Microsoft hosts security summit after CrowdStrike disaster

Photo of a Windows BSOD

Microsoft is stepping up its plans to make Windows more resilient to buggy software after a botched CrowdStrike update brought millions of PCs and servers to a halt in a global IT outage.

The tech giant has intensified talks with partners over the past month about adapting the security procedures around its operating system to better withstand the kind of software bug that crashed 8.5 million Windows devices on July 19.

Critics say any change by Microsoft would be an admission of deficiencies in Windows' handling of third-party security software that could have been fixed sooner.

However, such changes would also be controversial among security vendors, which would have to make radical changes to their products, and would force many Microsoft customers to adapt their software.

Last month's outages – which resulted in thousands of flight cancellations and hospital disruptions around the world and caused billions of dollars in damage – sparked increased attention among regulators and business leaders about the extent of third-party software access to the kernel of Windows operating systems.

Microsoft will host a summit next month for government officials and cybersecurity companies, including CrowdStrike, to “discuss concrete steps we will all take to improve security and resilience for our mutual customers,” Microsoft said Friday.

The meeting will take place on September 10 at Microsoft's headquarters near Seattle, a blog post said.

Code running in the kernel executes with the highest privilege and shares the kernel's memory, so a fault there cannot be contained the way a crashing application can; an error in a kernel-mode driver can take down the entire operating system in an instant. That is what triggered the millions of "blue screens" that appeared around the globe after CrowdStrike's faulty update was pushed to customers' devices.

Microsoft told the Financial Times that it is considering several options to make its systems more stable, including blocking access to the Windows kernel entirely – an option that some competitors fear would put their software at a disadvantage compared to the company's own security product, Microsoft Defender.

“All competitors are concerned that [Microsoft] will use this to favor their own products over third-party alternatives,” said Ryan Kalember, head of cybersecurity strategy at Proofpoint.

Microsoft could also demand new testing procedures from cybersecurity vendors rather than adapting the Windows system itself.

Apple, which was not affected by the outages, blocks third-party developers from accessing the kernel of its macOS operating system, forcing them to operate in the more restricted "user mode". Security vendors on macOS instead build on Apple-provided interfaces, such as the Endpoint Security framework, that expose system events to a user-space process rather than letting the vendor's own code run inside the kernel.

Microsoft had previously said it could not do the same. The company reached an agreement with the European Commission in 2009 under which it would grant third parties the same access to its systems as Microsoft Defender has.

However, some experts said that Microsoft's hands were not tied by this voluntary commitment to the EU in the way the company claimed, and that it was always free to make the changes now being considered.

“These are technical decisions by Microsoft and are not part of [the arrangement]”, said Thomas Graf, a partner at Cleary Gottlieb in Brussels who was involved in the case.

“The text [of the understanding] does not require them to grant access to the kernel,” added AJ Grotto, a former senior director for cybersecurity policy at the White House.

Grotto said Microsoft bears some of the blame for the July outages because the outages would not have been possible without the company's decision to allow access to the kernel.

While blocking kernel access can increase a system's resilience, it can also entail "real compromises" in compatibility with the other software that has made Windows so popular with business customers, said Forrester analyst Allie Mellen.

“This would be a fundamental change in Microsoft’s philosophy and business model,” she added.

While operating exclusively outside the kernel can reduce the risk of mass outages, it is also “very limiting” for security vendors and can make their products “less effective” against hackers, Mellen added.

By operating within the kernel, security companies get earlier and more complete visibility into potential threats, such as process creation and file and network activity, and can activate their defenses before malware takes hold, she added.

An alternative approach would be to replicate the model used by the open source Linux operating system, whose eBPF mechanism creates a segregated environment within the kernel in which software, including cyber defense tools, can run. Programs loaded this way are checked by an in-kernel verifier before they execute and run under tight constraints, so a buggy program is rejected or contained rather than allowed to crash the kernel.

But the complexity of redesigning how other security software works on Windows will make it difficult for regulators to control any changes, and Microsoft will have strong incentives to favor its own products, rivals say.

“It sounds good on paper, but the devil is in the details,” said Matthew Prince, CEO of digital services group Cloudflare.

© 2024 The Financial Times Ltd. All rights reserved. May not be redistributed, copied or modified in any way.