Microsoft plans to limit security products’ access to Windows kernel mode

Microsoft has announced the Windows Resiliency Initiative, aimed at avoiding a repeat of the prolonged worldwide IT outage caused by a buggy CrowdStrike update that took down millions of Windows machines by throwing them into a blue-screen-of-death (BSOD) loop and, in many cases, requiring a manual intervention to restore them.

Windows kernel security vendors

As part of that initiative, the company has announced that its working on Quick Machine Recovery, a feature that “will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC.”

The feature will be available to the Windows Insider Program community in early 2025.

Windows Resiliency Initiative: Plan of action

To prevent a similar incident from happening again, Microsoft will madate that endpoint security companies that have the deepest integration into Windows:

  • Conduct additional security and compatibility testing of components (e.g., drivers) with each Windows update.
  • Adopt safe deployment practices such as releasing security product updates gradually, leveraging deployment rings, and monitoring the deployment of updates so that negative impact from updates is minimized as much as possible.
  • Collaborate with Microsoft in developing and implementing strengthened incident response processes so they can quickly address future incidents.

“To help our customers and partners increase resilience, we are developing new Windows capabilities that will allow security product developers to build their products outside of kernel mode,” said David Weston, Vice President Enterprise and OS Security at Microsoft.

“This means security products, like anti-virus solutions, can run in user mode just as apps do. This change will help security developers provide a high level of security, easier recovery, and there will be less impact to Windows in the event of a crash or mistake. A private preview will be made available for our security product ecosystem in July 2025.”

And, like Google, Microsoft is committed to adopting safer programming languages and to “gradually moving functionality from C++ implementation to Rust.”

UPDATE (November 20, 2024, 12:20 p.m. ET):

This article has been amended to clear up that the buggy CrowdStrike update did not make affected system “remotely unfixable”, only temporarily unusable as manual action by IT administrators was needed to boot them up again.

“CrowdStrike introduced automated techniques to accelerate remediation on July 22, 2024,” a company spokesperson told Help Net Security.

OPIS OPIS

OPIS

Don't miss