
Microsoft’s Solution to Its Own Security Problems

Microsoft learns the hard way that sharing the kernel too freely can crash 8.5 million computer systems worldwide.

By Marco Rizal - Editor, Journalist
Last updated: September 17, 2024 5:14 am
  • Microsoft plans changes to Windows security after CrowdStrike incident.
  • Vendors want more access outside of Windows kernel for safer operations.
  • Microsoft hosts summit with vendors to discuss future security solutions.

Microsoft is on an apology tour following the disastrous CrowdStrike incident, which brought down 8.5 million Windows PCs.

In what has been described as a major “oops,” Microsoft is now proposing changes to Windows that will allow security vendors such as CrowdStrike to operate outside of the Windows kernel.

This marks a major turn of events after years of debate over who should have access to the kernel, the operating system's all-important core that can do almost anything. Yes, it is past time for them to take action.

Unless you've been living under a rock, you know that CrowdStrike, a well-known cybersecurity firm, released an update in July for its Falcon Sensor, which ran at the Windows kernel level.

Normally, this wouldn't be a big deal, but this time it caused widespread chaos, resulting in the dreaded Blue Screen of Death on millions of systems.

As if IT departments weren't already stressed out. Since then, Microsoft has been in damage control mode, scrambling to repair the damage and reconsider how it handles security vendors in Windows.

After facing backlash and a PR nightmare, Microsoft realized it couldn't just push through changes without consulting its partners.

So they held a security summit at their headquarters in Redmond, Washington, where industry leaders and government officials met to discuss the next steps.

They invited the biggest names in the cybersecurity industry, including CrowdStrike, Broadcom, and Sophos, for a little heart-to-heart.

What is the main topic? How to enable these companies to operate securely without direct access to the kernel.

David Weston, Microsoft's VP of Enterprise and Operating System Security, admitted that partners have been pushing for more “security capabilities outside of kernel mode.”

Translation: Please stop destroying our systems.

In the classic “we messed up, but let's focus on the future” style, Microsoft is now considering developing a new platform to assist security vendors in operating safely.

They aren't blocking kernel access just yet, but they are encouraging companies like CrowdStrike to reconsider how deeply into Windows internals they really need to go.

Weston stated that their current approach entails working on a platform separate from the kernel, complete with anti-tampering measures and security sensors.

It's like creating a safe playground for children so they don't injure themselves—or crash 8.5 million computers.

Surprisingly, the tone at the summit was “We appreciate the effort” rather than “This is all your fault.”

Sophos CEO Joe Levy called it a “welcome opportunity,” and CrowdStrike's Drew Bagley was “appreciative” of Microsoft's new approach.

You could almost hear a collective sigh of relief. However, not everyone is thrilled. Cloudflare CEO Matthew Prince threw some shade on social media, warning that Microsoft may end up giving itself privileged access while locking out everyone else.

Regulators in the United States and Europe are paying close attention to how Microsoft handles this newfound collaboration.

What's next?

The road ahead is, to say the least, complicated. Microsoft has not provided a timeline for these changes, but it does promise increased transparency and community engagement.

This means they'll be speaking with vendors, researchers, and possibly even the irritated IT professionals who had to deal with the aftermath of the CrowdStrike incident.

Microsoft's goal is to develop a new platform that can operate outside of the kernel, reducing the likelihood of another massive crash. While they're at it, they're developing “better audit capabilities” in case things go wrong again.

This fiasco has served as a wake-up call not only for Microsoft, but for the entire cybersecurity industry.

Operating at the kernel level provides immense power, but as the CrowdStrike incident demonstrated, it also carries significant risk.

Microsoft finally appears to be grasping the delicate balance between security and stability, which they should have focused on a long time ago.
