\n<\/p>\n
Microsoft is still helping CrowdStrike clean up the mess<\/a> that kicked off a week ago when 8.5 million PCs went offline due to a buggy CrowdStrike update. Now, the software giant is calling for changes to Windows, and has dropped some subtle hints that it\u2019s prioritizing making Windows more resilient and willing to push security vendors like CrowdStrike to stop accessing the Windows kernel.<\/p>\n<\/div>\n While CrowdStrike has blamed a bug in its testing software<\/a> for its botched update, its software runs at the kernel level \u2014 the core part of an operating system that has unrestricted access to system memory and hardware \u2014 so if something goes wrong with CrowdStrike\u2019s app then it can take down Windows machines with a Blue Screen of Death.<\/p>\n<\/div>\n CrowdStrike\u2019s Falcon software uses a special driver that allows it to run at a lower level than most apps so it can detect threats across a Windows system. Microsoft tried to restrict third parties from accessing the kernel in Windows Vista in 2006, but was met with pushback from cybersecurity vendors<\/a> and EU regulators. However, Apple was able to lock down its macOS operating system in 2020 so that developers could no longer get access to the kernel.<\/p>\n<\/div>\n Now, it looks like Microsoft wants to reopen the conversations around restricting kernel level access inside Windows. <\/p>\n<\/div>\n \u201cThis incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience,\u201d says John Cable, vice president of program management for Windows servicing and delivery, in a blog post<\/a> titled \u201cthe path forward.\u201d Cable calls for closer cooperation between Microsoft and its partners \u201cwho also care deeply about the security of the Windows ecosystem\u201d to make security improvements. <\/p>\n<\/div>\n While Microsoft doesn\u2019t detail the exact improvements it will make to Windows in the wake of the CrowdStrike issues, Cable does drop a few clues about which direction Microsoft wants to see things go. Cable calls out a new VBS enclaves<\/a> feature \u201cthat does not require kernel mode drivers to be tamper resistant\u201d and Microsoft\u2019s Azure Attestation<\/a> service as examples of recent security innovations. <\/p>\n<\/div>\n \u201cThese examples use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access,\u201d says Cable. \u201cWe will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community.\u201d<\/p>\n<\/div>\n These hints might kick off a conversation around Windows kernel access, even if Microsoft claims it can\u2019t wall off its operating system<\/a> in the same way as Apple due to regulators. Cloudflare CEO Matthew Prince has\u00a0already warned<\/a> about the effects of Microsoft locking down Windows further, so Microsoft will need to carefully consider the needs of security vendors if it wants to pursue real change.<\/p>\n<\/div>\n