A year after the CrowdStrike fiasco that crashed millions of PCs, Microsoft is closing external access to the Windows kernel to prevent it from happening again.
What has been anticipated for a year is now a reality. Microsoft is about to roll out a new endpoint security platform for Windows, which drastically changes how the security software installed on your PC will function. Access to the Windows kernel is being closed off to external parties.
To understand why Microsoft is doing this, we need to rewind the clock eleven months. A faulty CrowdStrike update caused 8.5 million Windows PCs to crash simultaneously worldwide, resulting in total chaos and significant financial damage. The update could have such a large impact because CrowdStrike’s software, like that of other vendors, is deeply rooted in the Windows kernel.
Solomon’s Judgment
Kicking external partners out of the kernel was not straightforward. Security software is only effective because it runs with high privileges in Windows, but those same privileges mean that a fault in it takes the whole system down. Moreover, Microsoft had to allow external access under pressure from the EU. Thus, Microsoft had to find a new solution that satisfies both partners and regulators.
In an interview with The Verge, Microsoft emphasizes that the new system was developed in collaboration with security vendors and nothing is imposed on them. Some parties provided Microsoft with papers ‘hundreds of pages long’ with suggestions, according to David Weston, head of Windows security.
The aim is to place external software in an isolated environment where it can run with the same privileges as a kernel application, without actually having to run code in the kernel. Microsoft believes this system can be applied more broadly than just security. Partners now have the opportunity to test the system in preview and provide feedback, including CrowdStrike, which started it all.
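The practical question behind this change is how much third-party code currently sits in the kernel of a given machine. The following PowerShell inventory is an added example, not code from Microsoft, CrowdStrike or The Verge: it lists the registered kernel-mode drivers, resolves each driver file's Authenticode signer, and flags everything whose signer does not match a first-party pattern (the `Microsoft` pattern and the path normalisation rules are assumptions, not something the article specifies). It assumes PowerShell 5.1 or later on Windows with read access to the driver files.

```powershell
# Added example (not from the article): inventory kernel-mode drivers on this host
# and group them by code signer, so a defender can see how much non-Microsoft code
# runs in the kernel today. Assumes PowerShell 5.1+ on Windows.

function Get-KernelDriverInventory {
    [CmdletBinding()]
    param(
        # Signer subjects matching this pattern are treated as first-party (assumption).
        [string]$FirstPartyPattern = 'Microsoft'
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Driver service paths come in several spellings (\??\C:\..., \SystemRoot\...,
            # or relative to the Windows directory); normalise to a plain file path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

            # Resolve the signer; catalog-signed Microsoft drivers still return a certificate.
            $signer = 'unsigned/unknown'
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [PSCustomObject]@{
                Name       = $_.Name
                State      = $_.State        # Running / Stopped
                StartMode  = $_.StartMode    # Boot / System / Auto / Manual / Disabled
                Path       = $path
                Signer     = $signer
                FirstParty = ($signer -match $FirstPartyPattern)
            }
        }
}

# Usage: show third-party drivers that are running now or load before the OS is up.
Get-KernelDriverInventory |
    Where-Object { -not $_.FirstParty -and ($_.State -eq 'Running' -or $_.StartMode -in 'Boot','System') } |
    Sort-Object Signer, Name |
    Format-Table Name, State, StartMode, Signer -AutoSize
```

Drivers with `StartMode` of `Boot` or `System` are the ones that load before the desktop is available, which is exactly the class of code that, when it faults, leaves a machine unable to start; the `Signer` column shows which vendors that footprint belongs to, and the list is a useful baseline to compare against once a vendor moves its product onto the new platform.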
Lesson Learned
A year after the CrowdStrike fiasco, Microsoft is rolling out new security applications for Windows. The “quick recovery mode” sends your device to a secure environment when it cannot start, where it gets network access so it can send diagnostic data to Microsoft. “We wish we had this last year”, Weston tells The Verge.
The most visible change Microsoft is making is to the iconic BSOD screen. It will soon no longer be blue, but black.