To people who say this is not a Microsoft issue... it absolutely is a Microsoft issue. Microsoft allowed third parties to muck with the Windows kernel in a way that makes the computer unbootable. How is that not a Microsoft issue?
Apple has a vetting process before they will allow an app to be added to their app store. Why doesn't Microsoft have a vetting process before allowing a third party to mess with the Windows kernel? Does Crowdstrike have SOC2 or some other certification to make sure they are following secure practices, with third-party verification that they are following their documented practices? If not, why not? Why doesn't Microsoft require that?
It is clear that the status quo can't continue. Think about the 911 calls that didn't get answered and the surgeries that had to be postponed. How many people lost their lives because of this? How does the industry make sure this doesn't happen again? Just rely on Crowdstrike to get their act together? Is it enough to trust them to do so?
Microsoft can't really "certify" their way out of this. Crowdstrike updates as they find threats; that is, all the time. Microsoft can't perfectly vet every update - they come too fast.
That sounds like an argument towards Microsoft not allowing third party drivers like this, or at least strongly discouraging them and making it clear that it breaks the warranty. Didn't Apple do this with deprecating kexts? (maybe that's not applicable, I don't do a lot of macOS dev)
Auditing every data file update seems just as error/system failure prone as Crowdstrike's process was. I don't see a clear reason why Microsoft would have any better incentive than Crowdstrike here.
I do think that maybe the commercial OS vendor has _some_ support responsibilities to at least warn and discourage customers from using the product in dangerous ways? I mean, it's not like we're talking about a couple people installing bad kernel drivers here, we're talking about a worldwide incident. WHQL seems like an admission that Microsoft knows they need to keep dangerous drivers out of the ecosystem.
Let's say MS does not allow third party drivers at all. Then they would have a monopoly over software drivers and system software like security systems. I doubt regulators would want that.
You can do checkbox exercises all day, won't make a difference.
Nearly all banks have long long lists of certifications, they still have extremely bad customer-side security processes because you can "interpret" various guidance and pay the right auditors enough to have it ignored.
Right. So the model is broken. You cannot both respond to threats in a timely manner and have Microsoft certify that the update is safe.
That leaves you either not responding quickly or responding with uncertified updates. In the past, we have examples of not responding quickly that took down large chunks of the internet (I don't remember the examples, but they were quite famous at the time). Now we have an example of a fast, uncertified update taking down a large chunk of the internet.
So, given that it can take down much of the internet no matter which we choose, now what do we do?
Crowdstrike didn't have the right processes in place.
What can we do?
Require them to have documented processes, and require periodic (like every 6 months) third-party auditing that they have the right processes, and they are complying with their own processes.
Again, Microsoft doesn't control modules people choose to use and can't assume anything about how they work, much less disable them without operator approval.
Imagine if malware could somehow crash this module - would you be happy about the OS automatically rolling back the introduction of said module, opening your system to vulnerabilities?
The driver in question was tested and passed WHQL. CrowdStrike included functionality in the driver to interpret a downloadable file (similar to an antivirus signature file). The file in the problematic update was malformed, and the CrowdStrike driver did not handle this case properly; Windows was unable to continue given the exception in question[1].
No operating system can guarantee that a driver will never cause the machine to crash. This wasn’t Microsoft’s fault.
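The comment above describes a driver that parses a downloaded content file and faults when that file is malformed. The block below is an added example written for this page, not CrowdStrike's code and not its real channel-file format: it uses a made-up blob layout (4-byte magic, entry count, offset/length table, payload) and constructed sample inputs, and shows the pattern a kernel-resident parser needs to survive a bad update, namely bounds-check every read against the buffer length before performing it, and on any failure reject the file and keep the previously loaded configuration in force rather than crashing. All names (`parse_update`, `apply_update`, the `SIG1` magic, the 4096 entry cap) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical update-file layout, constructed for this example only:
 *   bytes 0..3  : magic "SIG1"
 *   bytes 4..7  : uint32 little-endian entry count
 *   then count * (uint32 offset, uint32 length), each pointing into the
 *   payload that follows the table.                                      */
#define MAGIC      "SIG1"
#define HDR_LEN    8
#define ENTRY_LEN  8
#define MAX_ENTRIES 4096   /* sanity cap, also keeps count*ENTRY_LEN from overflowing */

enum { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_TRUNCATED, PARSE_BAD_ENTRY, PARSE_TOO_MANY };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parser: no byte is read until the read is proven in-bounds.
 * An unchecked version would trust `count` and each (offset, length)
 * pair and index past the buffer, which in kernel context is a bugcheck. */
int parse_update(const uint8_t *buf, size_t len, uint32_t *entries_seen) {
    *entries_seen = 0;
    if (len < HDR_LEN) return PARSE_TRUNCATED;
    if (memcmp(buf, MAGIC, 4) != 0) return PARSE_BAD_MAGIC;

    uint32_t count = rd32(buf + 4);
    if (count > MAX_ENTRIES) return PARSE_TOO_MANY;

    size_t table_end = HDR_LEN + (size_t)count * ENTRY_LEN;
    if (table_end > len) return PARSE_TRUNCATED;
    size_t payload_len = len - table_end;

    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR_LEN + (size_t)i * ENTRY_LEN;
        uint32_t off = rd32(e), n = rd32(e + 4);
        /* off <= payload_len and n <= payload_len - off, written without overflow */
        if (n == 0 || off > payload_len || n > payload_len - off) return PARSE_BAD_ENTRY;
        /* a real engine would compile the pattern at buf + table_end + off here */
        (*entries_seen)++;
    }
    return PARSE_OK;
}

typedef struct { const uint8_t *data; size_t len; uint32_t entries; } active_config;

/* Fail-closed update: a rejected file leaves *cur untouched, so the system
 * keeps running on the last known-good configuration instead of faulting. */
int apply_update(active_config *cur, const uint8_t *buf, size_t len) {
    uint32_t n;
    int rc = parse_update(buf, len, &n);
    if (rc != PARSE_OK) return rc;
    cur->data = buf; cur->len = len; cur->entries = n;
    return PARSE_OK;
}

/* Constructed sample inputs (not real update files). */
uint8_t good_blob[] = {
    'S','I','G','1',  2,0,0,0,
    0,0,0,0,  3,0,0,0,          /* entry 0: offset 0, length 3 */
    3,0,0,0,  2,0,0,0,          /* entry 1: offset 3, length 2 */
    'a','b','c','d','e'
};
uint8_t bad_count_blob[]  = { 'S','I','G','1', 0xff,0xff,0xff,0xff };   /* absurd count */
uint8_t bad_offset_blob[] = {
    'S','I','G','1',  1,0,0,0,
    0x10,0,0,0,  1,0,0,0,       /* offset 16 into a 2-byte payload */
    'x','y'
};
uint8_t truncated_blob[]  = { 'S','I','G','1', 1,0,0,0, 0,0,0,0 };      /* table cut short */

int main(void) {
    active_config cfg = { good_blob, sizeof good_blob, 0 };
    uint32_t n;
    printf("good:      rc=%d entries=%u\n", parse_update(good_blob, sizeof good_blob, &n), n);
    printf("bad count: rc=%d\n", parse_update(bad_count_blob, sizeof bad_count_blob, &n));
    printf("bad off:   rc=%d\n", parse_update(bad_offset_blob, sizeof bad_offset_blob, &n));
    printf("truncated: rc=%d\n", parse_update(truncated_blob, sizeof truncated_blob, &n));
    printf("apply bad: rc=%d, still on old config: %s\n",
           apply_update(&cfg, bad_offset_blob, sizeof bad_offset_blob),
           cfg.data == good_blob ? "yes" : "no");
    return 0;
}
```

The point of `apply_update` is the policy half of the fix: a parser that merely returns an error is not enough if the caller then dereferences the half-loaded state. Keeping the old configuration as the only thing that can be active until the new one fully validates is what turns a malformed update into a logged rejection instead of a boot loop.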