Microsoft Pushes for Windows Changes After CrowdStrike Incident

In the wake of a major incident that affected millions of Windows PCs, Microsoft is calling for significant changes to enhance the resilience of its operating system. John Cable, Microsoft's vice president of program management for Windows servicing and delivery, said there was a need for "end-to-end resilience" in a blog post, signaling a potential shift in Microsoft's approach to third-party access to the Windows kernel.

While not explicitly detailing planned improvements, Cable pointed to recent innovations like VBS enclaves and the Azure Attestation service as examples of security measures that don't rely on kernel access. This move towards a "Zero Trust" approach could have far-reaching implications for the cybersecurity industry and Windows users worldwide, as Microsoft seeks to balance system security with the needs of its partners in the broader security community.

The comment follows a Microsoft spokesman's statement last week that a 2009 European Commission agreement prevented the company from restricting third-party access to Windows' core functions.
  • False (Score:5, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday July 26, 2024 @10:13AM (#64657274) Homepage Journal

    The comment follows a Microsoft spokesman revealed last week that a 2009 European Commission agreement prevented the company from restricting third-party access to Windows' core functions.

    No, the agreement prevented the company from restricting third-party access to Windows' core functions as long as they themselves were using them for competing products.

    If Microsoft wants to restrict access to those core functions from themselves as well then they can absolutely do that.

    • What you seem to be missing is MS wouldn't have allowed their drivers to download unverified defs that caused half the world to experience major outages. This is why MS should be able to reject third party drivers that - for example - download shit from the Internet.

      • "MS wouldn't have allowed their drivers to download unverified defs that caused half the world to experience major outages."

        Are we talking about the same company? The very same week they pushed a Windows update that caused me to have downtime AGAIN, just a few days after I had to go in to the office to have the Clownstroke problem fixed. It also could not be fixed remotely.

        • You are not the Internet. I can't think of an MS rollout this bad. It's pretty much impossible because half their customers block automatic updates.

      • What you seem to be missing is MS wouldn't have allowed their drivers to download unverified defs that caused half the world to experience major outages. This is why MS should be able to reject third party drivers that - for example - download shit from the Internet.

        I think Microsoft can refuse to endorse drivers that do things like that. There is an MS driver signing program called Windows Hardware Quality Labs that requires third party driver authors to jump through some hoops and subject their code to Microsoft's scrutiny -- and Crowdstrike's driver was WHQL certified, which means it had Microsoft's explicit stamp of approval as trustworthy. They should not have done that, IMO, not without requiring rigorous proof that the downloadable bytecode interpreter was inca

        • MS doesn't know their driver is doing something like that. MS doesn't have the time/resources to examine each driver in depth. CrowdStrike runs the HLK tests and then submits their driver package. Microsoft probably just does some basic analysis to make sure it is not malware.
    • by gweihir ( 88907 )

      Obviously. But all the moronic assholes that deeply believe their chosen God Microsoft can do no wrong have to find some lie to make it so. Hence they claim crap like that.

    • If Microsoft restricts both themselves and competitors from low-level kernel access, they would've made Windows into less of a general-purpose operating system, so I'd prefer if they didn't.

      The real failure here was CrowdStrike releasing untested updates to a file loaded by a low-level kernel module/driver. MS seems to want to start locking down Windows and isn't letting a crisis go to waste.

  • Liability (Score:5, Insightful)

    by Dan East ( 318230 ) on Friday July 26, 2024 @10:18AM (#64657290) Journal

    It seems to me that this absolves Microsoft of a lot of liability. If 3rd party software has low-level enough access to the OS to make the OS non-functional, then either that software, and / or the people that made the decision to install that software, bear the actual liability.

    Now, the public perception and optics of the thing is something else entirely, as this was reported in the news as "Microsoft Windows" products failing at first, and not blaming CrowdStrike initially (as that detail wasn't really known).

    • Just as an example of the kinds of software Microsoft could produce if it had sole and exclusive access to its own OS's internal functions. Indeed, no software on the planet could compete with Microsoft's software if Microsoft exclusively is permitted and able to use the core functions of the MS-Windows OS. Office is already the de facto standard for word processing and spreadsheet creation in the MS ecosystem; this would absolutely let Microsoft complete the vendor lock-in Bill Gates was always seeking b
      • by tlhIngan ( 30335 )

        Just as an example of the kinds of software Microsoft could produce if it had sole and exclusive access to its own OS's internal functions. Indeed, no software on the planet could compete with Microsoft's software if Microsoft exclusively is permitted and able to use the core functions of the MS-Windows OS. Office is already the de facto standard for word processing and spreadsheet creation in the MS ecosystem; this would absolutely let Microsoft complete the vendor lock-in Bill Gates was always seeking bef

  • WAAHH "The EU will just have to let us lock our rivals out via uncompetitive practices again"
    • oh like apple is doing for macs, iphones. And samsung is doing for their phones? e fuses, locked bootloaders, and proprietary firmwares.

      no linux allowed there either... lol double standards much? there are more phones in the world than windows PCs, and they are all arguably computing devices.

      • When you're a convicted monopolist, you are held to a different standard. Although Apple and the other phone makers SHOULD have unlocked bootloaders. https://en.m.wikipedia.org/wik... [wikipedia.org]
        • I don't like this argument. It's still not OK to follow monopolistic, anti-competitive business practices even if you haven't yet been convicted of anything related in court. The world of Big Tech is increasingly dominated by products with surrounding ecosystems and online services that are doing everything they can to trap users inside their walled gardens. This isn't in the best interests of anyone except the Big Tech companies who succeed in doing so.

      • Apple's behavior on phones is inexcusable, and the EU is finally working on fixing that too.

        You can install whatever you want on a Mac. Not sure what you're on about there.

        • My inclusion of Mac is because macos allows no kernel access from user space, and the driver ecosystem is more tight.

          my argument is thus: systems with tighter restriction have less malware. full stop. no moral judgments. Security will always be counter to freedom. no argument there.

          If you care about freedumb, you like old westerns, bank robberies, crypto scams, popup ads, school shootings etc. all for it. go linux and unlocked hardware.
          If you like law and order, lockdown and restriction is proven to really be

    • windows store only! (we will allow win32 apps) & no censorship!
      adult only games allowed as well.

  • NT4 (Score:5, Informative)

    by neilo_1701D ( 2765337 ) on Friday July 26, 2024 @10:24AM (#64657308)

    BS by Microsoft.

    In Windows NT up until 3.51, drivers lived in user space. Because of perceived sluggishness of NT, in NT 4 drivers moved into kernel space. This gave a performance boost, but at the cost of system stability. In the book "Showstopper", Dave Cutler (architect of NT) railed against this sort of thing precisely because of the instability it allowed.

    macOS absolutely prohibits anything other than Apple code running in kernel space, yet CrowdStrike's Falcon operates there just fine.

    CrowdStrike caused the disaster, for sure. But Microsoft laid the foundation for this disaster back in 1994.

    • Dave Cutler (architect of NT) railed against this sort of thing precisely because of the instability it allowed.

      ....and yet most drivers in Linux live in kernel space and it is very stable. Perhaps Windows should require drivers to be Open Source and then more people would be able to find and fix the bugs?

      • Re:Linux (Score:5, Informative)

        by cbm64 ( 9558787 ) on Friday July 26, 2024 @11:06AM (#64657420)

        ....and yet most drivers in Linux live in kernel space and it is very stable.

        Well, Crowdstrike did the exact same thing to Linux servers earlier this year, sending them into kernel panic. https://www.tomshardware.com/s... [tomshardware.com]

        • article answered my question:

          ```
          Linux users do seem to have more recourse for issues like this - including switching to an eBPF "User Mode"
          ```

          "what does Crowdstrike need that they can't get as root?"

          Sounds like a userland daemon is just fine.

          Sure, some extra CPU processing perhaps but unless you're an actual router that's probably fine.

          • Linux users do seem to have more recourse for issues like this - including switching to an eBPF "User Mode"

            That is senseless garbage from Tomshardware. Firstly users do not get a choice of how software is implemented. It's left up to the companies who do it.
            Secondly CrowdStrike does use eBPF. And it was precisely their eBPF process which triggered a kernel panic https://access.redhat.com/solu... [redhat.com]

        • by Anonymous Coward

          ....and yet most drivers in Linux live in kernel space and it is very stable.

          Well, Crowdstrike did the exact same thing to Linux servers earlier this year, sending them into kernel panic. https://www.tomshardware.com/s... [tomshardware.com]

          That ended up being a Linux kernel bug that Crowdstrike found and a patch has fixed (thanks to the Register for the links):
          https://news.ycombinator.com/i... [ycombinator.com] +
          https://github.com/torvalds/li... [github.com]

          CrowdStrike Engineering identified a bug in the Linux kernel BPF verifier, resulting in unexpected operation or instability of the Linux environment. In detail, as part of its tasks, the verifier backtracks BPF instructions from subprograms to each program loaded by a user-space application, like the sensor. In the bugged kernel versions, this mechanism could lead to an out-of-bounds array access in the verifier code, causing a kernel oops.

          So no - not the same problem Microsoft has due to completely different operating system design.

    • Oh, so third party GPUs on x86 MacOS don't use third party kexts?

      Apple silicon MacOS doesn't need third party kernel drivers any more because they have no significant high bandwidth third party peripherals any more. I don't relish them having that level of monopoly over the hardware operating in their ecosystem.

      • Oh, so third party GPUs on x86 MacOS don't use third party kexts?

        Not since Big Sur, which deprecated that entire system. That update played havoc with all anti-virus software, even though they knew this change was coming.

        • Why are all the x86 drivers still kexts then? It's not like they gave Apple the source code, these are third party kernel drivers regardless of signing.

  • This looks bad for Microsoft and CrowdStrike, so Microsoft, being Microsoft, said let's lock that door and do it ourselves
    • like every other vendor in the space. Apple and all phone manufacturers give the user ZERO access to kernel space and most not even root privileges.

  • Yeah, this isn't gonna work for 10000 reasons. Anyway, Linux sitting there like "lol, docker images"
  • Fun times... (Score:5, Insightful)

    by Junta ( 36770 ) on Friday July 26, 2024 @10:42AM (#64657348)

    Brace for Microsoft to "let no good crisis go to waste". Fully expecting the "only acceptable solution" to coincidentally align with some other business objectives.

    • Brace for Microsoft to "let no good crisis go to waste". Fully expecting the "only acceptable solution" to coincidentally align with some other business objectives.

      And why not? Just go back over the last few days of Slashdot comments to see the people demanding that Microsoft do something about it, even though the only thing they can do is limit your access to the OS further locking down and Appleifying Windows.

      I'm not surprised people called for it. I'm surprised at the number of people *ON SLASHDOT* who called for it seemingly unaware of the consequences of what they are asking.

      • by Junta ( 36770 )

        If you dig into the nuance, you might find fairly mild tweaks that accomplish the goal.

        At a high level, if Windows eBPF provides the facilities required for their own security software as well as competitors, then that would suffice to address the needs, perhaps together with blacklisting all traditional kernel extensions including their own that no longer need to be done that way.

        Now it was "just an example", but jumping straight to Azure connected implementation as an example gives me pause for concern as

    • This strategy is often the only way to get "hard" but important changes to be accepted.

  • 1) First create a Linux desktop shell that mimics the Windows one.

    2) Enhance the wine to include every hidden api call.

    3) sell the new and improved windows OS

    4) Profit

    • by tepples ( 727027 )

      2) Enhance the wine to include every hidden api call.

      That would more or less depend on ReactOS. Wine is built to run user-mode applications, which makes the entire driver interface a "hidden API call" from the point of view of the application. Case in point is that Wine cannot run Apple Mobile Device Service, the component of iTunes that connects to an iPhone or iPad and allows transferring music to the device's music library, because it incorporates a device driver for iPhone and iPad.

      • Microsoft has compromised backwards compatibility sufficiently that Wine has a lot less distance to go before it will be able to run as much old Windows software as Windows does.

        All that's therefore really needed is enough improvements to Wine and enough changes to Microsoft's runtimes to meet it somewhere. If you want to run very old Windows software on Linux, you can do it the same way you now have to do it on Windows: Run it in a VM. Microsoft has previously supplied their operating system for this purpo

  • allow bit locker auto unlock in safe mode? auto rollback / auto disable crashing kernel mods?

    • allow bit locker auto unlock in safe mode? auto rollback / auto disable crashing kernel mods?

      In short, yes. Snapshot functionality should be used for every update which has the potential to break the system. It is already there in the system and used for updates and driver installs. This software may interfere with its function in this circumstance, in which case it should be improved so that this is not possible. And any kernel driver which self-updates should not only be required to use it, but should also be allowed no mechanism to self-update which does not make use of it.

  • Why does MS need to make changes? Didn't they say it was the fault of the EU.

    https://www.yahoo.com/news/microsoft-says-eu-blame-worlds-145503555.html

    Did Microsoft lie ? Looks like it

  • Every so often, I see Microsoft do something regarding Windows security. The driver model changing in Vista, which made sense. However, there are things like the AI based app scanner that came out a year or two ago, in addition to AuthentiCode signing.

    So, VBS Enclaves are taking a page from Qubes OS, as well as shielded VMs and running shielded VMs in a protected memory space, this sets up a fence, but if the OS is compromised, a keylogger and something grabbing screenshots could exfiltrate or modify what

  • by devslash0 ( 4203435 ) on Friday July 26, 2024 @11:26AM (#64657482)

    Disable forced automatic updates for everyone. Let people choose if and when their business is ready to perform updates. This is the biggest threat to resilience modern software is facing these days.

    • That's the entire business proposition of CrowdStrike. They sell themselves as a service you can outsource these decisions to. If you don't want this kind of support, you can just use MS Defender, which does allow you to hold back such change until you can vet them.

    • Disable forced automatic updates for everyone. Let people choose if and when their business is ready to perform updates.

      This is first line security software. Businesses will voluntarily force the update ASAP on everyone. Not doing so opens them up to zero days. The problem here is that the fault could be triggered by simple algorithmics. Crowdstrike already gives businesses the option of when to update *the software*. Windows already gives users the option to delay windows updates, and businesses full control of how to apply windows updates.

      But virus definition files, network analytics, and similar threat detection systems r

      • Not doing so opens them up to zero days. Was I born yesterday? Doesn't a zero day mean you were open to the risk the whole time, but then wait for the patch to be available? I bet the reboots for this CrowdStrike update weren't even important, it was probably just routine bug fix/features for their software, not even the core OS.
        • Doesn't a zero day mean you were open to the risk the whole time, but then wait for the patch to be available?

          Yes, which you then apply the moment it comes out. This is basically how network and malware security work. You identify something in the wild (zero day attack) and roll out an update to address it straight away.

          We're not talking about software bugs here.

    • If you're running a security tool without updating it regularly, you may as well just uninstall it, as it's not going to do you a lot of good without updates to handle whatever the latest and greatest threats are (which were specifically designed to bypass the previous version).

      If I understand correctly for this crowdstrike incident, the issue was not a new version of the software, just a new version of the data package that it uses, which in turn caused the old/existing version of software to crash. I d
    • You can already disable forced automatic updates through group policy.
  • "This move towards a "Zero Trust" approach" Well there goes Microsoft's business model.
    • "Zero Trust" really just means don't trust anyone except ourselves. In Microsoft's case it means don't trust the administrator / device owner, work against them. Fun fact, neither work out in practice because one person does not equal a society, and owners dislike property ordering them around.

      Which goes doubly so for computers due to the fact that very few individuals have the knowledge to, much less actually, build a full system from the silicon to the apps. Modern computing is a collaborative work by
  • > Cable pointed to recent innovations like VBS enclaves and the Azure Attestation service as examples of security measures that don't rely on kernel access.

    Windows is the problem. As it can't separate kernel and user space or tell the difference between open and run.

    > This move towards a "Zero Trust" approach could have far-reaching implications for the cybersecurity industry and Windows users worldwide, as Microsoft seeks to balance system security with the needs of its partners in the broad
  • Posturing (Score:5, Insightful)

    by bill_mcgonigle ( 4333 ) * on Friday July 26, 2024 @11:48AM (#64657564) Homepage Journal

    Half the Fortune 500 CEO's wanted to know why they were down while Big Tech was up and their CIO's had to explain that Big Tech runs on Linux and the CEO's all then said, "why the fuck are you in my office instead of moving our shit to linux?" and so Microsoft has to respond with, "nah, you don't need to do that".

    Except they do.

    • Re:Posturing (Score:5, Insightful)

      by thegarbz ( 1787294 ) on Friday July 26, 2024 @12:20PM (#64657714)

      What makes you think Linux is a defence to that? Are you unaware that Crowdstrike caused boot time kernel panics putting Linux machines into a boot loop less than 2 months ago? https://access.redhat.com/solu... [redhat.com]

      As usual the dumbest security measure is thinking that you solve the problem by migrating to other software rather than actually addressing your security practices and security management.

      • Re:Posturing (Score:4, Insightful)

        by swillden ( 191260 ) <shawn-ds@willden.org> on Friday July 26, 2024 @12:41PM (#64657778) Journal

        What makes you think Linux is a defence to that? Are you unaware that Crowdstrike caused boot time kernel panics putting Linux machines into a boot loop less than 2 months ago? https://access.redhat.com/solu... [redhat.com]

        As usual the dumbest security measure is thinking that you solve the problem by migrating to other software rather than actually addressing your security practices and security management.

        Yeah, the reason Big Tech didn't go down wasn't because Big Tech uses Linux, it's because Big Tech doesn't use Crowdstrike, because Big Tech spends a lot of money on staff and processes to manage security risks. Other companies could do that, but it's really expensive and most of them don't have the scale to justify spending that much. So, instead, they outsource the job to Crowdstrike, et al... which is great when it works, and not so much when it doesn't.

      • by gweihir ( 88907 )

        Clownstroke is not needed on Linux at all and it is a bad idea using it there. It, or something like it, is pretty much required on Windows. Why do you keep pushing your lie?

        • Clownstroke is not needed on Linux at all and it is a bad idea using it there.

          And there you have it ladies and gentlemen. The typical "I use Linux therefore I am secure" post combined with a complete lack of understanding of what CrowdStrike actually does (no Linux natively doesn't offer the same security features - or ... reporting features which is important if you've ever actually run an important network beyond the odd computer you have at home).

          Thanks for proving my point. Your views on security on Slashdot (not just in this story here) are exactly what I'm talking about.

          • by gweihir ( 88907 )

            Well, given that you are a known incompetent, I am not impressed at all. Incidentally, there is no "Linux native".

  • I just download the fix from Canonical (or any other reputable distributor) & run it on any Windows machine. It removes all the malware permanently in less than an hour. Runs better & faster afterwards too.
  • In basic terms, a virus is a piece of software that self replicates and prevents you from accessing your computer or data. So ... is CrowdStrike a virus?
  • with access to the Windows kernel. I can't say I feel safer.

  • Perhaps MS could start tightening security by revoking the secure boot keys of Linux distros. In the name of disasters like the recent one never happening again...

    • by gweihir ( 88907 )

      That would be a _really_ bad idea. I know the US does not have any anti-trust law that works, but the EU does.

  • I think they need a system for boot environment versioning, like what I can do with TrueNAS SCALE and pfSense Plus - thanks to the smarts of ZFS snapshots, and sane Linux file system layouts. Then have a BMC that watchdogs the running OS and can roll back to a previous boot env automatically after a catastrophic failure.
    • Even without using snapshots they could do an A/B system for the core of the OS and its kernel space drivers, and that also would solve this problem with even less technology. Even phones do it.
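One way to implement the snapshot / A-B rollback described in this comment and in the earlier one about self-updating kernel drivers, as an added Python illustration that is not Microsoft's, CrowdStrike's or any commenter's code: the channel-file format, its bounds checks and the boot-failure threshold are all constructed assumptions, and a parse failure stands in for the crash a kernel module would suffer when loading bad content.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

MAGIC = b"CHNL"        # constructed 4-byte file signature
ENTRY_SIZE = 8         # constructed fixed-width record size
MAX_FAILED_BOOTS = 2   # consecutive failures before automatic rollback


def make_channel(entries: List[bytes]) -> bytes:
    """Build a well-formed constructed channel file: magic, entry count, entries."""
    assert all(len(e) == ENTRY_SIZE for e in entries)
    return MAGIC + struct.pack(">H", len(entries)) + b"".join(entries)


def parse_channel(data: bytes) -> List[bytes]:
    """Parse with explicit bounds checks: raise instead of reading past the
    buffer, which is the class of fault a kernel component cannot survive."""
    if len(data) < 6 or data[:4] != MAGIC:
        raise ValueError("bad magic or truncated header")
    (count,) = struct.unpack(">H", data[4:6])
    body = data[6:]
    if len(body) != count * ENTRY_SIZE:
        raise ValueError(f"header claims {count} entries, body holds {len(body)} bytes")
    return [body[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] for i in range(count)]


@dataclass
class StagedUpdater:
    """Last-known-good (A/B slot) management for content loaded at boot."""
    known_good: bytes                 # slot A: the version that last booted cleanly
    staged: Optional[bytes] = None    # slot B: a newly downloaded, unproven version
    failed_boots: int = 0
    log: List[str] = field(default_factory=list)

    def stage(self, new: bytes) -> None:
        """Write the update into the inactive slot; the good slot is untouched."""
        self.staged = new
        self.failed_boots = 0
        self.log.append("staged update")

    def active(self) -> bytes:
        return self.known_good if self.staged is None else self.staged

    def boot(self) -> bool:
        """Simulate one boot. Repeated failures on the staged slot roll back;
        a clean boot promotes the staged slot to last-known-good."""
        try:
            parse_channel(self.active())
        except ValueError as exc:
            self.log.append(f"boot failed: {exc}")
            if self.staged is not None:
                self.failed_boots += 1
                if self.failed_boots >= MAX_FAILED_BOOTS:
                    self.staged, self.failed_boots = None, 0
                    self.log.append("rolled back to last-known-good")
            return False
        if self.staged is not None:
            self.known_good, self.staged = self.staged, None
            self.log.append("promoted staged update")
        return True


def demo() -> StagedUpdater:
    """Constructed scenario: a bad update whose header claims three entries
    but carries only two crashes the loader twice, then is rolled back."""
    good = make_channel([b"rule0001", b"rule0002"])
    bad = MAGIC + struct.pack(">H", 3) + b"rule0001" + b"rule0002"
    updater = StagedUpdater(known_good=good)
    updater.stage(bad)
    updater.boot()   # failure 1
    updater.boot()   # failure 2 -> rollback
    updater.boot()   # boots on last-known-good
    return updater
```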

  • They are the designers of that non-resilient, insecure piece-of-trash! Any problems with it are the direct result of them not caring, messing it up and disrespecting their customers, nothing else.

  • Why wasn't it resilient before? You weren't trying already?

    Seems just like security breaches (which ironically the breaking tool was to prevent). When caught they claim they will work harder on it now.

    Capitalism at its finest. Just like the military and their 'everything is made by the lowest priced contractor' issue (still?).

  • They were designing an API that would allow user mode access to the features that security vendors were demanding. There was (no surprise) a certification and trust process that went a lot with it.

    The EU thought that this would stop smaller companies from entering the space, even though the costs of the program were very little compared to the development costs of, well, making the software itself. So, they told MS they would fine them if they proceeded, so MS dropped it.

    Regulation is good overall, but this w
