Microsoft appears to be starting the conversation about moving security vendors out of the Windows kernel.
In the wake of a major disruption that saw 8.5 million PCs go offline due to a faulty update from CrowdStrike, Microsoft is stepping in to help clean up the mess and pushing for significant changes to Windows. The software giant is hinting at a renewed focus on making Windows more resilient and is considering urging security vendors like CrowdStrike to avoid accessing the Windows kernel.
The Root of the Issue
CrowdStrike attributed the widespread outage to a bug in the content validator that tests its updates before release, which allowed a faulty channel file to ship. The company’s Falcon software operates at the kernel level, the core part of an operating system with unrestricted access to system memory and hardware. At that level there is no isolation: a fault in a kernel-mode driver brings down the whole machine rather than a single process, so Windows halts with a bug check, the notorious Blue Screen of Death.
Falcon employs a kernel-mode driver to detect threats across a Windows system by running at a lower level than applications, where it can observe process, file and network activity before user-mode code sees it. Microsoft previously attempted to restrict third-party kernel access in Windows Vista back in 2006. However, this move faced resistance from cybersecurity vendors and EU regulators, and in 2009 Microsoft committed to giving security vendors the same kernel access its own security products have. In contrast, Apple locked down macOS in 2020, deprecating third-party kernel extensions in favour of user-space system extensions and its Endpoint Security framework.
Renewed Conversations on Kernel Access
Microsoft now appears ready to revisit the topic of kernel access restrictions within Windows. John Cable, Vice President of Program Management for Windows Servicing and Delivery, emphasized the need for change and innovation in end-to-end resilience in a recent blog post titled “The Path Forward.” Cable advocates for closer cooperation between Microsoft and its partners who are committed to enhancing the security of the Windows ecosystem.
While Microsoft has not outlined specific changes it will implement following the CrowdStrike incident, Cable provided some clues about the company’s intended direction. He highlighted new security innovations such as VBS enclaves, hypervisor-isolated regions of a user-mode process in which security code can run tamper-resistant without a kernel-mode driver, and Microsoft’s Azure Attestation service, which lets a remote party verify a device’s boot and security configuration before trusting it.
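The two passages above (kernel-mode drivers that can crash the whole system, and VBS as the alternative) raise the questions an administrator would want answered about their own fleet: which non-Microsoft kernel drivers are actually loaded right now, and is virtualization-based security running so that the hypervisor-backed alternatives are even available? The following PowerShell script is an added example, not code from the article or from Microsoft or CrowdStrike. It assumes Windows 10/11 or Server 2016+ (where the `Win32_DeviceGuard` WMI class exists) and a session with read access to the driver binaries. The function and property names below (`Get-ThirdPartyKernelDriver`, `Get-VbsStatus`, `Signer`, `VbsRunning`) are this example's own choices.

```powershell
# Added example (not from the article, Microsoft or CrowdStrike).
# Inventories currently running kernel drivers that were not signed as
# Windows inbox components, and reports whether VBS and HVCI are running.

function Get-ThirdPartyKernelDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # WMI reports NT-style paths (\??\C:\... or \SystemRoot\...) for
            # some drivers; map them to Win32 paths so the file can be opened.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            # Heuristic: Windows' own drivers carry a "Microsoft Windows" leaf
            # signer. Third-party drivers that went through Microsoft's
            # attestation/WHQL signing are signed by "Microsoft Windows Hardware
            # Compatibility Publisher", so a plain match on "Microsoft" would
            # hide them; treat only the inbox signer as first-party.
            $isInbox = $subject -match '^CN=Microsoft Windows(,|$)'
            if (-not $isInbox) {
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Signer = $subject
                    Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                }
            }
        }
}

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI (memory integrity)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

Get-ThirdPartyKernelDriver | Sort-Object Signer, Name | Format-Table -AutoSize
Get-VbsStatus
```

Run it as a normal user first; the driver list is readable without elevation, while `Win32_DeviceGuard` may require an elevated session on some builds. Any driver that appears with `Status` other than `Valid` deserves a closer look, and every entry in the list is code that runs with the same unrestricted access the article describes, so the list is also the set of things that can take the machine down with a single bad update.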
Pushing for Modern Security Approaches
“These examples use modern Zero Trust approaches and demonstrate what can be achieved without relying on kernel access,” Cable stated. “We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community.”
The discussion around Windows kernel access is likely to gain momentum, even as Microsoft acknowledges it cannot restrict its operating system as tightly as Apple due to regulatory constraints. Cloudflare CEO Matthew Prince has already voiced concerns about the potential impacts of further lockdowns on Windows, suggesting Microsoft will need to balance the needs of security vendors with its goal of enhancing system resilience.
Looking Ahead
Microsoft’s call for changes comes at a critical time. As the company works to bolster the resilience of Windows, it aims to set security practices that do not compromise system stability: moving protection out of the kernel where possible, and hardening what must remain there.
With the stakes high and the conversation just beginning, the industry will be watching closely to see how Microsoft balances regulatory commitments, vendor needs and platform resilience, and what concrete steps it takes to fortify Windows against future failures of this kind.