Microsoft is stepping up plans to make Windows more resilient to buggy software after a botched CrowdStrike update crippled millions of PCs and servers in a global IT outage.
The tech giant has been in intensive discussions with partners over the past month about adjusting security procedures around the operating system to make it more resilient to the kind of software bug that crashed 8.5 million Windows devices on July 19.
Critics say any changes by Microsoft would amount to a concession to shortcomings in the way Windows handles third-party security software that could have been addressed earlier.
However, the changes would also be controversial among security vendors, who would have to radically modify their products, and would force many Microsoft customers to adapt their software.
Last month's outages, which are estimated to have caused billions of dollars in damage by grounding thousands of flights and disrupting hospital appointments around the world, have led to increased scrutiny by regulators and industry executives over the extent to which third-party software vendors have access to the core of Windows operating systems.
Microsoft will host a summit next month for representatives from government and cybersecurity companies, including CrowdStrike, to “discuss concrete steps we will all take to improve the security and resilience of our joint customers,” Microsoft said Friday.
The meeting will take place on September 10 at Microsoft's headquarters near Seattle, according to a blog post.
Bugs in the kernel can quickly crash an entire operating system, causing the millions of “blue screens of death” that appeared worldwide after CrowdStrike’s faulty software update was pushed out to customer devices.
Microsoft told the Financial Times it was considering several options to make its systems more stable and had not ruled out blocking access to the Windows kernel altogether. Some competitors fear that option would put their software at a disadvantage compared to the company's internal security product, Microsoft Defender.
“All competitors are concerned that [Microsoft] will use this to choose their own products over third-party alternatives,” said Ryan Kalember, head of cybersecurity strategy at Proofpoint.
Microsoft could also require new testing procedures from cybersecurity vendors instead of modifying the Windows system itself.
Apple, which was not affected by the outages, blocks all third-party providers from accessing the kernel of its macOS operating system, forcing them to operate in the more restricted “user mode.”
Microsoft has previously indicated that it could not do this, after it reached an agreement with the European Commission in 2009 that would give third parties the same access to its systems as Microsoft Defender.
However, some experts said that this voluntary commitment to the EU has not tied Microsoft's hands as the company claimed. They argued that the company has always been free to make the changes now under consideration.
“These are technical decisions made by Microsoft that were not part of [the arrangement],” said Thomas Graf, a partner at Cleary Gottlieb in Brussels who was involved in the case.
“The text [of the understanding] does not require them to grant access to the kernel,” added AJ Grotto, a former senior director for cybersecurity policy at the White House.
Grotto said Microsoft was partly to blame for the July outages, as the outages would not have been possible without the decision to allow access to the kernel.
Still, while blocking kernel access could increase a system's resilience, it could also impose “real compromises” on compatibility with other software that has made Windows so popular with enterprise customers, said Forrester analyst Allie Mellen.
“That would be a fundamental change to Microsoft's philosophy and business model,” she added.
Operating exclusively outside the kernel could reduce the risk of mass outages, but it was also “very limiting” for security vendors and could make their products “less effective” against hackers, Mellen added.
By working within the kernel, security companies could gain more information about potential threats and activate their defenses before malware could take hold, she added.
An alternative option would be to copy the model used by the open-source Linux operating system. That system uses a filtering mechanism that creates a separate environment within the kernel in which software, including cyber-defense tools, can run.
But the complexity of changing the way other security software works with Windows means it will be difficult for regulators to police changes, and it will give Microsoft strong incentives to favor its own products, rivals say.
“It sounds good on paper, but the devil is in the details,” said Matthew Prince, CEO of digital services group Cloudflare.
© 2024 The Financial Times Ltd. All rights reserved. May not be redistributed, copied or modified in any way.