Microsoft appears to be starting the conversation about moving security vendors out of the Windows kernel.
Microsoft is still assisting CrowdStrike in resolving the aftermath of a recent incident where 8.5 million PCs went offline due to a faulty CrowdStrike update. The tech giant is now advocating for changes to Windows, hinting at a shift towards making Windows more resilient and urging security vendors like CrowdStrike to refrain from accessing the Windows kernel.
While CrowdStrike has attributed the issue to a bug in its testing software, its software operates at the kernel level, which grants unrestricted access to system memory and hardware. Because a fault in kernel-mode code cannot be isolated the way an application crash can, any malfunction in CrowdStrike’s driver can bring down the whole Windows machine with a Blue Screen of Death.
CrowdStrike’s Falcon software uses a special driver to operate at a lower level than most applications, enabling it to identify threats across a Windows system. Microsoft previously attempted to limit third-party access to the kernel in Windows Vista in 2006, but faced opposition from cybersecurity vendors and EU regulators. Apple, by contrast, successfully locked down its macOS operating system in 2020, preventing developers from accessing the kernel.
Now, Microsoft seems inclined to revisit the discussion on restricting kernel-level access within Windows. John Cable, vice president of program management for Windows servicing and delivery, emphasized the need for change and innovation in enhancing end-to-end resilience in a blog post titled “the path forward.” Cable called for increased collaboration between Microsoft and its partners to enhance security measures.
Although Microsoft did not outline specific improvements following the CrowdStrike incident, Cable hinted at the direction Microsoft aims to take. He highlighted features like VBS enclaves and Microsoft’s Azure Attestation service as examples of recent security advancements that do not rely on kernel access.
These developments may spark conversations about Windows kernel access, despite Microsoft’s acknowledgment of regulatory constraints. Cloudflare CEO Matthew Prince has cautioned against the implications of further locking down Windows, prompting Microsoft to carefully consider the requirements of security vendors in pursuing substantial changes.