Microsoft Exec: Massive Outage Prompted Calls For Alternatives To ‘Kernel Mode’

In the wake of the global Windows outage caused by a faulty CrowdStrike update in July, ‘both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode,’ Microsoft’s David Weston says.

In the wake of the CrowdStrike-caused outage that led to widespread societal disruptions in July, Microsoft has faced calls to provide alternative ways for organizations to secure Windows devices “outside of kernel mode,” according to a Microsoft executive.

Kernel access has been pinpointed as a key factor in the incident: because the CrowdStrike sensor runs as a kernel-mode driver, its defective July 19 update crashed the operating system itself rather than a single process, sending 8.5 million Windows devices into a “blue screen of death” state. A comparable fault in a user-mode component would have terminated only that component.
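As a first practical check on your own estate (an added example, not code from the CRN article or from Microsoft's post), the following PowerShell inventories the kernel-mode drivers currently running on a Windows host and lists those whose version metadata names a vendor other than Microsoft, i.e. the third-party components whose failure would take the whole machine down. It assumes an elevated session, and it uses the driver file's CompanyName as a heuristic for the vendor because third-party drivers are commonly countersigned by Microsoft and cannot be separated by Authenticode signer alone.

```powershell
# Added example: inventory running kernel-mode drivers and flag non-Microsoft vendors.
# Assumes an elevated PowerShell session so every driver image is readable.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may carry a \??\ or \SystemRoot\ prefix, or be relative to the
    # Windows directory; normalise it to a plain file-system path first.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $info = (Get-Item -LiteralPath $path).VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $path

    [pscustomobject]@{
        Name      = $d.Name
        StartMode = $d.StartMode   # 'Boot' drivers load before any user-mode code exists
        Company   = if ($info.CompanyName) { $info.CompanyName } else { '(none)' }
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Path      = $path
    }
}

# Third-party kernel drivers: the components whose fault cannot be contained to one process.
$report |
    Where-Object { $_.Company -notmatch 'Microsoft' } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, Company, Path -AutoSize
```

Boot-start drivers deserve particular attention in the output: they load before the desktop or a remote-management agent is available, so a crash in one of them is exactly the "fix it by hand" scenario the July outage produced.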


In a post Thursday, David Weston, vice president of enterprise and OS security at Microsoft, summarized some of the major points discussed during this week's summit of top security vendors, including CrowdStrike.

The summit—held in response to the July outage—took place Tuesday at Microsoft’s headquarters in Redmond, Wash. Along with CrowdStrike, the summit also included executives from SentinelOne, Sophos, Broadcom, ESET, Trellix and Trend Micro.

While the vendors may be “competitors” with each other, “we’re not adversaries,” Weston wrote in the blog post Thursday. “The adversaries are the ones we need to protect the world from.”

Notable discussion topics at the summit included “longer-term steps serving resilience and security goals,” he said.

Already, Weston said, Microsoft has been expanding security capabilities for Windows 11 that don’t require kernel access.

Even so, “both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode,” he wrote.

Participant comments quoted in the blog included a statement from ESET, which said the vendor “supports modifications to the Windows ecosystem that demonstrate measurable improvements to stability, on condition that any change must not weaken security, affect performance, or limit the choice of cybersecurity solutions.”

“It remains imperative that kernel access remains an option for use by cybersecurity products to allow continued innovation and the ability to detect and block future cyberthreats,” ESET said in the statement.

In a statement included in the blog, CrowdStrike executive Drew Bagley described the discussions at this week’s summit as “important.” The ultimate goal is “how best to collaborate in building a more resilient and open Windows endpoint security ecosystem,” Bagley said.

CRN has reached out to CrowdStrike for further comment. Microsoft said in an email Friday that it had no further comment beyond Weston’s post.

In the days after the massive outage in July, Microsoft executive John Cable wrote in a post that the unprecedented incident “shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience.”

Cable, vice president of Windows servicing and delivery at Microsoft, also touched on the role of third-party access to the Windows kernel at the time. He pointed to recently announced capabilities that “provide an isolated compute environment that does not require kernel mode drivers to be tamper resistant” — which helps to show “what can be done to encourage development practices that do not rely on kernel access.”

The July 19 outage, which had lingering impacts for much of the following week, left affected devices unable to boot until an IT professional repaired each one manually.

The real-world impacts were wide-ranging—with major disruptions to air travel, health care and many other sectors—and estimates have suggested the costs to major corporations will reach into the billions of dollars.

CrowdStrike has pledged to do additional testing and to deploy its updates in staged rollouts, with the aim of preventing such issues in the future.