What you need to know
- A massive outage caused by a CrowdStrike bug caused 8.5 million PCs to crash and affeted countless people and businesses.
- The outage was caused by a CrowdStrike update with a bug that was able to affect PCs due to the app having kernel access to Windows 11.
- In response to the outage, Microsoft appears to be interested in moving away from security software having Windows 11 kernel access.
The recent CrowdStrike outage caused 8.5 million PCs to crash, affected millions of people, and potentially cost businesses billions of dollars. Referred to by many as the "digital pandemic," the outage has drawn response from CrowdStrike, Microsoft, and security experts. The outage was caused by a CrowdStrike bug, and Microsoft is looking into options that could make similar outages impossible in the future.
"The recent CrowdStrike incident underscores the need for mission-critical resiliency within every organization, and our unique ability to support the change required," said Microsoft's John Cable, vice president of program management for Windows servicing and delivery.
CrowdStrike, and some other pieces of security software, run at a kernel level on Windows 11. That setup gives security tools like CrowdStrike access to a PC's memory and parts of the operating system usually closed off to other applications. This is possible at the moment because kernel access allows a piece of software to monitor a system, but it also means that a faulty driver in something like CrowdStrike can cause a PC to crash.
Cable explained that the recent CrowdStrike outage "shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience." While Cable did not specifically say that Microsoft will shift security software away from having kernel access, the examples he shared are for security methods that do not require accessing the Windows kernel.
VBS enclaves, which Cable highlighted, does not require kernel access. Microsoft Azure Attestation service is another security measure that could protect systems without putting a PC at the same risks presented by an app having kernel access.
"These examples use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access," said Cable. "We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community."
If Microsoft moved away from allowing security apps to have kernel access, a buggy update from CrowdStrike or another app would not be able to cause PCs to crash. Other types of attacks would still be possible, of course, as cybersecurity is incredibly complex, but the specific type of issue that caused the CrowdStrike outage would not be possible.
What was the CrowdStrike outage?
The CrowdStrike outage was an incident that saw 8.5 million PCs crash and show the "Blue Screen of Death" (BSoD). The situation caused planes to be grounded, banks to be affected, and emergency services to go down. It was one of the largest outages of its kind to ever occur, and it will likely have serious ramifications across several sectors.
The outage was caused by a buggy driver update sent out by CrowdStrike, but the issue only affected PCs running Windows. Because of that fact, some called the incidnet the "Microsoft outage." While Microsoft was not directly at fault for the issue, systems running the tech giant's operating system were the ones to crash, so Microsoft has had to look at solutions.
Microsoft released a CrowdStrike recovery tool, which has since been updated to support multiple recovery methods.
Several memes were made about the CrowdStrike outage, and there were people who enjoyed a surprise day off, but the situation was quite serious. There's a good chance that billions of people were affected by the outage, at least indirectly. Businesses have also lost money due to services being down.
