , catch up with the times

      MS hate is a long forgotten thing in the distant past , Totally out of fashion !

      Now .. it's Oracle :)

      Speaking of which , time for my Oracle Anonymous meeting ..

      " i have admitted that Oracle is a problem , that i lost control of my database " LOL

    3. Anonymous Coward
      Anonymous Coward

      Re: You are spoiling us Mr El Reg

      Another 2 minute hate on MSFT. What a time to be alive!

      And yet here you are again, with the best seat in the audience.

    4. David Nash Silver badge

      Re: You are spoiling us Mr El Reg

      "Another 2 minute hate"

      "Hate" is a verb. Try again.

  7. 9Rune5
    Paris Hilton

    So the thing is already on my system, and...

    "Essentially, malware can use the above API to trick the OS into giving malware scanners other files"

    Uhm, so at this point the malware code has already been loaded and has ...essentially... started executing?

    I.e. the train has already left the station? The chicken left the coup? Horse is out of the stable? Paris is already on top?

    I think I will have to side with MS on this one. This bug does not help or hinder me when it comes to protecting my system. The whole point must be to keep malware from getting this far into any system.

    1. Anonymous Coward
      Anonymous Coward

      Re: So the thing is already on my system, and...

      "i.e. the train has already left the station? The chicken left the coup? Horse is out of the stable? Paris is already on top?"...

      Except Microsoft is ignoring zero day exploits / Security Service exploits that aren't in the public domain, where there is no stable door, gets set to work and pull up the drawbridge, with part of the "invisible cloaking" code batting away the malware scanners that attempt to probe.

      Iain Thompson is right/correct.

    2. Anonymous Coward
      Anonymous Coward

      Re: The chicken left the coup

      Sapristi!

      Traitor to the chicken revolution.

      Rise up chickens, you have nothing to lose but your coop

  8. John Smith 19 Gold badge
    WTF?

    " this does not pose a security threat"

    Translations

    "The developer who wrote it is now the person who reviews code to decide if they need a re-write as a security threat. He says it isn't and he wrote it."

    "We are unable to locate the source code at this time for review, but we're pretty sure it's all good."

    "We did a ground-up rewrite of Windows after all our devs had secure coding training. It is therefore logically impossible that this code has a fault."

    "Since no exploit code was included with the information they provided we conclude it cannot be exploited."

    Take your pick. All of them are more honest, although like the original the response is pathetic.

    1. PeterM42
      Facepalm

      Re: " this does not pose a security threat"

      So absolutely NOTHING can go wrong

      go wrong

      go wrong

      go wrong

      go wrong

      go wrong

      go wrong

      go wrong

      go wrong

    2. amanfromMars 1 Silver badge

      Re: " this does not pose a security threat"

      "Since no exploit code was included with the information they provided we conclude it cannot be exploited."

      Hi, John Smith 19,

      Cannot be exploited maliciously renders the coding as near perfect as is possible in humans. Does Microsoft run such code or merely host IT for A.N.Others?

      And is it a Persistent Advanced Cyber Treat and a Practically Real Threat to Current Ancient Running Systems?

      Does Microsoft have Golden Geese laying Fabergé Eggs.

  9. Trollslayer
    Childcatcher

    Security problem? Not for security agencies

    Nice way to hide their spyware.

  10. Anonymous Coward
    Anonymous Coward

    Typical Microsoft

    Typical Microsoft. It's no wonder people are sick to death of using their substandard software.

    Typical JJ too, with his MS fact sheet on "haterz" (as though MS "hating" is actually a real thing and not just a PR cover story for their crap software and even worse attitude).

    1. Solmyr ibn Wali Barad

      Re: Typical Microsoft

      "as though MS "hating" is actually a real thing"

      It's neither here nor there. Most techies (myself included) have had a long love-hate relationship with MS. Can't live with them, can't live without. In other words, it's an abusive relationship.

      As it happens with abusive partners, there is no standard way of coping with the situation. Some people have stood up and left. Some have succumbed to the abuse and became slaves^W true believers. Some have decided to stay around, rather begrudgingly, for a greater purpose like caring for innocents.

  11. Teiwaz

    Possibly....

    A design flaw within the Windows kernel that could stop antivirus software from recognizing malware isn't going to be fixed

    Obvious Reason: If they fixed the code, the Windows kernel would identify most of the rest of Windows as malware.

  12. J. R. Hartley

    That's the spirit!

  13. jacksmith21006

    Will NOT fix Edge security flaw from yesterday. Edge should be avoided as it was hacked at will at Pawned 2017. Penetrated over and over again. Only browser unhackable in time allotted was Chrome.

    But more than anything Edge should be avoided!

    1. Anonymous Coward
      Anonymous Coward

      Pawned 2017?

      What's this, the largest annual gathering of pawn shops? I'm sure the kind of chrome bought and sold there are harder to crack.

  14. Anonymous Coward
    Devil

    Let's have some sympathy for Windows developers

    They have a large backlog of slurpingtelemetry features to add to the kernel, they have no time to fix the bugs, or Nadella fires them if he doesn't see the user data database filling quickly enough.

  15. Vanir

    Design flaw?

    So PsSetLoadImageNotifyRoutine was designed to behave as the researcher described?

    So what is the specification for PsSetLoadImageNotifyRoutine?

    Did the coder(s) responsible for implementing PsSetLoadImageNotifyRoutine have a spec and design?

    Did the coder(s) responsible for implementing PsSetLoadImageNotifyRoutine test their implementation against the spec and design?

    And what about code reviews, unit testing etc?

    Perhaps Maleficent Software needs not the Enlightenment of Software Engineering.

    1. amanfromMars 1 Silver badge

      Re: Design flaw? .... and Imperfect Phormations

      Perhaps Maleficent Software needs not the Enlightenment of Software Engineering. .....Vanir

      The Engagement of Software Engines in Command to Control Systems is an AI Design Floor/Platform for Quantum Controlled Networks InterNetworking Command with Control Systems via Remote Virtual Access Points/Nodes/Modules/Pods.

      1. amanfromMars 1 Silver badge

        Re: Re: Design flaw? .... and Imperfect Phormations

        And it targets Space AI Dependencies with IMPerfect AIdDictions...... with the following Feed Cash Cow in ITs Sights for Virtuous Training in Virtual Trading ........

        “The US is more dependent on space than any other nation. Yet the threat to the US and its allies in and from space does not command the attention it merits,” warned the commission. “Those hostile to the US can acquire on the global market the means to deny, disrupt or destroy US space systems by attacking satellites in space, communication links to and from the ground or ground stations that command the satellites and process their data.” ... https://www.rt.com/news/402927-space-weapons-treaty-us/

  16. Anonymous Coward
    Anonymous Coward

    You know what you get

    Windows has been a security Swiss cheese since release 1.0.

    If you're using MS products you don't care about security or stability.

    1. Kiwi
      Trollface

      Re: You know what you get

      Windows has been a security Swiss cheese since release 1.0.

      It is not right to compare MS security to swiss cheese. If you were to try and push a probe through swiss cheese there is a very good chance the cheese would stop the probe going very far. OTOH, if you were to try to probe MS's security you would find nothing resists your attempts.

  17. Teiwaz

    Microsoft Cheese Emporium

    "Have you any Microsoft Emmentaler?"

    "It's a bit runny. Actually, it's very runny, even the cat wouldn't touch it."

  18. Will Godfrey Silver badge
    Facepalm

    Translation

    We've pissed-off/sacked all our half decent coders, so there's nobody left who can fix it.

    1. Kiwi
      Coat

      Re: Translation

      We've pissed-off/sacked all our half decent coders, so there's nobody left who can fix it.

      Not to mention replacing the entire testing/quality assurance staff with a bit of BASIC AI....

      [code]

      10 CLS

      20 PRINT "AI TEST RESULT"

      30 PRINT "AI SEZ DIS HAZ QUALYITY"

      40 GOTO 10

      [/code]

  19. Sil

    In the article

    Update 9/9 4:50 PM ET:

    Given the recent attention to this post, we’ll release the 2nd part very soon. It details a workaround for this bug, again, NOT A VULNERABILITY.
