Microsoft has announced plans to make changes to Windows that will allow security providers to operate outside of the Windows kernel. These changes were discussed at a security summit held at Microsoft’s headquarters in Redmond, Washington, to discuss how to make Windows more resilient following the massive CrowdStrike incident in July.
The CrowdStrike incident affected 8.5 million Windows PCs and servers, highlighting how critical access to the Windows kernel is to security. CrowdStrike runs in the operating system’s kernel, giving it unrestricted access to system memory and hardware. A buggy update caused systems to experience a Blue Screen of Death error when booting, rendering millions of devices unusable.
Following the incident, Microsoft signaled changes to allow security vendors to operate outside of the Windows kernel and proposed a number of improvements to prevent such bugs from happening again, but Microsoft faced pressure from both partners and regulators not to make these changes unilaterally.
Microsoft meets with security software developers
The software giant met with security vendors such as Broadcom, Sophos, and Trend Micro to discuss security platform requirements and challenges. “Our customers and partners alike have been calling on Microsoft to provide additional security capabilities outside of kernel mode. These new capabilities can be used in conjunction with secure deployment practices to create highly reliable security solutions,” said David Weston, Microsoft’s Vice President of Operating System Security.
Microsoft also addressed the performance requirements of running security software outside of kernel mode and the challenges vendors face in meeting them, and highlighted the need for tamper protection and security sensors in security products. “Microsoft will continue to design and develop this new platform capability in collaboration with ecosystem partners,” Weston said, adding that the work is ongoing.
While Microsoft has not yet publicly said it will completely close access to the Windows kernel, it is understood that these changes are aimed at creating a platform that will allow CrowdStrike and other security providers to operate outside the kernel in the long term. Microsoft previously took a similar step with Windows Vista in 2006, but the move was met with a huge backlash from cybersecurity providers and regulators.
This time around, security vendors are more receptive to Microsoft’s proposals. “These open discussions were an important opportunity to improve the resilience of both Microsoft Windows and the endpoint security ecosystem,” said Sophos CEO Joe Levy. Trend Micro COO Kevin Simzer also praised Microsoft’s continued collaboration with security leaders. CrowdStrike, which attended the summit, also commended Microsoft’s efforts. “We welcomed the opportunity to collaborate with Microsoft to build a more open and resilient Windows endpoint security ecosystem to further secure our customers,” said Drew Bagley, CrowdStrike’s vice president of privacy and cyber policy.
However, not everyone in the security world is happy with Microsoft’s potential changes. Cloudflare CEO Matthew Prince noted that Microsoft could make these changes unilaterally and that regulators should keep a close eye on the situation. Prince said that restricting the Windows kernel to Microsoft alone could be detrimental to the entire industry: if Microsoft granted privileged access only to its own security products, other vendors’ ability to secure the system could be limited.
The summit comes amid Microsoft’s broader cybersecurity transformation, as it begins to evaluate employee performance on its security efforts following a spate of security incidents and criticism in recent years.