Microsoft calls for Windows change, resilience after CrowdStrike outage


Microsoft is still helping CrowdStrike clean up the mess that started a week ago when 8.5 million PCs went offline due to a buggy CrowdStrike update. Now the software giant is calling for changes to Windows and has dropped some subtle hints that it is prioritizing making Windows more resilient and is willing to pressure security vendors like CrowdStrike to stop accessing the Windows kernel.

Although CrowdStrike blamed a bug in its testing software for its failed update, its software runs at the kernel level – the central part of an operating system that has unrestricted access to system memory and hardware – so if something goes wrong with the CrowdStrike app, it can crash Windows machines with a Blue Screen of Death.

CrowdStrike’s Falcon software uses a special driver that allows it to run at a lower level than most applications so it can detect threats on a Windows system. Microsoft attempted to restrict third-party access to the Windows Vista kernel in 2006, but was met with resistance from cybersecurity vendors and EU regulators. However, Apple managed to lock down its macOS operating system in 2020 so that developers could no longer access the kernel.

Now, it appears that Microsoft wants to reopen conversations about restricting kernel-level access within Windows.

“This incident clearly shows that Windows must prioritize change and innovation in the area of end-to-end resiliency,” said John Cable, vice president of program management for Windows servicing and delivery, in a blog post entitled “the way forward”. Cable calls for closer cooperation between Microsoft and its partners “who also care deeply about the security of the Windows ecosystem” to make security improvements.

While Microsoft doesn’t detail the exact improvements it will make to Windows in the wake of the CrowdStrike issues, Cable does give some clues about the direction Microsoft wants things to go. Cable cites a new VBS Enclaves feature “that does not require kernel mode drivers to be tamper-resistant” and the Microsoft Azure Attestation service as examples of recent security innovations.

“These examples use modern Zero Trust approaches and show what can be done to encourage development practices that don’t rely on kernel access,” says Cable. “We will continue to develop these capabilities, strengthen our platform, and do even more to improve the resiliency of the Windows ecosystem by working openly and collaboratively with the broad security community.”

These hints could start a conversation about access to the Windows kernel, even though Microsoft claims it can’t lock down its operating system in the same way as Apple due to regulators. Cloudflare CEO Matthew Prince has already warned about the effects of Microsoft locking down Windows further, so Microsoft will need to carefully consider the needs of security vendors if it wants to pursue real change.


