Microsoft is still helping CrowdStrike clean up the mess that began a week ago, when 8.5 million PCs were taken offline by a faulty CrowdStrike update. Now the software giant is calling for changes to Windows, signalling that it is prioritizing making Windows more resilient and is willing to push security vendors like CrowdStrike to stop accessing the Windows kernel.
Although CrowdStrike blamed its update failure on a bug in its test software, its software runs at the kernel level (the core part of the operating system, with unrestricted access to system memory and hardware), so when something goes wrong in CrowdStrike’s program, the failure happens at the kernel level rather than in an isolated application.
CrowdStrike’s Falcon software uses a special driver that lets it run at a lower level than most applications, which is how it detects threats on Windows systems. In 2006, Microsoft tried to restrict third-party access to the Windows Vista kernel, but it faced resistance from security vendors and EU regulators. Apple, by contrast, locked down macOS in 2020, so developers can no longer access its kernel.
Now, Microsoft seems to be hoping to reopen the conversation about restricting access to the kernel layers within Windows.
“This incident clearly demonstrates that Windows must prioritize change and innovation in the area of end-to-end resiliency,” John Cable, vice president of Windows Services and Delivery Project Management, said in a blog post titled “The Path Forward.” Cable called for Microsoft to work more closely with partners who “also care deeply about the security of the Windows ecosystem” to improve security.
While Microsoft didn’t detail what specific improvements it would make to Windows in the wake of the CrowdStrike issue, Cable did drop some clues about the direction Microsoft hopes to take. Cable cited the new VBS enclaves feature, “which does not require kernel-mode driver tamper protection,” and Microsoft’s Azure Attestation Service as examples of its latest security innovations.
“These examples use a modern zero-trust approach and demonstrate what can be done to encourage development practices that do not rely on kernel access,” Cable said. “We will continue to develop these features, strengthen our platform, and take additional steps to increase the resiliency of the Windows ecosystem, collaborating openly with the broad security community.”
These hints are likely to spark discussion about Windows kernel access, even as Microsoft claims it cannot lock down its operating system the way Apple does for regulatory reasons. Cloudflare CEO Matthew Prince has warned of the impact of Microsoft further locking down Windows, so Microsoft will need to weigh the needs of security vendors carefully if it wants to pursue real change.