The CrowdStrike fiasco has once again focused the spotlight on Microsoft’s Achilles’ heel — security, or rather the lack thereof. I have been writing about technology long enough to know that nothing about the Windows operating system surprises me. Over the weekend, The Wall Street Journal outlined a multitude of reasons why the “blue screen of death” (BSOD) reared its ugly head once again.
When reading the article, this stood out to me.
“…as Microsoft pivoted to cloud computing, it has neglected the development of its more traditional products such as Windows and its email and corporate directory service products, all of which have been the targets of attacks. That neglect has made security software—like the kind provided by CrowdStrike—more necessary, the professionals said. ‘If they have a security-first culture, it would either be safer for products like these to exist or these products wouldn’t be needed at all,’ said Dustin Childs, a former Microsoft cybersecurity specialist who is currently the head of threat awareness at cybersecurity firm Trend Micro, which competes with Windows Defender and CrowdStrike.”
The reasons why Microsoft (and Windows) continue to grapple with security issues go back to the very beginning of the company’s operating system journey.
- Open design: Windows was designed to be highly customizable and extensible, which eventually helped it gain market dominance but also introduced security vulnerabilities.
- Legacy issues: Windows has a long history of backward compatibility, with roots going back to MS-DOS. This commitment to supporting older software and hardware has led to the accumulation of legacy code.
- Kernel-level access: In 1993, with Windows NT, Microsoft tried to fix some of its problems. The operating system became more stable and secure, but it continued to allow kernel access.
- Complex ecosystem: Windows started out as a PC operating system but has since morphed into an operating system for many hardware platforms and is used for a multitude of applications. In other words, the Windows world is complex.
- Market size: The sheer size of its user base has made Microsoft a prime target for cybercriminals and hackers.
- Security Circle of Hell: The sheer size of Microsoft’s installed base and the extent of its security problems have meant that a whole ecosystem of third-party software developers has thrived, ironically introducing a new set of challenges for Microsoft and its customers. The CrowdStrike failure was a perfect example.
Over the past decade, Apple has seen its share of the computer market increase, attracting unwanted attention to the platform. The attacks on the platform will only increase with its growing presence. In 2020, Apple decided it wouldn’t give kernel-level access. While not the most convenient decision for security companies, it has helped keep the “blue screen of death” at bay, at least for now.
Why can’t Microsoft do this? Apart from the aforementioned legacy reasons, Microsoft says it:
“…cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.”
That’s quite a statement, considering Microsoft’s security track record. Paul Thurrott, who has been writing about Microsoft and technology for years, points out:
“That this outage wasn’t technically Microsoft’s fault is an important fact, but the software giant has always dealt with being the ultimate responsibility, the super parent, of this platform. When things go wrong, customers—the world—blames Microsoft.
“But it is further interesting to me that this vulnerability, which impacted less than 1 percent of Windows PCs worldwide and was not an issue for any Windows PC-owning consumers, unfortunately did impact a small but important slice of the business user base, much of which is world-facing. In airports, train stations, hospitals, and all kinds of other places around the world, people are seeing blue screens—recovery screens, not the BSoD—on displays that should be displaying useful or critical information. And while we all chuckle to ourselves when Windows sometimes betrays its existence on these systems in calmer times, this one was serious. And in a sense, blame is beside the point. The conditions that allowed this problem to happen, to escalate the way it did, need to be addressed.”
So, if you take the Microsoft spokesperson’s comments at face value without judgment, it only reinforces my ongoing arguments that today’s regulators are so woefully out of touch with actual technology and how it all works. They not only fail to understand how it all works, but they can’t even contemplate the unintended consequences of their regulations. These regulations are more political theater than doing actual good for consumers.
While European Union regulators may mean well, that doesn’t mean it ends well. Just look at this deal with Microsoft, GDPR, or the new amorphous rules around artificial intelligence.
July 22, 2024. San Francisco