Global BSOD

Caporegime
Joined
5 Apr 2009
Posts
25,119
Can someone else help us out and point out this evidence they have apparently posted that states the EU agreement allows for alternative solutions? There’s mountains apparently.

I posted the wording of the agreement just a few posts above, that simply says Microsoft have to offer the same access to APIs to others that they use themselves for their security products.

If they chose not to develop suitable APIs because it was easier to let their software have direct access, it's on them that they have to offer others the same direct access.

Nothing says 'thou shalt offer kernel access'
 
Soldato
Joined
13 Jan 2010
Posts
5,033
Location
The 'Shire'
I posted the wording of the agreement just a few posts above, that simply says Microsoft have to offer the same access to APIs to others that they use themselves for their security products.

If they chose not to develop suitable APIs because it was easier to let their software have direct access, it's on them that they have to offer others the same direct access.

Nothing says 'thou shalt offer kernel access'
I think you'll find that's in the new testament, Gareth 1:16
 
Soldato
Joined
3 Jun 2005
Posts
3,117
Location
The South
Ultimately Crowdstrike FA&FO not having proper functionality in their boot driver to correctly validate 'channel-file' data; if they did then this may not have happened.
Similarly it also appears from current reporting that Microsoft allows signed boot drivers (eg - Crowdstrike's driver) in kernel-space to drag in data from user-space and execute it; you would assume that was a straight up no-no :confused:

I imagine Microsoft will be looking into locking down kernel access in future releases.

Where is your evidence that the agreement with the EU says they could do that?
Worth reading the actual agreement as it tells you exactly what they can and can't do - https://news.microsoft.com/download...osoftInteroperabilityUndertaking16Dec2009.doc.

The TL;DR is, security related APIs used by Microsoft should also be made available to third-party vendors and they should be publicly documented unless publication is a risk to security.

Microsoft is trying to save face and as @Murphy and others have stated, this EU agreement wouldn't stop Microsoft securing those APIs, just that they have to make them available to others.
 
Associate
Joined
20 Aug 2020
Posts
2,076
Location
South Wales
Microsoft allows signed boot drivers (eg - Crowdstrike's driver) in kernel-space to drag in data from user-space and execute it

This is the really worrying part, this could have been significantly worse other than a few dodgy files causing a boot loop, what if this backdoor essentially was used maliciously for malware or worse, ransomware. This could have caused an insane amount of damage that could have taken many weeks if not more to recover from.
 
Associate
Joined
25 Oct 2002
Posts
2,338
Location
Sarf Lahndahn
This is the really worrying part, this could have been significantly worse other than a few dodgy files causing a boot loop, what if this backdoor essentially was used maliciously for malware or worse, ransomware. This could have caused an insane amount of damage that could have taken many weeks if not more to recover from.
Yep, after what we saw on Friday, that possibility has to be on everyone's risk register.
 
Caporegime
Joined
19 May 2004
Posts
32,099
Location
Nordfriesland, Germany
This is the really worrying part, this could have been significantly worse other than a few dodgy files causing a boot loop, what if this backdoor essentially was used maliciously for malware or worse, ransomware. This could have caused an insane amount of damage that could have taken many weeks if not more to recover from.

It's not really a backdoor. Everyone involved welcomed CrowdStrike through the front door, and gave them full access to their system - anything you allow that to can wreck your system on any operating system.
 
Soldato
Joined
31 Jul 2008
Posts
7,875
Location
N/A
The TL;DR is, security related APIs used by Microsoft should also be made available to third-party vendors and they should be publicly documented unless publication is a risk to security.

Microsoft is trying to save face and as @Murphy and others have stated, this EU agreement wouldn't stop Microsoft securing those APIs, just that they have to make them available to others.
***You were warned to drop it***

Anyway, so are you saying in 2009 when the deal was signed that MS Defender (or whatever it was called) was using APIs? Or are you saying that MS could have redesigned one of its existing apps to remove the inherent security risk that was caused by the EU agreement?

Still waiting for the furious rebuttal from the EU - MS's comments have been reported globally and they are not normally so coy..
 
Last edited by a moderator:
Soldato
Joined
3 Jun 2005
Posts
3,117
Location
The South
This is the really worrying part, this could have been significantly worse other than a few dodgy files causing a boot loop, what if this backdoor essentially was used maliciously for malware or worse, ransomware. This could have caused an insane amount of damage that could have taken many weeks if not more to recover from.
Whether a third-party could maliciously attack this process is definitely a 'yes, no, maybe' but if the reports are correct then it seems Crowdstrike opted for this solution because there wasn't another available to them, ie - kernel access whilst providing efficient updates without going through the timely WHQL process.

No doubt Crowdstrike are bolstering their agent/driver to prevent this happening in the future and Microsoft are looking at options to secure this access.
 
Soldato
Joined
3 Jun 2005
Posts
3,117
Location
The South
Anyway, so are you saying in 2009 when the deal was signed that MS Defender (or whatever it was called) was using APIs? Or are you saying that MS could have redesigned one of its existing apps to remove the inherent security risk that was caused by the EU agreement?

Still waiting for the furious rebuttal from the EU - MS's comments have been reported globally and they are not normally so coy..
Unless there's more to this agreement that hasn't been made public then (again) the gist is simply, any security related APIs Microsoft produce(d) within Windows has/had to be publicly documented, where there isn't a risk in doing so, and available to third-party vendors to prevent Microsoft gaining a competitive advantage with their security products by using undocumented or unavailable to third-party access to their OS/platform.
I'm more than happy to be proven wrong but I cannot see, in the published document, where it alludes to or states how secure or unsecure these security APIs need(ed) to be.
So if there is an inherent security risk with these APIs then that is surely on Microsoft not this agreement with the EU, which is there to prevent anti-competitiveness?

Majority of the reporting on Microsoft's comment appears to stem from the same WSJ article and source but that aside, ultimately Microsoft can blame their part on the incident on whatever or whoever they like. The published EU agreement doesn't seem to support their reasoning/excuse though.
By all means, read the EU agreement yourself, maybe you're able to find something that does :)
 
Soldato
Joined
31 Jul 2008
Posts
7,875
Location
N/A
Unless there's more to this agreement that hasn't been made public then (again) the gist is simply, any security related APIs Microsoft produce(d) within Windows has/had to be publicly documented, where there isn't a risk in doing so, and available to third-party vendors to prevent Microsoft gaining a competitive advantage with their security products by using undocumented or unavailable to third-party access to their OS/platform.
I'm more than happy to be proven wrong but I cannot see, in the published document, where it alludes to or states how secure or unsecure these security APIs need(ed) to be.
So if there is an inherent security risk with these APIs then that is surely on Microsoft not this agreement with the EU, which is there to prevent anti-competitiveness?

Majority of the reporting on Microsoft's comment appears to stem from the same WSJ article and source but that aside, ultimately Microsoft can blame their part on the incident on whatever or whoever they like. The published EU agreement doesn't seem to support their reasoning/excuse though.
By all means, read the EU agreement yourself, maybe you're able to find something that does :)


Maybe start by answering my questions rather than designing an irrelevant scenario based on your skim reading of the agreement?

Are you saying in 2009 when the deal was signed that MS Defender (or whatever it was called) was using APIs? Or are you saying that MS could have redesigned one of its existing apps to remove the inherent security risk that was caused by the EU agreement?
 
Soldato
Joined
20 Oct 2002
Posts
6,212
Location
UK
I was keeping an eye on the share price of this company today, seems to have dipped but now levelling out... it reminded me of watching videos of post-covid share movement like looking back on cinemas or cruise companies
 