Following CrowdStrike’s unprecedented global IT outage, Microsoft has signalled changes for how it will allow security vendors to interact with the Windows kernel.
For decades, Microsoft has allowed certain third-party applications on Windows to access the kernel – the software at the core of the entire operating system (OS).
In July, US cyber security company CrowdStrike released a botched software update for one of its popular security products – which in turn caused ‘blue screens of death’ on Microsoft devices across the planet.
The event was described as the largest IT outage in history, and in August, CrowdStrike published a jargon-riddled root cause analysis which confirmed that an error affecting files processed at the Windows kernel level was to blame.
The severity and scale of the outage led Microsoft to host a security summit at its headquarters in Washington during which it invited CrowdStrike, key security partners, and government representatives to discuss “concrete steps” it could take to “improve security and safe deployment practices” for its clients.
During the summit, which took place on 10 September, Microsoft discussed “new platform capabilities” it plans to make available in Windows, with vice president of enterprise and OS security David Weston forecasting more security capabilities.
“Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode,” said Weston.
“At the summit, Microsoft and partners discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors.”
Microsoft and partners also discussed “performance needs and challenges outside of kernel mode”, as well as potential “security sensor requirements” – which is notable given the CrowdStrike outage involved a sensor product with kernel access.
Microsoft said its next step will be to “design and develop” the new out-of-kernel capability with “input and collaboration from ecosystem partners”, and that it plans to pursue “enhanced reliability” without sacrificing security.
CrowdStrike has meanwhile revealed its initial damage bill from the outage, with the company set to pay affected customers tens of millions of dollars.
Security experts welcome changes
Microsoft last tried to restrict access to the Windows kernel in 2006 when it rolled out its universally panned, security-focused OS, Windows Vista.
At the time, European Union regulators and cyber security companies rebuffed the change, with antivirus firms McAfee and Symantec famously arguing the changes would have interfered with their ability to deliver their services.
This time around, security vendors seem far more supportive of Microsoft’s coming changes.
“Responsible security starts with vendor’s architecture, coordination with the ecosystem, and prioritisation of resilience for all,” said Karan Sondhi, chief technology officer of cyber security company Trellix.
Kevin Simzer, chief operating officer of cyber security company Trend Micro, applauded Microsoft for “opening its doors” to collaboration with endpoint security leaders, while CrowdStrike competitor SentinelOne said it was “fully committed” to helping Microsoft’s goal of “reducing the chance of future events like the one caused by CrowdStrike”.
CrowdStrike itself voiced support of Microsoft’s efforts, with company vice president Drew Bagley saying CrowdStrike “appreciated the opportunity to join these important discussions with Microsoft and industry peers on how best to collaborate in building a more resilient and open Windows endpoint security ecosystem”.
Microsoft further encouraged its customers to “increase resiliency” in their current deployments by adopting business continuity planning, backups and major incident response plans.
Gamers and Linux users jump the gun
While the tech giant first signalled plans to reduce the need for kernel access in July, The Verge speculated that Microsoft was in the early stages of designing a security platform which could move vendors such as CrowdStrike out of the kernel altogether.
Such a change would not only require extensive changes to how security vendors and antivirus software deliver and maintain their solutions, but would also have a knock-on effect for gamers, who have long lamented that mandatory anti-cheat software operates at the kernel level.
Anti-cheat tools, such as Riot Games’ ‘Vanguard’, are designed to prevent PC players from using exploits or unapproved third-party tools while gaming online.
These tools typically rely on the kernel to detect such exploits, which has caused long-standing privacy and security concerns in gaming circles, since code running at that level has the same unrestricted access as the operating system itself.
“The issue with Vanguard, and with any program that runs in kernel mode, is that they have access to everything and power to do anything, for good or for bad,” said Reddit user Glittering-Spite234.
“Running in kernel mode on your computer is every hacker's dream.”
On social media site X, gamers celebrated that Microsoft’s latest announcements could impact anti-cheat tools and enable more games to run on Linux systems – which are typically incompatible with kernel-level anti-cheat tools.
But as Linux users spruiked a coming shift in the gaming market, dissenters were quick to point out Microsoft’s plans are not set in stone.
“It remains imperative that kernel access remains an option,” said European cyber security company ESET, which attended Microsoft’s summit.
Information Age meanwhile asked Microsoft for further clarity on whether kernel access would be entirely removed but was told there was no further information available at this time.