Microsoft is still helping CrowdStrike clean up the mess that kicked off a week ago when 8.5 million PCs went offline due to a buggy CrowdStrike update. Now, the software giant is calling for changes to Windows, and has dropped some subtle hints that it’s prioritizing making Windows more resilient and willing to push security vendors like CrowdStrike to stop accessing the Windows kernel.
While CrowdStrike has blamed a bug in its testing software for its botched update, its software runs at the kernel level — the core part of an operating system that has unrestricted access to system memory and hardware — so if something goes wrong with CrowdStrike’s app then it can take down Windows machines with a Blue Screen of Death.
CrowdStrike’s Falcon software uses a special driver that allows it to run at a lower level than most apps so it can detect threats across a Windows system. Microsoft tried to restrict third parties from accessing the kernel in Windows Vista in 2006, but was met with pushback from cybersecurity vendors and EU regulators. However, Apple was able to lock down its macOS operating system in 2020 so that developers could no longer get access to the kernel.
Now, it looks like Microsoft wants to reopen the conversations around restricting kernel level access inside Windows.
“This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience,” says John Cable, vice president of program management for Windows servicing and delivery, in a blog post titled “the path forward.” Cable calls for closer cooperation between Microsoft and its partners “who also care deeply about the security of the Windows ecosystem” to make security improvements.
While Microsoft doesn’t detail the exact improvements it will make to Windows in the wake of the CrowdStrike issues, Cable does drop a few clues about which direction Microsoft wants to see things go. Cable calls out a new VBS enclaves feature “that does not require kernel mode drivers to be tamper resistant” and Microsoft’s Azure Attestation service as examples of recent security innovations.
“These examples use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access,” says Cable. “We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community.”
These hints might kick off a conversation around Windows kernel access, even if Microsoft claims it can’t wall off its operating system in the same way as Apple due to regulators. Cloudflare CEO Matthew Prince has already warned about the effects of Microsoft locking down Windows further, so Microsoft will need to carefully consider the needs of security vendors if it wants to pursue real change.