Microsoft Plans Windows Security Overhaul After CrowdStrike Outage

Microsoft is stepping up its plans to make Windows more resilient to buggy software after a botched CrowdStrike update took down millions of PCs and servers in a global IT outage. Financial Times: The tech giant has in the past month intensified talks with partners about adapting the security procedures around its operating system to better withstand the kind of software error that crashed 8.5 million Windows devices on July 19. Critics say that any changes by Microsoft would amount to a concession of shortcomings in Windows' handling of third-party security software that could have been addressed sooner.

Yet they would also prove controversial among security vendors that would have to make radical changes to their products, and force many Microsoft customers to adapt their software. Last month's outages -- which are estimated to have caused billions of dollars in damages after grounding thousands of flights and disrupting hospital appointments worldwide -- heightened scrutiny from regulators and business leaders over the extent of access that third-party software vendors have to the core, or kernel, of Windows operating systems. Microsoft will host a summit next month for government representatives and cyber security companies, including CrowdStrike, to discuss "improving resiliency and protecting mutual customers' critical infrastructure," Microsoft said on Friday.
  • by Echoez ( 562950 ) * on Friday August 23, 2024 @10:42AM (#64729222)

    Right now, the core software for Crowdstrike's Falcon runs in ring 0, with kernel access. That software goes through Microsoft's quality assurance process. The problem is that this software reads configuration files on disk (such as anti-virus definition files) that don't go through that process.

    It seems like it would be very tricky for Microsoft to have to cover all definition files with the same level of QA as the software itself. The turnaround times for things like antivirus definitions need to happen very quickly. Perhaps Microsoft can have some sort of fast-track QA and approval for these types of updates?

    • by Kobun ( 668169 )
      Better would be to create an Antivirus API and let AV vendors have access to that, instead of direct access to the kernel. It'd also be better if CrowdStrike would write their software so they close off vulnerability to out-of-bounds errors.
    • by g01d4 ( 888748 )

      cover all definition files with the same level of QA as the software itself

      Software not being able to deal with an empty file containing zeros should not pass Microsoft's QA.

    • by unrtst ( 777550 )

      Right now, the core software for Crowdstrike's Falcon runs in ring 0, with kernel access. That software goes through Microsoft's quality assurance process. The problem is that this software reads configuration files on disk (such as anti-virus definition files) that don't go through that process.

      It seems like it would be very tricky for Microsoft to have to cover all definition files with the same level of QA as the software itself.

      Important clarification: The problem was NOT one of reading configuration files. If that were the case, it would not be tricky in the least to ensure those can never ever do any critical harm.

      The problem was that the definitions that the ring0 process was using contained p-code that was used within kernel context. That's executing code from an outside source that has not been vetted, and running that within the kernel. IMHO, that code should GTFO of there, or it should go through full review. Otherwise, we'

      • The problem was that the definitions that the ring0 process was using contained p-code that was used within kernel context. That's executing code from an outside source that has not been vetted, and running that within the kernel. IMHO, that code should GTFO of there, or it should go through full review. Otherwise, we're almost certain to have this situation again.

        Oh, we WILL have this problem again. And again. And again.

        Microsoft (For the 837th time): We're really serious about security now. THIS time we REALLY mean it.

    • by gweihir ( 88907 )

      And the second problem is that apparently Falcon does not do proper input validation on config files. A complete fail on their part and a complete fail of whatever quality assurance process Microsoft applied to the kernel module.

      The thing is, and I really have no clue why so many people do not know this, defective input data must _not_ crash a critical piece of software, such as a kernel module. If it does, the software is defective.

      • by Tablizer ( 95088 )

        To be fair, having the root-level interpreter do more validation could slow the server down by a notable amount. It seems to me something like DLLs should be used instead, and the DLLs would have been previously checked by the compiler.

        • by gweihir ( 88907 )

          I disagree. So yes, it may be slower. But we just saw nicely what happens eventually when you do not do that validation. And incomplete input validation also provides a nice attack path in far too many cases.

      • And the second problem is that apparently Falcon does not do proper input validation on config files. A complete fail on their part and a complete fail of whatever quality assurance process Microsoft applied to the kernel module.

        I think it's cute how you think that Microsoft has ANY quality assurance. They got rid of a lot of their QA people a long time ago. And it has become obvious that any remaining QA people are completely incompetent (or not allowed to do their job by incompetent bosses).

        • by gweihir ( 88907 )

          I don't think they have any. I was responding to somebody that thinks there is some for the kernel modules Microsoft signs.

    • by _merlin ( 160982 )

      Right now, the core software for Crowdstrike's Falcon runs in ring 0, with kernel access. That software goes through Microsoft's quality assurance process.

      No it doesn't. There are two ways you can sign a kernel driver to have Windows allow it: ordinary code signing, and WHQL.

      Ordinary code signing can be done for all drivers. This is what VirtualBox virtual networking drivers use, what OpenVPN's tap-windows6 uses, and what CrowdStrike's Falcon uses. To do this, you obtain a code signing certificate an

      • if Microsoft were to require WHQL certification for all drivers. It would probably kill things like OpenVPN altogether.

        It already killed most OSS hardware driver development. The only OSS Windows hardware drivers made today are either for versions of Windows long out of date that don't mandate WHQL signing for everything, one offs made by some dev who already had an EV cert and was willing to risk it, or projects backed by some company that can afford the annual payments needed to obtain WHQL signatures. That's the whole reason you don't see things like nouveau being built for Windows. It's too expensive for most OSS proje

        • by _merlin ( 160982 )

          They actually dropped the fee for WHQL certification. Initially (back in the Vista days), it was US$250 per driver per OS family. The process is still a pain, although it's better than dealing with Apple's arbitrary and capricious rejections on the iOS App Store.

    • They may be tricky, but given what happened it is essential. I see a Ring 0.5 being introduced that provides a kernel level visibility of the system, but with the memory protections of Ring 1.

      I'd argue that for the most part computers are fast enough these days to allow for memory protected kernel drivers. I see this akin to moving away from SCSI to IDE, for CD-ROMs, when processors reached a certain performance threshold.
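The thread above makes two linked points: unrtst's, that definition files carried p-code executed in kernel context, and gweihir's, that defective input data must not crash a kernel module. The following is an added illustration, not code from the original post or from any vendor: a validate-then-interpret parser in C for a constructed toy definition-file format (the layout, the handler table and the sample files are all invented here), showing how a file of zeros, a truncated file and an unknown opcode are rejected before anything is dispatched on.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed toy definition-file layout (not any vendor's real format):
 * u32 magic, u32 count, then count entries of { u32 opcode, u32 operand }.
 * The opcode selects a handler, so the data file effectively carries p-code. */
#define DEF_MAGIC   0x44454631u
#define HDR_SIZE    8u
#define ENT_SIZE    8u
#define MAX_OPERAND 1000u
enum def_status { DEF_OK = 0, DEF_TOO_SHORT, DEF_BAD_MAGIC, DEF_TRUNCATED,
                  DEF_BAD_OPCODE, DEF_BAD_OPERAND };

typedef int (*handler_fn)(uint32_t operand);
static int op_nop(uint32_t o) { (void)o; return 0; }
static int op_add(uint32_t o) { return (int)o; }
static const handler_fn handlers[] = { op_nop, op_add };
#define N_HANDLERS (sizeof handlers / sizeof handlers[0])
/* memcpy accessors: no unaligned loads, host byte order on both sides. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Check everything the interpreter will trust before trusting any of it: a file
 * of zeros fails the magic test, a count larger than the buffer holds is rejected
 * (the division keeps that overflow-free), an unknown opcode is refused instead
 * of being used to index past the handler table. */
enum def_status def_validate(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < HDR_SIZE) return DEF_TOO_SHORT;
    if (rd32(buf) != DEF_MAGIC) return DEF_BAD_MAGIC;
    uint32_t count = rd32(buf + 4);
    if (count > (len - HDR_SIZE) / ENT_SIZE) return DEF_TRUNCATED;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR_SIZE + (size_t)i * ENT_SIZE;
        if (rd32(e) >= N_HANDLERS) return DEF_BAD_OPCODE;
        if (rd32(e + 4) > MAX_OPERAND) return DEF_BAD_OPERAND;
    }
    return DEF_OK;
}

/* Interpret the file. Malformed input returns -status instead of faulting; the
 * dispatch table is only ever indexed with opcodes that validation accepted. */
int def_run(const uint8_t *buf, size_t len) {
    enum def_status s = def_validate(buf, len);
    if (s != DEF_OK) return -(int)s;
    int acc = 0;
    for (uint32_t i = 0, n = rd32(buf + 4); i < n; i++) {
        const uint8_t *e = buf + HDR_SIZE + (size_t)i * ENT_SIZE;
        acc += handlers[rd32(e)](rd32(e + 4));
    }
    return acc;
}

/* Constructed sample files; each returns def_run's result for that input. */
static int build_and_run(uint32_t count, uint32_t op, uint32_t arg) {
    uint8_t b[HDR_SIZE + ENT_SIZE];               /* room for exactly one entry */
    wr32(b, DEF_MAGIC); wr32(b + 4, count); wr32(b + 8, op); wr32(b + 12, arg);
    return def_run(b, sizeof b);
}
int sample_good(void)       { return build_and_run(1, 1, 42); }    /* 42 */
int sample_truncated(void)  { return build_and_run(1000, 1, 42); } /* -DEF_TRUNCATED */
int sample_bad_opcode(void) { return build_and_run(1, 7, 42); }    /* -DEF_BAD_OPCODE */
int sample_all_zero(void)   { uint8_t z[4096] = {0}; return def_run(z, sizeof z); } /* -DEF_BAD_MAGIC */
```

The same shape applies however rich the real p-code is: every field the interpreter will branch or index on is bounded before the first dispatch, so a bad file degrades to a refused update rather than a fault in ring 0.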

  • by Murdoch5 ( 1563847 ) on Friday August 23, 2024 @10:43AM (#64729228) Homepage
    Microsoft admitting through misdirection that this was their fault, at least partially, is very nice to see. If you need to rewrite your software to work in a stable, secure manner, and that causes a sense of dread, fear, or worry, you might need to examine your development processes / engineering processes.
    • by Virtucon ( 127420 ) on Friday August 23, 2024 @11:25AM (#64729332)

      so you write a ring-0 device driver that uses untested data files containing p-code and then Microsoft somehow has culpability when it fucks up? The situation happened because the EU said "You have to disclose" and MSFT complied. Crowdstrike not writing well-thought-out code owns 100% of the fiasco. It also exposed stupid companies that don't have a -1 environment with isolation of production systems. You never allow production systems to receive updates that you haven't tested before allowing them into production.

      • Except, the issue was only able to happen due to a fundamental design flaw with Windows. CrowdStrike isn't innocent, but they don't have 100% of the blame, they split that blame with Microsoft.
        • That kernel code can crash the system is... industry standard? Seems like you're just hating. May as well blame Intel for allowing such code to run on their chips or blame academia for never figuring out how to make microkernels fast enough.
          • The fact Microsoft lets random code play in kernel space is a design flaw. CrowdStrike has no reason or need to be in kernel space, and the fact Microsoft uses a bad kernel design, bad oversight, bad signing and no service isolation is a flaw with Windows. The fact Microsoft is now starting the discussions on how to make a professional OS really tells you what you need to know.
        • Except, the issue was only able to happen due to a fundamental design flaw with Windows. CrowdStrike isn't innocent, but they don't have 100% of the blame, they split that blame with Microsoft.

          There's no design flaw. Anything you do at kernel level can crash a system. If you want a system that is completely locked down so you can't even decide how to run software on it anymore, buy a Mac. You want to know what is "worse" (by your definition) than Windows? Literally every open source OS in existence - by its nature.

          • It's a stretch to say every other open source OS is worse by default. If you want to make a change to the Linux or BSD kernel, go ahead, you have the code, unrestricted. Can you do the same on Windows? What Microsoft should do is convert the kernel into a micro-kernel and kick everyone out of it, and only allow third parties to run in user space.
      • by unrtst ( 777550 )

        The situation happened because the EU said "You have to disclose" and MSFT complied.

        Close, but wrong. The EU said they had to provide other antivirus companies with the same level of access that their own antivirus has. This was how MS chose to do it. So yeah, some of the onus is on them.

        TFS/TFA are talking about exactly the sort of decision and implementation that they *could* have done back then. It would have been in compliance with the EU mandate as well, but wouldn't have this issue.

      • "so you write a ring-0 device driver that uses untested data files containing p-code and then Microsoft somehow has culpability when it fucks up? "

        Yes. Because it is written in the OS by Microsoft that they *allow* untested code and code from data files to run in ring-0. And *that* is most definitely their fault.

        • by _merlin ( 160982 )

          Yes. Because it is written in the OS by Microsoft that they *allow* untested code and code from data files to run in ring-0. And *that* is most definitely their fault.

          I hate to break this to you, but Linux does as well. You can install your distro's kernel-devel package, compile any broken kernel module you like, and modprobe it straight into ring 0. Your kernel module can load untrusted code from other files into memory and execute it in ring 0. Same is true for most operating systems. Exceptions are thin

          • by unrtst ( 777550 )

            Yes. Because it is written in the OS by Microsoft that they *allow* untested code and code from data files to run in ring-0. And *that* is most definitely their fault.

            I hate to break this to you, but Linux does as well. You can install your distro's kernel-devel package ...

            One of the differences is that one is by design and one is because anything is possible. MS is saying, "here's how we do it; that's how other antivirus companies can and should do it as well", while AFAIK that is not how those maintaining the Linux kernel would recommend things be done. Yes, you can do anything on Linux; you can even configure it as an immutable installation and completely prevent any loading of any kernel modules (compile them in).

            Please note, I'm not saying MS is 100% to blame, but they are

      • by MeNeXT ( 200840 )

        Every aspect of my servers is disclosed. Every byte of code is disclosed. I never had an incident that affected even one production system in the last 30 years where something updated without me knowing what was going to happen before it happened. Cumbersome bloated code that does everything for everyone at ring-0 is just stupid. Having this update automatically outside your control is even worse than stupid.

        I never feel comfortable with Windows systems, not because I don't know what I'm doing but because t

      • The situation didn't happen due to anything the EU said. The EU didn't force MS to allow buggy third party kernel code in Windows. The EU only asked MS to not be anticompetitive, and as always, MS "complied" in a way that was less than perfect.

      • The situation happened because the EU said "You have to disclose" and MSFT complied.

        That sounds like you're blaming the EU for a Microsoft architectural design decision. The reality is the situation happened because Crowdstrike fucked up. We should not be in a world where you are so restricted from running software on your own machine that it can't be crashed. *YOU* should remain the administrator. The EU simply required MS to be a level playing field and publish all relevant information.

        You know what is even worse than that? Everything open source. Imagine how much you can fuck with a sys

      • by jay age ( 757446 )

        Don't buy the rubbish MSFT is spouting about EU deserving any blame. They lie, as per usual.

        Here's what the agreement between MSFT and EC actually says:
        "Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or t

    • by Anonymous Coward
      Palladium, Microsoft’s grand scheme from the early 2000s, was often criticized as a potential DRM (Digital Rights Management) nightmare. And while DRM was part of its vision, the real issue was far broader. Palladium was about creating a digital fortress where the software and data on your machine would be subject to external control. It aimed to give Microsoft—and by extension, anyone with the right credentials—a level of control over what you could do with your own hardware. The idea was
      • "dictated by external authorities" I never got along with authority, and they are going to have a real big problem with me. And many others
    • by gweihir ( 88907 )

      Well, yes and no. Obviously MS shares a rather large part of the blame. Obviously, they needed to admit that in some indirect fashion or they could not have announced they will make things better. But let's be real, this is Microsoft. They cannot do secure system design. They have proven that time and again and this time will not be different.

      • They've proven it's hard to secure a general use operating system where the user base ranges from "where's the any key" through to Dunning-Kruger IT / Cybersecurity experts. The right way to handle their transformation, IMO, is to convert to a heavily secured, signed and audited micro-kernel, then push everything else into user space. That way, CrowdStrike 2.0 shouldn't be possible in terms of a total lockout and lockup scenario. From there, I'd work on containerizing the OS, but make it more seamless t
        • Bringing your own data is the entire point of computing. Killing it off so that only app created data is accessible just makes it so that someone else can control when, where, and how much you'll owe per bit, you can compute. Look at modern Android. Apps now have to beg Google for permission to access user provided data that the user instructs them to. Along with big scary mandatory warnings that accessing their SD card on their own orders might give the app access to their SD card's data. It's annoying at
          • Qubes OS already does this successfully, so if Microsoft adopted that style, and made it much more smooth and user focused, they could take the flaming dumpster fire of an OS they have, and turn it into something almost decent. This entire problem happened because Microsoft let random junk run in the kernel, with no checks, and didn't fail-safe, they failed dead. As for your other comment, I hate MacOS, iOS, iPadOS, Apple is not the platform for me, give me Debian, Fedora, Clear, any day of the week.
    • Microsoft admitting through misdirection that this was their fault, at least partially, is very nice to see.

      They are not. In fact Windows already provides more restriction than any open source software with what you can do with your own system, are you saying Linux and BSD are worse for security?

      If you need to rewrite your software

      They aren't re-writing anything. They are proposing implementing restrictions on what you can do with your system even as administrator. This is not a good thing.

      • I would never say BSD and Linux have worse security than Windows, on the contrary Linux and BSD have the gold standards. My other comment was referring to:

        Yet they would also prove controversial among security vendors that would have to make radical changes to their products, and force many Microsoft customers to adapt their software.

        If anyone is worried about changing their software, well, software is meant to be updated, so that's not really a valid concern.

  • by Anonymous Coward

    And it isn't in Windows, it isn't in Linux.
    It's a microkernel architecture. Tanenbaum was right. Fight me. (Don't actually)

    • NT started out as a microkernel architecture. Linux started out as monolithic. However these days there isn't that much difference between them in that respect.

  • Considering Microsoft's renowned expertise in the field of secure and stable software, I can't wait to see what they come up with... on my coworker's machines.

    • So does that mean I can patch on Patch Tuesday instead of waiting 2 weeks for everyone else's computers to break first?

      • Does Microsoft even let you refuse or delay patches anymore? The best I could do on my work Win11 laptop is to make sure the laptop is sleeping / shut down when I'm not at work so it won't update itself behind my back, and telling Windows to fuck off when it interrupts me and nags about needing to update while I'm working

  • as in bypassed by admin or whatever the superuser is called nowadays in Windows. But then it would be useless as any "security" app would request that access, and we're back to square one with more effort and wasted time. And one step closer to removing the choice and getting one step closer to the iOS-ification of the world next time something bad happens.

  • ... and that will be it. For MS to really improve Windows security, they would have to throw the whole mess away and do what Apple did. Somehow I do not see them doing that (yet).

    • They'll never do it because doing so would break everything that keeps people using Windows. There's far too much Windows software out there that will never see another update, for a variety of reasons, that is still used today. Every time Microsoft breaks one, there's more incentive for those affected to try out alternatives. Those alternatives aren't perfect, hell they may not even exist (yet), but occasionally that last one is good enough for someone to switch. Microsoft's biggest fear is the day that th
  • Microsoft is just another word for kludges on top of kludges. Of course unexpected things will happen in that environment.

  • How hard would it be to checkpoint changes, detect boot failure and let the admin roll back to previous working configuration?
  • This Day on Slashdot:

    Windows Is 'Insecure By Design,' Says Washington Post. Posted by timothy on Sunday August 24, 2003 @11:34PM from the tradeoffs-are-everywhere dept.

    If after 21 years of making several OS revisions Microsoft still has problems on the security side (without mentioning problems on all of the other sides too), why would this time be any different? Instead, couldn't it be just a PR stance to keep doing the same thing for another 21 years?

  • I've been watching (and using) them since 1988 and I have never seen a reason to call Microsoft "security conscious". Here we are some 36 years later and they still have serious security issues. (shrug)
