After The Global Blue Screen, Microsoft Decided to Kick Security Out of the Windows Kernel

It is reported that Microsoft is redesigning the way EDR interacts with the Windows kernel to avoid triggering another global blue screen incident.

It is clear that in July 2024, the global blue screen incident caused by the CrowdStrike failure left a very deep memory for Microsoft, prompting the latter to further examine the potential risks of EDR in product design and implementation, especially the risks of interacting with the kernel.

Microsoft announced that it will introduce new platform features in Windows 11 and emphasize that security vendors operate "outside kernel mode" to prevent similar incidents from happening again. Because Microsoft can no longer afford another blue screen incident, it needs to ensure that EDR tools will not cause the entire system to crash or become unstable due to updates or other operations.

Security vendors can run security products without entering kernel mode, which also helps reduce the risk of malware exploiting kernel vulnerabilities and improve overall system security.

Although no specific details have been announced yet, Microsoft's determination to "kick security out of the Windows kernel" this time is already very clear.

As we all know, after experiencing more and more security incidents, Microsoft has put forward the value of "security above all else" in August this year, linking security work with employee performance evaluation and making security a core priority. Microsoft Vice President David Weston also said that this redesign will be seen as part of achieving long-term resilience and security goals.

This means that Microsoft is not only solving the current problem, but also preparing for future security challenges. It can also be inferred that security products will never have the opportunity to re-enter the Windows kernel, and Microsoft will continue to work on new EDR standards and best practices in the future.

As David Weston pointed out at the summit, Windows 11's improved security posture and secure defaults enable the platform to offer solution providers more security capabilities outside of kernel mode, and emphasized that EDR vendors must adopt what Microsoft calls "Secure Deployment Practices (SDPs)" when updating.

A core tenet of SDP is that updates can be deployed in a gradual and phased manner to customers, using "diverse endpoints for controlled rollouts" and providing the ability to pause or roll back updates when necessary.

No wonder some security experts say that this security update is almost Microsoft's way of showing the outside world its attitude and response to the global blue screen incident.

To ensure the security of the newly designed EDR vendor access rights, Microsoft will follow the principle of least privilege and grant only the minimum permissions necessary for the EDR tool to perform its functions to avoid potential risks. By using isolation and sandbox technology, it can be ensured that even if the EDR tool fails, it will not affect other parts of the system. In this way, even if there is a problem with the EDR vendor's software, it will not cause the entire system to crash.

In addition, Microsoft may require EDR vendors to follow the security development lifecycle and regularly review the code of EDR vendors to ensure that their software reflects security in the design, coding, testing and deployment process. By integrating the SIEM system, the activities of EDR tools can also be monitored, abnormal behaviors can be discovered in a timely manner, and corresponding response measures can be taken.

Reference source: https://www.securityweek.com/post-crowdstrike-fallout-microsoft-redesigning-edr-vendor-access-to-windows-kernel/