Blue screens everywhere are latest tech woe for Microsoft
upgrade, forcing applications to maintain good security practices or they pull them off of the App Store,” said Amit Yoran, chief executive of cybersecurity firm Tenable.
Security issues have long been Microsoft’s Achilles’ heel, as computers and servers running its software have been the target of repeated hacks by criminal groups, as well as state-sponsored actors in Russia and China. Top company executives have been brought in front of Congress to explain why Windows is so vulnerable.
Ironically, CrowdStrike CEO George Kurtz raised the issue publicly in January. “What you’re seeing here is systemic failures by Microsoft, putting not only their customers at risk, but the U.S. government at risk,” he said on CNBC after Microsoft disclosed a Russian hack of systems used by its senior leadership.
Two months later, a report by the Department of Homeland Security’s Cyber Safety Review Board found that, “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem.”
Microsoft said the CrowdStrike crash was unrelated to the issues raised by federal officials about the company’s lapses in security.
Security professionals critical of the company’s practices say as Microsoft pivoted to cloud computing, it has neglected the development of its more traditional products such as Windows and its email and corporate directory service products, all of which have been the targets of attacks. That neglect has made security software—like the kind provided by CrowdStrike—more necessary, the professionals said.
“If they have a security-first culture, it would either be safer for products like these to exist or these products wouldn’t be needed at all,” said Dustin Childs, a former Microsoft cybersecurity specialist who is currently the head of threat awareness at cybersecurity firm Trend Micro. Trend Micro competes with Windows Defender and CrowdStrike.
Pavan Davuluri, Microsoft’s corporate vice president of Windows and devices, said the move to the cloud has been good for software reliability because the operating system is live and constantly updating. But he said the company has unique challenges in the tech industry dealing with an array of customers, many of whom use old versions of Windows running on outdated hardware.
“In Windows we do have a pretty broad range of responsibilities,” Davuluri said. “We definitely have to meet our customers in terms of where they’re at—the product itself, its use, its life cycle.”
CrowdStrike’s bug was so devastating because its security software, called Falcon, runs at the most central level of Windows, the kernel, so when an update to Falcon caused it to crash, it also took out the brains of the operating system. That is when the blue screen of death appeared.
In 2020, Apple told developers that its MacOS operating system would no longer grant them kernel-level access.
That change was a pain for Apple’s partners, but it also meant that blue screen of death-style problems couldn’t happen on Macs, said Patrick Wardle, the chief executive of Mac security maker DoubleYou.
“What it meant was that a lot of third-party developers, ourselves included, had to rewrite our security software,” he said.
A Microsoft spokesman said it cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.