Microsoft is working on tighter security measures for Windows after the CrowdStrike disaster

Alfonso Maruccia

A hot potato: While still working with CrowdStrike to bring millions of botched PCs back online, Microsoft is also thinking about the future of Windows. The platform must evolve and innovate, enhancing resilience against the next faulty update coming from a third-party company.

The CrowdStrike incident could become a turning point for security across the entire Windows world. Microsoft received a big part of the blame and bad press for a bugged update released by the Austin-based security company, and so the Windows maker has started talking about improving resilience for its operating system. Even though regulatory agreements say otherwise, Redmond appears willing to make accessing the Windows kernel significantly more challenging than it is today.

"The Windows ecosystem is a broad, widespread, and open computing platform," Microsoft VP John Cable said in a recent blog post. However, the CrowdStrike fiasco underscores the critical need for reliability within every organization. "Windows must prioritize change and innovation in the area of end-to-end resilience," Cable stated, emphasizing that these changes are necessary to enhance OS security.

The main reason behind the CrowdStrike incident was a faulty update for Falcon Sensor, a vulnerability scanner working at the kernel level to detect and block threats. If a kernel driver crashes because of its own bugs, it can bring down the entire Windows OS despite Microsoft's best efforts to prevent that. Microsoft has criticized European regulators for mandating open kernel access to external security vendors but remains committed to collaborating with partners "who also care deeply about the security of the Windows ecosystem."

Security innovations mentioned by Microsoft include the recently introduced VBS enclave feature, which uses Hyper-V and Windows virtualization to isolate individual applications or specific routines in a protected memory region. Additionally, the Microsoft Azure Attestation (MAA) service can help verify the trustworthiness of a platform and the integrity of its binary files.

Microsoft is carefully choosing its words, but it's clear the company is interested in making Windows more similar to macOS regarding limiting kernel access by external security software.

The "zero trust" approach employed by VBS enclaves and MAA does not depend on kernel access to enhance Windows security, and Microsoft will keep developing these kinds of capabilities despite third-party antivirus programs still mingling with the OS's innermost core.

Microsoft also provided additional guidance on best practices organizations can adopt to improve resilience and avoid another CrowdStrike PC apocalypse. Companies need to implement proper business continuity plans and incident response plans, back up data "securely and often," and ensure they can restore their Windows devices in a short timeframe.

Additional measures such as deployment rings, the latest Windows security default features, and a cloud-native approach to device management should be pursued as well.
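The deployment-ring practice mentioned above is simple to model: an update goes to a small canary ring first, the management backend watches boot-failure telemetry, and promotion to the next ring happens only while the failure rate stays under a threshold. The following is an added example written for this article, not code from Microsoft, CrowdStrike or any endpoint-management product; the ring names, device names, telemetry callbacks and the 1% threshold are all constructed for illustration.

```python
"""Staged (ring-based) rollout gate for a third-party update.

Added example, not code from Microsoft or CrowdStrike. It models the
"deployment rings" practice: an update is pushed to a small ring first,
telemetry is checked, and promotion to the next ring happens only if the
boot-failure rate stays under a threshold. Rings, device names and
telemetry below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Ring:
    name: str
    devices: List[str]


@dataclass
class RolloutResult:
    rings_completed: List[str]   # rings that received the update and stayed healthy
    halted_at: Optional[str]     # ring at which the rollout was stopped, if any
    reason: Optional[str]
    devices_exposed: int         # how many devices received the update at all


# Telemetry callback: given a ring, return device -> "failed to boot" flag,
# standing in for what a management backend would observe after the push.
Telemetry = Callable[[Ring], Dict[str, bool]]


def crash_rate(reports: Dict[str, bool], devices: List[str]) -> float:
    """Fraction of the ring's devices that reported a boot failure."""
    if not devices:
        return 0.0
    failures = sum(1 for d in devices if reports.get(d, False))
    return failures / len(devices)


def staged_rollout(rings: List[Ring], telemetry: Telemetry,
                   max_crash_rate: float = 0.01) -> RolloutResult:
    """Promote the update ring by ring; halt at the first unhealthy ring."""
    completed: List[str] = []
    exposed = 0
    for ring in rings:
        exposed += len(ring.devices)          # the ring has now received the update
        rate = crash_rate(telemetry(ring), ring.devices)
        if rate > max_crash_rate:
            reason = f"crash rate {rate:.1%} exceeds {max_crash_rate:.1%}"
            return RolloutResult(completed, ring.name, reason, exposed)
        completed.append(ring.name)
    return RolloutResult(completed, None, None, exposed)


# Constructed rings: a small canary first, the broad fleet last.
RINGS = [
    Ring("canary", [f"canary-{i:02d}" for i in range(10)]),
    Ring("pilot", [f"pilot-{i:03d}" for i in range(100)]),
    Ring("broad", [f"prod-{i:04d}" for i in range(1000)]),
]


def healthy_update(ring: Ring) -> Dict[str, bool]:
    """Simulated telemetry for a good update: nothing fails."""
    return {d: False for d in ring.devices}


def faulty_update(ring: Ring) -> Dict[str, bool]:
    """Simulated telemetry for a bad kernel-level update: every device that
    received it fails to boot."""
    return {d: True for d in ring.devices}


def flaky_update(ring: Ring) -> Dict[str, bool]:
    """Simulated telemetry where only two pilot devices fail (2% of that ring)."""
    bad = {"pilot-003", "pilot-007"}
    return {d: d in bad for d in ring.devices}


if __name__ == "__main__":
    for label, probe in (("healthy", healthy_update),
                         ("faulty", faulty_update),
                         ("flaky", flaky_update)):
        print(label, staged_rollout(RINGS, probe))
```

With these constructed rings, the fully broken update never leaves the 10-device canary ring, and the update that breaks 2% of pilot devices stops before the 1,000-device broad ring; the same bug-check behaviour pushed to the whole fleet in one step would have hit all 1,110 devices.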


 
M$ is working to patch security issue ... Uhhmmm????!!!!! isn't that akin to pluggin' a single cell in a screen door on a submarine?

Thanks, M$, but I'll just keep using a secure OS.
 
I'm very pleased with Windows and Defender. Yesterday it neutralized a trojan horse on my PC. I wondered what was happening - slow bootup, like 5 min. The virus scan reported nothing, but the heuristic scan (triggered by itself) caught the maggot.

The thing that keeps me wondering is where it came from - I use Steam, EA, etc., no pirated software. The sites I visit are safe and secure. I used a trainer - WeMod - to progress in a stupid game. I cannot tell.
 
I stopped using Windows 21 years ago ... incidentally, I haven't had a trojan, virus, spyware, worm, adware, hijacker, nor any other malware in 21 years ... coincidence? I think not.

I also don't have to pay for my OS or any other software, and I don't need anti-virus / anti-malware software or network security software, and my firewall, which takes me less than 30 seconds to set up, is more effective than the bloated and convoluted monstrosity in Windows.

Bells & whistles be damned.
 
WaphleStomp, yep, I use it for gaming, and in the past for C++ app development. I need Windows for the games.
I've (sadly) chosen an intentional computer existence of security before fun. It hurt for a while, but after one becomes acquainted with misery, the pain seems insignificant ;o)
I miss gaming, sure - but I do not miss reinstalling, entering key codes, installing anti-malware, malware scanning, being ever-paranoid, and constantly worrying about drive-bys.
 
I haven't had a debilitating virus, crash or update since maybe Windows 7. Currently participating in the W11 Beta Insider program. I paid a whole $12 for a Windows key.

Kinda hard to complain about bloat with 16GB, SSDs and fast CPUs being so common.

Linux is "safe" because no one uses it relative to other operating systems. On Windows, a little education on security goes a long way.
 
16GB OS - too big, way too big, too many vectors. AFAIK, M$ still hasn't patched Windows' IPv6 FW hole. The Windows FW is entirely too difficult for an average non-tech-savvy end user. Windows is a mess, a beautiful mess, yes, but a mess all the same, and impossible to secure - literally impossible.
The myth Linux is secure because no one's using it and no one's writing malware for it is just that, a myth.
The security of Unix-based systems is a different animal than Windows, file permissions are essentially locked and by default require admin permission and PW to install. Stand-alone executables, on most distros, require the user to manually add executable permission to allow files to run.
My main system is far more secure than a hardened GNU/Linux (GL) system, and GL is, IMO, exponentially more secure than any Windows system. I download anything, from anywhere, I visit malicious websites regularly, I open all files without a shred of concern, and I run files on my system known to be infected with viruses. Why? Because they can't run on my systems.
And, regardless of any reason GL is more secure than Windows, it's more secure, period.
 
No money in going after 2% of PC's.
 
It's actually around 3% of desktop computers, but regardless of the percentage, it's not avoided due to the lack of units, it's because of the difficulty of hacking a GL desktop compared to a Windows system. Head-to-head I'd give you a full 24 hours to try to hack my computer, full physical access, and you'll never get into it. But I can guarantee you I can get into a W11 system in under 5 minutes. Then there's the online vulnerability aspect; W11, visit one malicious site and it's hooped. On a GL system I could visit every malicious website on the net and never have a problem, ever. Windows has historically always been the least secure OS, and it always will be. GL isn't the most secure, but it's far more secure right now than Windows will be in another 10 years - and that's by design; the monolithicality of Windows is a big part of the problem - too many attack vectors (billions^2), as is the closed-source code, plus add in the, again, historically provable backdoors M$ builds into the OS and you have, again, the security equivalent of a screen door on a submarine.
 
It has its uses. It's just not ready for the masses.
 
There are degrees of security... if provided physical access to a machine, a hacker can access ANY OS - various scripts on a USB key will get you in within minutes (often seconds)... Security in this sense is physical - you lock the "computer room" and only allow authorized users access...

The more common type of security is generally thought of as "security" when someone only has internet access to a device - such as when you browse to a suspicious website, open a phony email, etc... assuming you have a decent firewall (non-OS dependent), you are only "insecure" if you do something dumb (don't click on the email that says you've won a trip to Tahiti - or claim the grand prize in a lottery you never bought a ticket for!!).

Most viruses/malware are for the second kind - and are written for Windows solely because the VAST majority of PCs have that OS. Windows itself isn't intrinsically more or less secure than any *nix OS - many would (and have) argued that because it's open sourced, *nix PCs are actually much easier to infect - there is just less of a reason to due to numbers.

This changes when the hacking is targeted and intentional. When trying to hack a specific business/website/government, the hackers (almost always state-sponsored) will use layered approaches - often receiving access through a mole or "dupe" within the organization or using a set of compromised credentials to gain access to the DB to gain admin access.

Once this is gained, there is almost nothing a hacker can't achieve within the target's network - and Microsoft confirmed that state-sponsored hackers compromised them back in November of 2023... that MS has now had so many issues is almost certainly not a coincidence nor is it "Windows' fault". The fault is almost certainly in the security of MS itself - which probably led to a breach of CrowdStrike which then downed millions of Windows machines. I have heard from some insiders that the downage of all of those machines was actually a smokescreen for the Azure downage that happened at the same time - and that THAT was the true target of the hackers... well, we'll probably never know...
 
When you consider the fact that bugs and teething issues are part and parcel of Microsoft's Windows updates, you can imagine whether they can ever prevent such an issue from happening. It is preventable if there is proper testing being done and procedures to make sure these are fixed before rolling out. Yet even with users being testers for them, and feedback being provided back to Microsoft on broken features, they will still roll the update out in a broken state. So if you ask me, there are major issues with Microsoft to fix, and the problem with CrowdStrike is one of them.
 
LOL, protection by obscurity only. If Linux had the market share of Windows your answers would be very different.

Linux as a daily OS to drive gaming also completely sucks. Enjoy being the vocal 1% who claim Wine and other such emulations are “perfectly fine”. Why you guys put up with that crap to play games and kid yourselves it’s great I’ll never know. Dual booting Windows for the compatibility really wouldn’t kill you, and would save you so much time and faff.
 

What if Linux had say, something like 30% of the market share? 40%? Would you say that makes it a desirable target people actively try to exploit? What if it wasn't just 30% But 30% of the best potential group of targets for actually getting something valuable from someone with a track record and the funds to actually pay ransom like big corporations and businesses?

Because that's the Linux market share on servers, by the way. Now, I'm not saying Windows Server given a proper sysadmin is anywhere near as weak as your average consumer client, but I am merely saying that Linux is chosen for servers instead of Windows fairly often, and arguably for some of the most important, actual physical servers (VMs give the option of a familiar Windows sysadmin environment while the underlying management is still done on Linux), so the people actually in charge of making sure the OSes are solid, that there's a reasonable number of exploits, and of responding to them clearly favor Linux (or Unix) over Windows at least sometimes, and for sometimes critically important tasks like making sure networking infrastructure stays up even if Windows servers and clients for individual customers might not.


I guess guys like Asus and Lenovo can rest easy knowing their devices will overcome the steam deck any day now: it's not possible that a Linux device single-handedly revitalized a market segment like PC based gaming portables to the point that it created brand new customers wanting to try it, Valve's work with Wine and Linux is not real and people don't actually pick up a Steam Deck and have most of their gaming library work without issues to the point competitors on the Windows side had to catch up months or even years after just to get to the point where Valve launched.
 
While Microsoft is looking ahead to improve Windows, the CrowdStrike incident highlights significant issues that shouldn't be overlooked. Millions of botched PCs left users frustrated, and Microsoft took a large portion of the blame for a third-party fault. This situation exposes the weaknesses in their current approach to resilience and security. Despite efforts to innovate, the reliability of Windows updates remains questionable. Enhancing kernel access restrictions might be necessary, but it also reflects poorly on their past decisions and ongoing strategies.
 
1) I never stated anything about using my computer for gaming,
2) are you under the false impression the only purpose for a computer is for games?
3) I never said I used Linux.

HAH, it is nice, however, that when someone says they don't use Windows, people automatically assume they use Linux and not Mac :) ... That's a huge step for Open Source :).

I, however, do use Linux even for Gaming - especially for gaming! Much better than using Windows these days thanks to Gabe and Valve!
 
The Crowdstrike failure isn't a security problem. It's a reliability problem. They deployed a bad patch accidentally that magically went to millions of critical Windozes boxes, servers included, completely unsupervised! And by the sounds of it M$ could've easily done the same themselves.

What happened to each of these, sometimes large, companies doing their own testing before deploying? We're just asking for multiple recurring incidents if this doesn't become a priority.
 
Microsoft cares about Windows operating systems and making zillions. The end user is not really a concern. I'm just about to move on to Linux Mint on my laptop, and try out a new Linux operating system on my desktop. However, I do wish Microsoft continued success, so that the would-be hackers will continue to attack Microsoft, leaving Linux pretty much alone. Not to mention that Microsoft is just about as intrusive into our privacy as China-Google is...
 