What you need to know
- A massive outage caused by a CrowdStrike bug crashed 8.5 million PCs and affected countless people and businesses.
- The outage was caused by a CrowdStrike update with a bug that was able to affect PCs due to the app having kernel access to Windows 11.
- In response to the outage, Microsoft appears to be interested in moving away from security software having Windows 11 kernel access.
The recent CrowdStrike outage caused 8.5 million PCs to crash, affected millions of people, and potentially cost businesses billions of dollars. Referred to by many as the “digital pandemic,” the outage has drawn responses from CrowdStrike, Microsoft, and security experts. The outage was caused by a CrowdStrike bug, and Microsoft is looking into options that could make similar outages impossible in the future.
“The recent CrowdStrike incident underscores the need for mission-critical resiliency within every organization, and our unique ability to support the change required,” said Microsoft’s John Cable, vice president of program management for Windows servicing and delivery.
CrowdStrike, and some other pieces of security software, run at the kernel level on Windows 11. That setup gives security tools like CrowdStrike access to a PC’s memory and to parts of the operating system that are usually closed off to other applications. Kernel access is granted today because it lets security software monitor the whole system, but it also means that a faulty driver in something like CrowdStrike can crash the PC rather than just the application.
Cable explained that the recent CrowdStrike outage “shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience.” While Cable did not specifically say that Microsoft will shift security software away from having kernel access, the examples he shared are for security methods that do not require accessing the Windows kernel.
VBS enclaves, which Cable highlighted, do not require kernel access. The Microsoft Azure Attestation service is another security measure that could protect systems without exposing a PC to the risks that come with an app having kernel access.
“These examples use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access,” said Cable. “We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community.”
If Microsoft moved away from allowing security apps to have kernel access, a buggy update from CrowdStrike or another app would not be able to cause PCs to crash. Other types of attacks would still be possible, of course, as cybersecurity is incredibly complex, but the specific type of issue that caused the CrowdStrike outage would not be possible.