Microsoft Plans Windows Security Overhaul After CrowdStrike Outage
Microsoft is stepping up its plans to make Windows more resilient to buggy software [non-paywalled source] after a botched CrowdStrike update took down millions of PCs and servers in a global IT outage. Financial Times: The tech giant has in the past month intensified talks with partners about adapting the security procedures around its operating system to better withstand the kind of software error that crashed 8.5mn Windows devices on July 19. Critics say that any changes by Microsoft would amount to a concession of shortcomings in Windows' handling of third-party security software that could have been addressed sooner.
Yet they would also prove controversial among security vendors that would have to make radical changes to their products, and force many Microsoft customers to adapt their software. Last month's outages -- which are estimated to have caused billions of dollars in damages after grounding thousands of flights and disrupting hospital appointments worldwide -- heightened scrutiny from regulators and business leaders over the extent of access that third-party software vendors have to the core, or kernel, of Windows operating systems. Microsoft will host a summit next month for government representatives and cyber security companies, including CrowdStrike, to discuss "improving resiliency and protecting mutual customers' critical infrastructure," Microsoft said on Friday.
Beef Up (Score:1)
https://www.youtube.com/watch?... [youtube.com]
Updates to software running in Ring 0 are tricky (Score:5, Interesting)
Right now, the core software for Crowdstrike's Falcon runs in ring 0, with kernel access. That software goes through Microsoft's quality assurance process. The problem is that this software reads configuration files on disk (such as anti-virus definition files) that don't go through that process.
It seems like it would be very tricky for Microsoft to have to cover all definition files with the same level of QA as the software itself. The turnaround times for things like antivirus definitions need to happen very quickly. Perhaps Microsoft can have some sort of fast-track QA and approval for these types of updates?
Re: (Score:2)
Re: (Score:2)
Software not being able to deal with an empty file containing zeros [computerweekly.com] should not pass Microsoft's QA.
Re: (Score:3)
Right now, the core software for Crowdstrike's Falcon runs in ring 0, with kernel access. That software goes through Microsoft's quality assurance process. The problem is that this software reads configuration files on disk (such as anti-virus definition files) that don't go through that process.
It seems like it would be very tricky for Microsoft to have to cover all definition files with the same level of QA as the software itself.
Important clarification: The problem was NOT one of reading configuration files. If that were the case, it would not be tricky in the least to ensure those can never ever do any critical harm.
The problem was that the definitions that the ring0 process was using contained p-code that was used within kernel context. That's executing code from an outside source that has not been vetted, and running that within the kernel. IMHO, that code should GTFO of there, or it should go through full review. Otherwise, we'
Re: (Score:1)
The problem was that the definitions that the ring0 process was using contained p-code that was used within kernel context. That's executing code from an outside source that has not been vetted, and running that within the kernel. IMHO, that code should GTFO of there, or it should go through full review. Otherwise, we're almost certain to have this situation again.
Oh, we WILL have this problem again. And again. And again.
Microsoft (For the 837th time): We're really serious about security now. THIS time we REALLY mean it.
Re: (Score:3)
And the second problem is that apparently Falcon does not do proper input validation on config files. A complete fail on their part and a complete fail of whatever quality assurance process Microsoft applied to the kernel module.
The thing is, and I really have no clue why so many people do not know this, defective input data must _not_ crash a critical piece of software, such as a kernel module. If it does, the software is defective.
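The point made in this reply, and in the earlier one about a file of zeros, as an added example (not CrowdStrike's or Microsoft's code, and using a constructed definition-file layout rather than the real channel-file format): a parser that validates every field of an untrusted definition blob before any of it is dereferenced, so a zero-filled or truncated file comes back as an error code instead of a kernel fault.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical definition-file layout, constructed for this example (not CrowdStrike's
 * real channel-file format): header, then `count` offset/length entries into a payload. */
#define DEF_MAGIC       0x00464544u   /* "DEF\0" in memory on little-endian */
#define DEF_VERSION     1u
#define DEF_MAX_ENTRIES 256u
struct def_header { uint32_t magic, version, count, payload_len; };
struct def_entry  { uint32_t offset, length; };
enum def_status { DEF_OK = 0, DEF_TOO_SHORT, DEF_BAD_MAGIC, DEF_BAD_VERSION,
                  DEF_BAD_COUNT, DEF_TRUNCATED, DEF_BAD_ENTRY };

/* Reject a blob before any field in it is trusted: every later read of the
 * table or payload is bounded here, so a zero-filled, short or hostile file
 * yields an error code instead of a fault. */
enum def_status validate_definition(const uint8_t *buf, size_t len)
{
    struct def_header h;
    if (buf == NULL || len < sizeof h) return DEF_TOO_SHORT;
    memcpy(&h, buf, sizeof h);                 /* copy out; no unaligned deref */
    if (h.magic != DEF_MAGIC) return DEF_BAD_MAGIC;   /* all-zero file stops here */
    if (h.version != DEF_VERSION) return DEF_BAD_VERSION;
    if (h.count == 0 || h.count > DEF_MAX_ENTRIES) return DEF_BAD_COUNT;
    size_t table = (size_t)h.count * sizeof(struct def_entry);  /* count bounded */
    if (len - sizeof h < table || len - sizeof h - table < h.payload_len)
        return DEF_TRUNCATED;                  /* subtract-then-compare: no overflow */
    for (uint32_t i = 0; i < h.count; i++) {
        struct def_entry e;
        memcpy(&e, buf + sizeof h + (size_t)i * sizeof e, sizeof e);
        if (e.length == 0 || e.offset > h.payload_len ||
            e.length > h.payload_len - e.offset)
            return DEF_BAD_ENTRY;              /* entry would read past payload */
    }
    return DEF_OK;
}

/* Constructed sample (not a real file): a well-formed blob with one 4-byte
 * entry, optionally zero-filled (the empty-file case) or shortened. */
enum def_status check_case(int zero_filled, size_t truncate_by)
{
    uint8_t buf[64] = { 0 };
    struct def_header h = { DEF_MAGIC, DEF_VERSION, 1, 4 };
    struct def_entry  e = { 0, 4 };
    size_t n = sizeof h + sizeof e + 4;        /* 28 bytes */
    if (!zero_filled) {
        memcpy(buf, &h, sizeof h);
        memcpy(buf + sizeof h, &e, sizeof e);
    }
    return validate_definition(buf, truncate_by < n ? n - truncate_by : 0);
}
```

Note that the data is only ever read through `validate_definition`'s own copies and bounds, which is what lets the module treat a bad file as a recoverable condition rather than a crash.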
Re: (Score:1)
To be fair, having the root-level interpreter do more validation could slow the server down by a notable amount. It seems to me something like DLLs should be used instead, and the DLLs would have been previously checked by the compiler.
Re: (Score:2)
I disagree. So yes, it may be slower. But we just saw nicely what happens eventually when you do not do that validation. And incomplete input validation also provides a nice attack path in far too many cases.
Re: (Score:1)
And the second problem is that apparently Falcon does not do proper input validation on config files. A complete fail on their part and a complete fail of whatever quality assurance process Microsoft applied to the kernel module.
I think it's cute how you think that Microsoft has ANY quality assurance. They got rid of a lot of their QA people a long time ago. And it has become obvious that any remaining QA people are completely incompetent (or not allowed to do their job by incompetent bosses).
Re: (Score:2)
I don't think they have any. I was responding to somebody that thinks there is some for the kernel modules Microsoft signs.
Re: (Score:2)
No it doesn't. There are two ways you can sign a kernel driver to have Windows allow it: ordinary code signing, and WHQL.
Ordinary code signing can be done for all drivers. This is what VirtualBox virtual networking drivers use, what OpenVPN's tap-windows6 uses, and what CrowdStrike's Falcon uses. To do this, you obtain a code signing certificate an
Re: (Score:2)
if Microsoft were to require WHQL certification for all drivers. It would probably kill things like OpenVPN altogether.
It already killed most OSS hardware driver development. The only OSS Windows hardware drivers made today are either for versions of Windows long out of date that don't mandate WHQL signing for everything, one offs made by some dev who already had an EV cert and was willing to risk it, or projects backed by some company that can afford the annual payments needed to obtain WHQL signatures. That's the whole reason you don't see things like nouveau being built for Windows. It's too expensive for most OSS proje
Re: (Score:2)
They actually dropped the fee for WHQL certification. Initially (back in the Vista days), it was US$250 per driver per OS family. The process is still a pain, although it's better than dealing with Apple's arbitrary and capricious rejections on the iOS App Store.
Re: Updates to software running in Ring 0 are tric (Score:2)
They may be tricky, but given what happened it is essential. I see a Ring 0.5 being introduced that provides a kernel level visibility of the system, but with the memory protections of Ring 1.
I'd argue that for the most part computers are fast enough these days to allow for memory protected kernel drivers. I see this akin to moving away from SCSI to IDE, for CD-ROMs, when processors reached a certain performance threshold.
Re: (Score:2)
This is the right move! (Score:4, Insightful)
Re: (Score:3)
Immutable Linux Distros don't have that problem. Most people don't run immutable Linux though.
MacOS also doesn't have that problem because it is, since Big Sur, an immutable distro.
Re: (Score:2)
Re:This is the right move! (Score:4, Insightful)
so you write a ring-0 device driver that uses untested data files containing p-code and then Microsoft somehow has culpability when it fucks up? The situation happened because the EU said "You have to disclose" and MSFT complied. Crowdstrike not writing well-thought-out code owns 100% of the fiasco. It also exposed stupid companies that don't have a -1 environment with isolation of production systems. You never allow production systems to receive updates that you haven't tested before allowing them into production.
Re: (Score:2)
Re: This is the right move! (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Except, the issue was only able to happen due to a fundamental design flaw with Windows. CrowdStrike isn't innocent, but they don't have 100% of the blame; they split that blame with Microsoft.
There's no design flaw. Anything you do at kernel level can crash a system. If you want a system that is completely locked down so you can't even decide how to run software on it anymore, buy a Mac. You want to know what is "worse" (by your definition) than Windows? Literally every open source OS in existence - by its nature.
Re: (Score:2)
Re: (Score:2)
The situation happened because the EU said "You have to disclose" and MSFT complied.
Close, but wrong. The EU said they had to provide other antivirus companies with the same level of access that their own antivirus has. This was how MS chose to do it. So yeah, some of the onus is on them.
TFS/TFA are talking about exactly the sort of decision and implementation that they *could* have done back then. It would have been in compliance with the EU mandate as well, but wouldn't have this issue.
Re: (Score:2)
"so you write a ring-0 device driver that uses untested data files containing p-code and then Microsoft somehow has culpability when it fucks up? "
Yes. Because it is written into the OS by Microsoft that they *allow* untested code and code from data files to run in ring-0. And *that* is most definitely their fault.
Re: (Score:2)
I hate to break this to you, but Linux does as well. You can install your distro's kernel-devel package, compile any broken kernel module you like, and modprobe it straight into ring 0. Your kernel module can load untrusted code from other files into memory and execute it in ring 0. Same is true for most operating systems. Exceptions are thin
Re: (Score:2)
I hate to break this to you, but Linux does as well. You can install your distro's kernel-devel package ...
One of the differences is that one is by design and one is because anything is possible. MS is saying, "here's how we do it; that's how other antivirus companies can and should do it as well", while AFAIK that is not how those maintaining the Linux kernel would recommend things be done. Yes, you can do anything on Linux; you can even configure it as an immutable installation and completely prevent any loading of any kernel modules (compile them in).
Please note, I'm not saying MS is 100% to blame, but they are
Re: (Score:2)
Every aspect of my servers is disclosed. Every byte of code is disclosed. I never had an incident that affected even one production system in the last 30 years where something updated without me knowing what was going to happen before it happened. Cumbersome bloated code that does everything for everyone at ring-0 is just stupid. Having this update automatically outside your control is even worse than stupid.
I never feel comfortable with Windows systems, not because I don't know what I'm doing but because t
Re: This is the right move! (Score:2)
The situation didn't happen due to anything the EU said. The EU didn't force MS to allow buggy third party kernel code in Windows; the EU only asked MS to not be anticompetitive, and as always, MS "complied" in a way that was less than perfect.
Re: (Score:2)
The situation happened because the EU said "You have to disclose" and MSFT complied.
That sounds like you're blaming the EU for a Microsoft architectural design decision. The reality is the situation happened because Crowdstrike fucked up. We should not be in a world where you are so restricted from running software on your own machine that it can't be crashed. *YOU* should remain the administrator. The EU simply required MS to be a level playing field and publish all relevant information.
You know what is even worse than that? Everything open source. Imagine how much you can fuck with a sys
Re: (Score:1)
Don't buy the rubbish MSFT is spouting about EU deserving any blame. They lie, as per usual.
Here's what the agreement between MSFT and EC actually says:
"Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or t
Re: (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
Well, yes and no. Obviously MS shares a rather large part of the blame. Obviously, they needed to admit that in some indirect fashion or they could not have announced they will make things better. But let's be real, this is Microsoft. They cannot do secure system design. They have proven that time and again and this time will not be different.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Microsoft admitting through misdirection that this was their fault, at least partially, is very nice to see.
They are not. In fact Windows already provides more restriction than any open source software with what you can do with your own system, are you saying Linux and BSD are worse for security?
If you need to rewrite your software
They aren't re-writing anything. They are proposing implementing restrictions on what you can do with your system even as administrator. This is not a good thing.
Re: (Score:2)
Yet they would also prove controversial among security vendors that would have to make radical changes to their products, and force many Microsoft customers to adapt their software.
If anyone is worried about changing their software, well, software is meant to be updated, so that's not really a valid concern.
Re: (Score:2)
Re: (Score:2)
We already have the solution (Score:1)
And it isn't in windows, it isn't in linux.
It's a microkernel architecture. Tanenbaum was right. Fight me. (Don't actually)
Re: (Score:2)
NT started out as a microkernel architecture. Linux started out as monolithic. However these days there isn't that much difference between them in that respect.
Microsoft will implement security. Yeah... (Score:2)
Considering Microsoft's renowned expertise in the field of secure and stable software, I can't wait to see what they come up with... on my coworker's machines.
more resilient to buggy software... (Score:2)
So does that mean I can patch on Patch Tuesday instead of waiting 2 weeks for everyone else's computers to break first?
Re: (Score:2)
Does Microsoft even let you refuse or delay patches anymore? The best I could do on my work Win11 laptop is to make sure the laptop is sleeping / shut down when I'm not at work so it won't update itself behind my back, and telling Windows to fuck off when it interrupts me and nags about needing to update while I'm working.
Re: (Score:2)
your admin is way too lax to allow you control :)
As long as it can be easily bypassed I'm fine... (Score:2)
as in bypassed by admin or whatever the superuser is called nowadays in Windows. But then it would be useless as any "security" app would request that access, and we're back to square one with more effort and wasted time. And one step closer to removing the choice and getting one step closer to the iOS-ification of the world next time something bad happens.
They clearly will fake something... (Score:2)
... and that will be it. For MS to really improve Windows security, they would have to throw the whole mess away and do what Apple did. Somehow I do not see them doing that (yet).
Re: (Score:2)
complexity (Score:2)
Microsoft is just another word for kludges on top of kludges. Of course unexpected things will happen in that environment.
Recover (Score:2)
Windows Is 'Insecure By Design' (Score:2)
This Day on Slashdot:
Windows Is 'Insecure By Design,' Says Washington Post [slashdot.org] Posted by timothy on Sunday August 24, 2003 @11:34PM from the tradeoffs-are-everywhere dept.
If after 21 years of making several OS revisions Microsoft still has problems on the security side (without mentioning problems on all of the other sides too), why would this time be any different? Instead, couldn't it be just a PR stance to keep doing the same thing for another 21 years?
Microsoft & security in the same sentence? (Score:2)