One more addendum, on a topic taken up in my German blog at the end of July 2024. Microsoft has recently published an analysis of the CrowdStrike incident, which confirms the statements made by CrowdStrike. It also contains recommendations on how third-party providers of security software should work: the use of kernel drivers, as was the case with CrowdStrike, is not recommended. And it states that Microsoft wants to improve the "security of Windows".
Microsoft's CrowdStrike analysis
On July 19, 2024, 8.5 million Windows systems failed due to a faulty signature update in the CrowdStrike Falcon security software. Most of them got stuck in a blue screen loop, and in some cases could no longer be booted at all. Corporate computers were affected, as the above-mentioned CrowdStrike Falcon software is not used by private individuals.
As a result, airports came to a standstill, and trains, radio stations, petrol stations, stores and banks were affected. Administrators at the affected companies had to try booting their Windows computers up to 15 times and hope that the faulty update would be replaced by a working version via the Internet, or manually remove the faulty update from the computers on site to make them work again. I also reported on the problems with BitLocker recovery key queries in a timely
Microsoft addresses this incident in the article Windows Security best practices for integrating and managing security tools. It largely confirms CrowdStrike's analysis (see CrowdStrike: Investigation report; amount of damages and compensation; attribution of blame).
Kernel architecture and its protection
Many security vendors such as CrowdStrike and Microsoft utilize a kernel driver architecture for several reasons. Kernel drivers enable system-wide visibility and the ability to load early in the boot process to detect threats such as bootkits and rootkits that can load before user-mode applications. In addition, Microsoft provides a variety of features such as system event callbacks for process and thread creation and filter drivers that can watch for events such as file creation, deletion or modification. Kernel activities can also trigger callbacks that let drivers decide when to block activities such as file or process creation. Many vendors also use drivers to collect a variety of network information in the kernel by using the NDIS driver class.
Microsoft is working with third-party security vendors through an industry forum called the Microsoft Virus Initiative (MVI) to ensure compatibility with Windows updates, improve performance, and resolve reliability issues. In addition, all drivers signed by the Microsoft Windows Hardware Quality Labs (WHQL) must undergo a series of tests and quality checks, including fuzzing, static code analysis, and runtime driver checks.
All WHQL-signed drivers go through Microsoft's acceptance tests and malware scans and must pass these before they are released for signing. If a third-party vendor chooses to distribute their driver via Windows Update (WU), the driver will also go through Microsoft's flighting and phased rollout processes to monitor quality and ensure that the driver meets the necessary quality criteria for wide release.
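The paragraphs above describe why security vendors run code in the kernel and how WHQL-signed drivers are vetted; the incident itself, as the linked articles note, came down to a content update (ultimately an empty file) that the kernel component did not handle. The following is an added example, not code from Microsoft, CrowdStrike or this blog, showing the defensive pattern such a component needs: a bounds-checked parser for a constructed "signature update" record format (the format, names and sample bytes are invented for illustration, not CrowdStrike's channel file format) that rejects an empty, truncated or malformed update and keeps the last known-good content active instead of faulting.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed update format for this example (hypothetical, not any vendor's):
 *   header : magic "SIGU" (4 bytes), uint16 version, uint16 record_count (LE)
 *   record : uint8 len, followed by len pattern bytes
 */
#define MAX_RECORDS 64
#define MAX_PATTERN 255

enum update_status {
    UPDATE_OK = 0,
    UPDATE_ERR_EMPTY,      /* zero-length buffer: the "empty file" case */
    UPDATE_ERR_BAD_MAGIC,  /* not an update file at all */
    UPDATE_ERR_TRUNCATED,  /* header or record runs past the buffer */
    UPDATE_ERR_TOO_MANY    /* record_count exceeds what we can hold */
};

struct sig_record { uint8_t len; uint8_t pattern[MAX_PATTERN]; };

struct update_content {
    uint16_t version;
    uint16_t count;
    struct sig_record rec[MAX_RECORDS];
};

/* Parse an untrusted update buffer. Every read is bounds-checked against n;
 * on any error the function returns a status code and never touches memory
 * beyond the buffer. Patterns are copied, so 'out' does not alias 'buf'. */
enum update_status parse_update(const uint8_t *buf, size_t n,
                                struct update_content *out)
{
    if (buf == NULL || n == 0)
        return UPDATE_ERR_EMPTY;
    if (n < 8)
        return UPDATE_ERR_TRUNCATED;
    if (memcmp(buf, "SIGU", 4) != 0)
        return UPDATE_ERR_BAD_MAGIC;

    out->version = (uint16_t)(buf[4] | (buf[5] << 8));
    out->count   = (uint16_t)(buf[6] | (buf[7] << 8));
    if (out->count > MAX_RECORDS)
        return UPDATE_ERR_TOO_MANY;

    size_t off = 8;
    for (uint16_t i = 0; i < out->count; i++) {
        if (off >= n)                       /* need 1 byte for the length */
            return UPDATE_ERR_TRUNCATED;
        uint8_t len = buf[off++];
        if (len > n - off)                  /* pattern must fit in what is left */
            return UPDATE_ERR_TRUNCATED;
        out->rec[i].len = len;
        memcpy(out->rec[i].pattern, buf + off, len);
        off += len;
    }
    return UPDATE_OK;
}

/* Engine state: the last known-good content stays active until a new update
 * has been fully validated. A rejected update is counted, not fatal. */
struct engine_state {
    struct update_content active;
    int have_content;
    unsigned rejected_updates;
};

/* Returns 1 if the update was activated, 0 if it was rejected. */
int apply_update(struct engine_state *st, const uint8_t *buf, size_t n)
{
    struct update_content staged;
    memset(&staged, 0, sizeof staged);
    if (parse_update(buf, n, &staged) != UPDATE_OK) {
        st->rejected_updates++;             /* log and keep running as before */
        return 0;
    }
    st->active = staged;                    /* swap in only after validation */
    st->have_content = 1;
    return 1;
}

/* Constructed sample inputs: one valid update with two records, one truncated. */
static const uint8_t SAMPLE_GOOD[]  = { 'S','I','G','U', 1,0, 2,0, 3,'a','b','c', 0 };
static const uint8_t SAMPLE_TRUNC[] = { 'S','I','G','U', 1,0, 1,0, 5,'a' };
static struct update_content g_out;

/* Runs the scenarios and returns how many behaved as intended (expected: 5). */
int self_check(void)
{
    struct engine_state st;
    int ok = 0;
    memset(&st, 0, sizeof st);
    ok += parse_update(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &g_out) == UPDATE_OK
          && g_out.count == 2 && g_out.rec[0].len == 3 && g_out.rec[1].len == 0;
    ok += parse_update(SAMPLE_GOOD, 0, &g_out) == UPDATE_ERR_EMPTY;
    ok += parse_update(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &g_out) == UPDATE_ERR_TRUNCATED;
    ok += apply_update(&st, SAMPLE_GOOD, sizeof SAMPLE_GOOD) == 1;
    ok += apply_update(&st, SAMPLE_GOOD, 0) == 0      /* empty file rejected */
          && st.have_content == 1 && st.active.count == 2 && st.rejected_updates == 1;
    return ok;
}

int main(void)
{
    printf("scenarios passed: %d of 5\n", self_check());
    return 0;
}
```

The point is the control flow, not the format: content that arrives through an update channel is untrusted input, and a component that runs in the kernel has to treat a zero-length or truncated file as a rejected update rather than as data, because there the cost of a bad dereference is the blue screen loop described above.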
Recommendations for the future
In the above article and in the Techcommunity article Windows resiliency: Best practices and the path forward, Microsoft describes all the security measures it has implemented in Windows and what it is doing with third-party drivers to ensure security. However, the Techcommunity article also states:
This [CrowdStrike] incident clearly demonstrates that Windows must prioritize change and innovation in the area of end-to-end resilience. These improvements must go hand in hand with ongoing security improvements and be done in close collaboration with our many partners who also care deeply about the security of the Windows ecosystem.
It remains to be seen what will happen at the end of the day. With every version of Windows, Microsoft never tires of claiming that it is "the most secure Windows ever". All in all, however, it can be said that there have always been and still are major bugs. Let me remind you that Secure Boot is useless on many systems because the UEFI of many motherboards was shipped with a test signature. Binarly has reported on this.
Similar articles:
Worldwide outage of Microsoft 365 (July 19, 2024)
Windows systems throw BSOD due to faulty CrowdStrike update
Why numerous IT systems around the world failed due to two errors on July 19, 2024
CrowdStrike analysis: Why an empty file led to BlueScreen
Review of the CrowdStrike incident, the biggest computer glitch of all time
CrowdStrike incident: sensor failure as a previously unknown side effect?
CrowdStrike: Investigation report; amount of damages and compensation; attribution of blame