EU gave CrowdStrike the keys to the Windows kernel, claims Microsoft
Was a 2009 agreement on interoperability to blame?
Did the EU force Microsoft to let third parties like CrowdStrike run riot in the Windows kernel as a result of a 2009 undertaking? This is the implication being peddled by the Redmond-based cloud and software titan.
As the tech industry deals with the fallout from the CrowdStrike incident, Microsoft is facing questions. Why is software like CrowdStrike permitted to run at such a low level, where a failure could spell disaster for the operating system?
To be clear, Microsoft is not to blame for the now-pulled update that continues to cause chaos. However, the underlying architecture that allows third parties to run deeply integrated software merits closer examination.
According to a report in the Wall Street Journal, a Microsoft spokesperson pointed to a 2009 undertaking by the IT giant with the European Commission as a reason why the Windows kernel is not as protected as that of the current Apple Mac operating system, for example. Apple has deprecated third-party kernel extensions since macOS 10.15 and instead offers security vendors a user-space Endpoint Security framework, so a crashing endpoint agent on a Mac takes down its own process rather than the kernel.
The agreement [DOC] is about interoperability and came as Microsoft was subject to European scrutiny. The undertaking seeks a level playing field and includes the following clause:
Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or the Windows Server Operating System.
In other words, third-party security vendors must get the same access as Microsoft's own products. Which, on the face of it, is fair enough.
However, the clause demands parity, not kernel access: nothing in that undertaking would have prevented Microsoft from building a documented out-of-kernel security API, moving its own Defender onto it, and handing the same interface to CrowdStrike and other vendors. Instead, CrowdStrike's sensor and its ilk run as kernel-mode drivers, using the documented filter-driver and notification callback interfaces to see every process, file and registry operation as it happens, which maximizes visibility for anti-malware purposes. The flip side is that kernel-mode code has no safety net: an unhandled fault in a third-party driver is a fault in the kernel itself, and the machine blue-screens rather than merely losing an agent process.
The Register asked Microsoft if the position reported by the Wall Street Journal was still the IT titan's stance on why a CrowdStrike update for Windows could cause the chaos it did. Redmond has yet to respond.
Windows is far from the only operating system that permits software to run at a level low enough to crash a kernel. However, failures of third-party software running at a low level in Windows can be embarrassingly public, even if Microsoft is not directly to blame. ®