Having this code fail because of an error in an external file is just sad.
FWIW, in this case the external file contains P-code which then gets to run in kernel context.
I think that attempting to blame Microsoft is a red herring or an attempt to try and drag some bigger pockets into the blame pool in hopes of some future remuneration from those bigger pockets.
No, there is sufficient reason to also blame Microsoft. Tools like CrowdStrike must run in Kernel mode in part because Microsoft doesn’t really give them a lot of other options. Back when NT 3.1 was being developed, Microsoft made the decision to only support Ring 0 and Ring 3 (Kernel mode/user mode respectively) for performance reasons — switching between rings can take 150+ clock cycles, and can be slow. But the Intel CPU supports four Rings of execution, with Ring 1 intended for device drivers.
Modern Windows works in this way to this day. Had Microsoft been more focussed on safety and less on raw performance, drivers could run in Ring 1 and could be isolated from the kernel. A Ring 1 CrowdStrike Falcon Sensor driver could, in theory, be isolated from the system when it misbehaved, allowing the system to remain online. But Microsoft being Microsoft, they chased performance over safety — so we have a situation where an errant driver like the Falcon sensor can bring the whole system down.
If you want to see a system that does it right, look at how Falcon Sensor runs on macOS. There the Falcon Sensor is written as a modern System Extension, and leverages DriverKit Endpoint Security extensions — where it has all the access it needs to system events, but runs completely in user mode. Should CrowdStrike on macOS run into a similar problem, the system can just isolate it and shut it down without crashing the entire system like Windows.
What the FSF is failing to say here is that Linux has the same basic flaws that Windows has when it comes to misbehaving drivers. Linux also only supports Ring 0/Ring 3, and doesn’t provide a way for something like the Falcon Sensor to run in user mode à la macOS. Indeed, certain Linux distros with certain kernel revisions have already had kernel panics due to CrowdStrike earlier this year.
You can’t wait a week for your security software to be updated when there are actors online actively exploiting zero-day vulnerabilities. CrowdStrike absolutely screwed the pooch on this one. But both Microsoft and Linux still assume we live in the device driver world of the 1990s, where you release a driver and maybe just do a few bug fixes every few months, and which eventually becomes stable enough not to change. In the 202X online world we need both security software that is constantly updated and appropriate driver protection guarantees to simply disable misbehaving drivers like this one. Unfortunately, the only major OS doing any work in this area seems to be Apple — Linux could learn something from them in this regard. Maybe instead of claiming that being able to choose from multiple OS vendors using the same kernel is the solution, the FSF could instead work with the Linux Kernel maintainers to look at mechanisms to isolate drivers, so when they misbehave they don’t take down the entire system with them.
Yaz