Global BSOD

Can someone else help us out and point out this evidence they have apparently posted that states the EU agreement allows for alternative solutions? There’s mountains apparently.

I posted the wording of the agreement just a few posts above, that simply says Microsoft have to offer the same access to APIs to others that they use themselves for their security products.

If they chose not to develop suitable APIs because it was easier to let their software have direct access, it's on them that they have to offer others the same direct access.

Nothing says 'thou shalt offer kernel access'
 
I posted the wording of the agreement just a few posts above, that simply says Microsoft have to offer the same access to APIs to others that they use themselves for their security products.

If they chose not to develop suitable APIs because it was easier to let their software have direct access, it's on them that they have to offer others the same direct access.

Nothing says 'thou shalt offer kernel access'
I think you'll find that's in the new testament, Gareth 1:16
 
Ultimately Crowdstrike FA&FO not having proper functionality in their boot driver to correctly validate 'channel-file' data; if they did then this may not have happened.
Similarly it also appears from current reporting that Microsoft allows signed boot drivers (eg - Crowdstrike's driver) in kernel-space to drag in data from user-space and execute it; you would assume that was a straight up no-no :confused:

I imagine Microsoft will be looking into locking down kernel access in future releases.
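The validation point raised above, as an added example that is not CrowdStrike's or Microsoft's code: the file layout, magic value, record size and the "rule_id must be non-zero" invariant are all constructed for illustration. The parser checks every field against the buffer's real length before dereferencing anything, and the loader keeps the last good configuration when a file is rejected rather than faulting the machine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical content-file layout (constructed, NOT the real channel-file
 * format): a 16-byte header followed by `count` fixed-size 32-byte records. */
#define CF_MAGIC       0x43464631u   /* "CFF1", constructed */
#define CF_MAX_RECORDS 4096u         /* upper bound keeps the size multiply safe */

typedef struct { uint32_t magic; uint32_t version; uint32_t count; uint32_t reserved; } cf_header;
typedef struct { uint32_t rule_id; uint32_t flags; uint8_t pattern[24]; } cf_record;

enum { CF_OK = 0, CF_TOO_SHORT, CF_BAD_MAGIC, CF_BAD_VERSION, CF_BAD_COUNT, CF_TRUNCATED, CF_BAD_RECORD };

/* Validate a content file before any record is used. Every check is made
 * against `len`, so a short, zero-filled or padded file yields an error code
 * instead of a read past the end of the buffer. */
int cf_validate(const uint8_t *buf, size_t len, uint32_t *records_out)
{
    cf_header h;
    if (buf == NULL || len < sizeof h) return CF_TOO_SHORT;
    memcpy(&h, buf, sizeof h);                       /* no unaligned pointer casts */
    if (h.magic != CF_MAGIC) return CF_BAD_MAGIC;    /* an all-zero file fails here */
    if (h.version != 1) return CF_BAD_VERSION;
    if (h.count == 0 || h.count > CF_MAX_RECORDS) return CF_BAD_COUNT;
    if (len - sizeof h < (size_t)h.count * sizeof(cf_record)) return CF_TRUNCATED;
    for (uint32_t i = 0; i < h.count; i++) {
        cf_record r;
        memcpy(&r, buf + sizeof h + (size_t)i * sizeof(cf_record), sizeof r);
        if (r.rule_id == 0) return CF_BAD_RECORD;    /* constructed per-record invariant */
    }
    if (records_out) *records_out = h.count;
    return CF_OK;
}

/* Loader policy: a file that fails validation is skipped and the previous
 * good configuration stays active; bad input must never take the driver down. */
int cf_load(const uint8_t *buf, size_t len)
{
    uint32_t n = 0;
    int rc = cf_validate(buf, len, &n);
    if (rc != CF_OK) {
        fprintf(stderr, "content file rejected (code %d); keeping last good config\n", rc);
        return rc;
    }
    printf("loaded %u records\n", n);
    return CF_OK;
}

int main(void)
{
    uint8_t zeros[512] = {0};                        /* constructed: a zero-filled file */
    return cf_load(zeros, sizeof zeros) == CF_OK ? 0 : 1;
}
```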

Where is your evidence that the agreement with the EU says they could do that?
Worth reading the actual agreement as it tells you exactly what they can and can't do - https://news.microsoft.com/download...osoftInteroperabilityUndertaking16Dec2009.doc.

The TL;DR is, security related APIs used by Microsoft should also be made available to third-party vendors and they should be publicly documented unless publication is a risk to security.

Microsoft is trying to save face and as @Murphy and others have stated, this EU agreement wouldn't stop Microsoft securing those APIs, just that they have to make them available to others.
 
Microsoft allows signed boot drivers (eg - Crowdstrike's driver) in kernel-space to drag in data from user-space and execute it

This is the really worrying part, this could have been significantly worse other than a few dodgy files causing a boot loop, what if this backdoor essentially was used maliciously for malware or worse, ransomware. This could have caused an insane amount of damage that could have taken many weeks if not more to recover from.
 
This is the really worrying part, this could have been significantly worse other than a few dodgy files causing a boot loop, what if this backdoor essentially was used maliciously for malware or worse, ransomware. This could have caused an insane amount of damage that could have taken many weeks if not more to recover from.
Yep, after what we saw on Friday, that possibility has to be on everyone's risk register.
 
This is the really worrying part, this could have been significantly worse other than a few dodgy files causing a boot loop, what if this backdoor essentially was used maliciously for malware or worse, ransomware. This could have caused an insane amount of damage that could have taken many weeks if not more to recover from.

It's not really a backdoor. Everyone involved welcomed CrowdStrike through the front door, and gave them full access to their system - anything you allow that to can wreck your system on any operating system.
 
The TL;DR is, security related APIs used by Microsoft should also be made available to third-party vendors and they should be publicly documented unless publication is a risk to security.

Microsoft is trying to save face and as @Murphy and others have stated, this EU agreement wouldn't stop Microsoft securing those APIs, just that they have to make them available to others.
***You were warned to drop it***

Anyway, so are you saying in 2009 when the deal was signed that MS Defender (or whatever it was called) was using APIs? Or are you saying that MS could have redesigned one of its existing apps to remove the inherent security risk that was caused by the EU agreement?

Still waiting for the furious rebuttal from the EU - MS's comments have been reported globally and they are not normally so coy..
 
This is the really worrying part, this could have been significantly worse other than a few dodgy files causing a boot loop, what if this backdoor essentially was used maliciously for malware or worse, ransomware. This could have caused an insane amount of damage that could have taken many weeks if not more to recover from.
Whether a third party could maliciously attack this process is definitely a 'yes, no, maybe' but if the reports are correct then it seems Crowdstrike opted for this solution because there wasn't another available to them, ie - kernel access whilst providing efficient updates without going through the timely WHQL process.

No doubt Crowdstrike are bolstering their agent/driver to prevent this happening in the future and Microsoft are looking at options to secure this access.
 
Anyway, so are you saying in 2009 when the deal was signed that MS Defender (or whatever it was called) was using APIs? Or are you saying that MS could have redesigned one of its existing apps to remove the inherent security risk that was caused by the EU agreement?

Still waiting for the furious rebuttal from the EU - MS's comments have been reported globally and they are not normally so coy..
Unless there's more to this agreement that hasn't been made public then (again) the gist is simply, any security related APIs Microsoft produce(d) within Windows has/had to be publicly documented, where there isn't a risk in doing so, and available to third-party vendors to prevent Microsoft gaining a competitive advantage with their security products by using undocumented or unavailable to third-party access to their OS/platform.
I'm more than happy to be proven wrong but I cannot see, in the published document, where it alludes to or states how secure or unsecure these security APIs need(ed) to be.
So if there is an inherent security risk with these APIs then that is surely on Microsoft not this agreement with the EU, which is there to prevent anti-competitiveness?

Majority of the reporting on Microsoft's comment appears to stem from the same WSJ article and source but that aside, ultimately Microsoft can blame their part on the incident on whatever or whoever they like. The published EU agreement doesn't seem to support their reasoning/excuse though.
By all means, read the EU agreement yourself, maybe you're able to find something that does :)
 
Unless there's more to this agreement that hasn't been made public then (again) the gist is simply, any security related APIs Microsoft produce(d) within Windows has/had to be publicly documented, where there isn't a risk in doing so, and available to third-party vendors to prevent Microsoft gaining a competitive advantage with their security products by using undocumented or unavailable to third-party access to their OS/platform.
I'm more than happy to be proven wrong but I cannot see, in the published document, where it alludes to or states how secure or unsecure these security APIs need(ed) to be.
So if there is an inherent security risk with these APIs then that is surely on Microsoft not this agreement with the EU, which is there to prevent anti-competitiveness?

Majority of the reporting on Microsoft's comment appears to stem from the same WSJ article and source but that aside, ultimately Microsoft can blame their part on the incident on whatever or whoever they like. The published EU agreement doesn't seem to support their reasoning/excuse though.
By all means, read the EU agreement yourself, maybe you're able to find something that does :)


Maybe start by answering my questions rather than designing an irrelevant scenario based on your skim reading of the agreement?

Are you saying in 2009 when the deal was signed that MS Defender (or whatever it was called) was using APIs? Or are you saying that MS could have redesigned one of its existing apps to remove the inherent security risk that was caused by the EU agreement?
 
I was keeping an eye on the share price of this company today, seems to have dipped but now levelling out... it reminded me of watching videos of post-covid share movement like looking back on cinemas or cruise companies
 
) in kernel-space to drag in data from user-space and execute it
Not sure that idea, also in the earlier linked MS employee video, holds water; usually program stack/data space is managed differently to code areas, for branch prediction/caching etc.
So dynamically modified code isn't allowed, which gives poor code performance too.
So I think the nature of what, if any, Crowdstrike abuse there was is not yet revealed.
 
Maybe start by answering my questions rather than designing an irrelevant scenario based on your skim reading of the agreement?
Did you read the EU agreement, I did post the link, at all? Did you manage to find anything that suggests the EU is at fault and supports Microsoft's comment? You should post the section of the agreement if you did :)

Are you saying in 2009 when the deal was signed that MS Defender (or whatever it was called) was using APIs? Or are you saying that MS could have redesigned one of its existing apps to remove the inherent security risk that was caused by the EU agreement?
What I've said is in my replies, hope that helps :)
 
Did you read the EU agreement, I did post the link, at all? Did you manage to find anything that suggests the EU is at fault and supports Microsoft's comment? You should post the section of the agreement if you did :)


What I've said is in my replies, hope that helps :)


You are just deflecting talking about APIs etc - there is no doubt that an alternative solution could have avoided this in the same way as the EU could have designed a better agreement. The issue here is that the EU said that MS had to give competitors the same level of access as its own AV software - which used kernel access not APIs - so this is what MS was forced to do. This was in 2009 - since then I've not seen any accusations of malicious compliance or any investigations to suggest that MS has done anything that the EU didn't specifically require. The EU was clearly happy with the outcome. The EU has done nothing in the last 15 years despite being aware of MS's concerns re security. All the articles suggest MS was not able to make any changes to this agreement or the level of access provided and the EU has so far failed to deny that the agreement was partly responsible for the issue.

So it's really not unreasonable to suggest that the EU is in part culpable for this mess.

Blindly defending some third countries trade organisation that has nothing to do with you is just bizarre. Also I get a lot of you are butt hurt that MS has ruined the Xbox brand etc but regardless this relates to their core business and over regulation that is demonstrably bad for all.

I'm sure when the first EU iPhone owner whinges about getting hacked after installing some dodgy 3rd party app that will be Apple's fault...
 
Blindly defending some third countries trade organisation that has nothing to do with you is just bizarre.
Is that not the same as blindly accepting the comment of a company involved in a global incident that is most likely in a little bother attempting to save their own backside, especially to shareholders who no doubt have their own questions, and shift blame elsewhere?

Also I get a lot of you are butt hurt that MS has ruined the Xbox brand...
I've never owned an Xbox...
 
So it's really not unreasonable to suggest that the EU is in part culpable for this mess.

A more intelligent response would be to recognise that Crowdstrike is able to provide protection at all because of this agreement, and that - even including this fubar - that has been a net good for cyber security.

The blame for this lies almost entirely on Crowdstrike. Everything else is basically an irrelevance.
 