To find out whether the lawsuit has merit, sometimes you have to sue. It could be an honest mistake and then there's no issue. However, the execs could have made decisions that made something like this happening only a matter of time, for instance firing QA staff. You would want to find out if this is the case so things like this can be avoided in the future through punitive measures. There's no point in taking CS's word for it.

Microsoft already has a locked down version of Windows - S Mode.

Their software is supposed to prevent rootkits. If a rootkit is already loaded there's no guarantee, it will be safer to parse in kernel mode. It's a risk that is simply not worth it.

This a 1000 times. Microsoft called that out as well in their analysis of the issue. And they also effectively did roll out on a Friday. Alot of people spent their weekends cleaning up their mess.

We're conflating two things - providing a usermode API for security vendors and locking down the kernel. It seems like the EU killed locking down the kernel to only MS. MS can still provide a functional usermode API for security vendors and let customers choose.

MS does minimal testing themselves for driver signing. Driver developers are expected to understand how to develop reliable drivers and test their drivers properly. The issue is CS decided to use a risky architecture where the driver was directly processing a downloaded content file.

All OSs will crash if a kernel module accesses invalid memory. That's not just a Microsoft thing. The risk of ignoring it is too great. You can blame Microsoft for creating an OS that requires third party kernel code to secure it. However, it's too late now. If they were to try to lock down the kernel too many people would complain. It seems the direction they're going in is to try to provide safer alternatives to kernel drivers.

Crowdstrike was using a risky architecture. The driver should not have been parsing directly from a configuration file downloaded from the internet. It should have been processed through a user mode service and then sent to the driver over a well tested interface. In the worst case scenario, the service crashes. It's good to minimize kernel code to prevent things like this from happening. It would be interesting to find out why the CS developers thought that was a good idea. Maybe, some developers complained it was a bad idea and it was never taken seriously.

Not only are they in the security business, they are the market leader. They've probably been taking shortcuts along the way to get there.

I'm sure if they could go back in time MS would do things differently. However, it's hard to fault them since at that point in time security simply wasn't taken as seriously as it is today. For example, everyone was running as administrator by default.

Agreed that it would be crazy to make a claim that automated tools can find all invalid pointer references. However, if a basic run of VS code analysis in their driver did find this defect that would suggest basic negligence. Kernel developers are supposed to understand what's at stake and code more carefully. They should be using automated code analysis tools and Driver Verifier at minimum. CrowdStrike also chose an architecture that complicates testing by acting directly on updateable configuration data from kernel mode. The configuration should be processed through a usermode service and then sent to the driver through a well defined and tested device driver interface (DDI). MS suggests this approach. In the worst case scenario, the usermode service crashes and the system continues to run.

The MS driver testing doesn't go that far. It does some basic tests and makes sure it's not malware. They simply don't have the resources or know how to thoroughly test each code path of a third party driver. See https://github.com/olljanat/Bl.... They provide resources and documentation on how to create a reliable driver and as a kernel driver developer you're expected to realize you can't crash the system.

Basically, anything that criticizes Microsoft/Windows automatically gets modded +5.

It's not an application that brough the OS down. It's a kernel driver. The same thing would happen for all OSs that allow for third-party kernel modules. It's expected as the developer of a kernel driver you don't do things to crash the OS.

You can already disable forced automatic updates through group policy.