Microsoft appears to be pushing for security changes to Windows and greater cooperation with its cyber security partners, after a global outage saw around 8.5 million computers crash due to a bug in a software update released by security company CrowdStrike.
CrowdStrike’s security code runs at the kernel level in Microsoft's Windows — a core part of the operating system which has a high level of access to things like hardware and system memory.
This deep access means CrowdStrike’s Falcon security software can better detect threats across a computer system, but it can crash Windows computers if it runs into major issues.
That’s exactly what happened in the major Windows outage on 19 July, and now Microsoft appears to be shifting its security tactics.
John Cable, vice president of Windows servicing and delivery at Microsoft, wrote in a blog post that the CrowdStrike incident showed “Windows must prioritize change and innovation in the area of end-to-end resilience”.
“These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners,” he said.
Cable pointed to a new feature called VBS enclaves (which “does not require kernel mode drivers to be tamper resistent [sic]”) and improvements to Microsoft’s Azure cloud service as examples of recent security improvements.
“These examples use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access,” he said.
“We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community.”
CrowdStrike blamed the recent outage on an issue in its testing software, which allowed a bug to be released, causing Falcon to malfunction.
Cable said 5,000 Microsoft support engineers had been working around the clock since the outage “to help bring critical services back online”.
“Our focus continues to be on helping our customers recover from this incident,” he said.
“We will practice transparency in sharing learnings, best practices, and, eventually, more detailed discussions that include changes designed to strengthen the broader ecosystem moving forward.”
The outage which began on 19 July impacted around 8.5 million computers running Microsoft's Windows. Photo: Shutterstock
Microsoft releases deep dive into outage
On Saturday, Microsoft shared a technical overview of the Windows outage caused by CrowdStrike's software update, written by its vice president of enterprise and OS security, David Weston.
Weston confirmed in the post that Microsoft agreed with CrowdStrike’s analysis that the outage was the result of “a read-out-of-bounds memory safety error”, caused by CrowdStrike’s software trying to access a place in each computer’s memory which it was not supposed to.
Weston explained that security systems often used kernel access because of its performance, tamper resistance, and its visibility across a computer system, but said Microsoft was working to reduce the need for kernel access.
“It is possible today for security tools to balance security and reliability,” he said.
“For example, security vendors can use minimal sensors that run in kernel mode for data collection and enforcement limiting exposure to availability issues."
Weston said Microsoft would work with security companies to “modernise their approach, helping to support and even increase security along with reliability”.
He said this would include things such as “providing safe rollout guidance", “technologies to make it safer to perform updates” and “reducing the need for kernel drivers to access important security data”.
Kernel access a recurring issue
Microsoft has previously attempted to stop third parties from having access to the Windows kernel.
The company tried to restrict kernel access in Windows Vista in 2006 using a feature called PatchGuard, but European Union regulators and cyber security companies pushed back.
Antivirus firms McAfee and Symantec were among the companies which opposed the changes, and argued it would have prevented them from delivering the protection they sought to provide.
Microsoft backed down in October 2006, and said it would allow access to the kernel for security monitoring.
Apple’s desktop operating system macOS allows programs to run what are known as system extensions, which don’t require kernel access.
The latest version of CrowdStrike’s Falcon runs as a system extension on macOS Big Sur and later, which meant Apple computers did not fall victim to the recent outage.
A Microsoft spokesperson reportedly told the Wall Street Journal that the tech giant could not legally wall off its operating system like Apple does due to an understanding it previously reached with the European Commission, following a complaint.
In 2009, Microsoft agreed with a European Commission decision to give security vendors the same level of access to Windows that Microsoft has, as part of a push for greater interoperability.
