Windows Blue Screen of Death Issue Caused by CrowdStrike Update and Microsoft's Response

TapTechNews July 29th news: over the past ten days, CrowdStrike and Microsoft have been assisting users affected by the large-scale Windows Blue Screen of Death problem, which was caused by a faulty CrowdStrike update. Besides providing remediation steps, CrowdStrike has released a preliminary post-incident review of the outage. According to the report, the Blue Screen of Death was caused by a memory safety issue: an out-of-bounds read access violation in CrowdStrike's CSagent driver.


Microsoft released a detailed technical analysis of the outage caused by the CrowdStrike driver yesterday. Microsoft's analysis confirmed CrowdStrike's finding that the crash was caused by an out-of-bounds memory safety error in CrowdStrike's CSagent.sys driver. The csagent.sys module is registered as a file system filter driver, the mechanism Windows offers drivers to receive notifications about file operations (such as a file being created or modified); security products, CrowdStrike's included, use it to scan any new file saved to disk.

TapTechNews noted that when the incident occurred, Microsoft received a lot of criticism for giving third-party software developers kernel-level access. In the blog post, Microsoft explained why kernel-level access is provided to security products:

Kernel drivers give system-wide visibility and can be loaded early in the boot process, so they can detect threats such as bootkits and rootkits that load before user-mode applications.

Kernel drivers can use kernel-only facilities such as system event callbacks and file filter drivers.

Kernel drivers can offer better performance in cases such as high-throughput network activity.

Security solutions also want to ensure that their software cannot be disabled by malware, targeted attacks, or malicious insiders, even when those attackers hold administrator rights, and that their drivers load as early as possible. For this reason, Windows provides Early Launch Anti-Malware (ELAM), which lets approved anti-malware drivers load early in the boot sequence. Kernel drivers come with a trade-off, however: they operate at the most trusted level of Windows, so any defect in them puts the whole system at risk. Microsoft has itself been migrating complex Windows core services, such as font file parsing, from kernel mode to user mode.

Microsoft suggests that security solution providers strike a balance between visibility and tamper-resistance requirements on the one hand and the risks of kernel-mode operation on the other. For example, they can keep a minimal sensor in kernel mode for data collection and enforcement, limiting exposure to availability issues, while the remaining functions, such as managing updates, parsing content, and other operations, are isolated in user mode, where a failure is recoverable.
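To make the memory-safety point concrete, here is an added example written for this article, not code from CrowdStrike or Microsoft. It contrasts an unchecked content parser with a bounds-checked one. The record layout, the MAX_FIELDS limit and the sample bytes are invented for illustration and do not describe any real CrowdStrike channel file; the point is the check itself: the field count declared inside the data is validated against both the buffer actually received and the destination's capacity before any byte is read, so a malformed update is rejected with an error instead of faulting, which is the recoverable behaviour Microsoft's guidance wants isolated in user mode.

```c
/* Added example, not code from CrowdStrike or Microsoft: a bounds-checked
 * parser for a HYPOTHETICAL content-update record, shown beside the
 * unchecked version. The record layout below is invented for illustration
 * and is not the format of any real CrowdStrike channel file.
 *
 * Assumed layout:
 *   byte 0     : field_count, the number of 4-byte little-endian fields
 *   bytes 1..  : field_count * 4 bytes of field data
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 8

typedef struct {
    uint8_t  field_count;
    uint32_t fields[MAX_FIELDS];
} content_record_t;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked parser: trusts field_count taken from the data itself. A record
 * that declares more fields than the buffer holds reads past the end of buf,
 * and one declaring more than MAX_FIELDS also writes past rec->fields. In a
 * user-mode process that crashes one process; in a kernel driver it is a
 * bugcheck, i.e. the Blue Screen. Kept for contrast; the self-checks below
 * never feed it a malformed record. */
static void parse_record_unchecked(const uint8_t *buf, content_record_t *rec)
{
    rec->field_count = buf[0];
    for (size_t i = 0; i < rec->field_count; i++)
        rec->fields[i] = read_le32(buf + 1 + 4 * i);   /* may be out of bounds */
}

/* Checked parser: validates the declared length against the actual buffer
 * length and against the destination capacity before touching any byte.
 * Returns 0 on success and -1 for a malformed record, so the caller can
 * reject the update rather than fault. */
static int parse_record_checked(const uint8_t *buf, size_t len,
                                content_record_t *rec)
{
    if (buf == NULL || rec == NULL || len < 1)
        return -1;
    uint8_t count = buf[0];
    if (count > MAX_FIELDS)                      /* destination capacity */
        return -1;
    if ((size_t)count * 4 > len - 1)             /* source length; len >= 1 here */
        return -1;
    memset(rec, 0, sizeof *rec);
    rec->field_count = count;
    for (size_t i = 0; i < count; i++)
        rec->fields[i] = read_le32(buf + 1 + 4 * i);
    return 0;
}

/* Number of fields in a record, or -1 if the checked parser rejects it. */
static int record_field_count(const uint8_t *buf, size_t len)
{
    content_record_t rec;
    return parse_record_checked(buf, len, &rec) == 0 ? rec.field_count : -1;
}

/* Value of field idx, or -1 if the record is rejected or idx is out of range. */
static long long record_field(const uint8_t *buf, size_t len, size_t idx)
{
    content_record_t rec;
    if (parse_record_checked(buf, len, &rec) != 0 || idx >= rec.field_count)
        return -1;
    return rec.fields[idx];
}

/* Constructed sample records (not real channel-file data). */
static const uint8_t GOOD_RECORD[]  = { 2, 0x01, 0, 0, 0, 0x02, 0, 0, 0 };
static const uint8_t SHORT_RECORD[] = { 3, 0x01, 0, 0, 0 };  /* declares 3 fields, holds 1 */
static const uint8_t HUGE_RECORD[]  = { 200, 0 };            /* declares more than MAX_FIELDS */

int main(void)
{
    content_record_t rec;
    parse_record_unchecked(GOOD_RECORD, &rec);   /* safe only because this record is well formed */
    printf("unchecked, good record: %u fields\n", rec.field_count);
    printf("checked, good record:   %d fields\n",
           record_field_count(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("checked, short record:  %d (rejected)\n",
           record_field_count(SHORT_RECORD, sizeof SHORT_RECORD));
    printf("checked, huge record:   %d (rejected)\n",
           record_field_count(HUGE_RECORD, sizeof HUGE_RECORD));
    return 0;
}
```

The checked version also rejects a record that is merely truncated (a correct field count but fewer data bytes than it promises), because the length check uses the bytes actually received rather than the count the data claims about itself.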

In the blog post, Microsoft also explained the built-in security features of the Windows operating system. These security features provide multiple layers of protection against malware and attack attempts. Microsoft will work with the anti-malware ecosystem through the Microsoft Virus Initiative (MVI) to further improve security and reliability using the built-in security features of Windows.

Microsoft's current plans:

Provide secure deployment guidelines, best practices, and technologies to make security product updates safer.

Reduce the need for kernel drivers to access important security data.

Provide enhanced isolation and anti-tampering capabilities through recently announced technologies such as VBS enclaves.

Enable zero-trust approaches such as high-integrity attestation, which determines the security state of a machine from the health of Windows' native security features.

As of July 25th, more than 97% of the Windows computers affected by this problem were back online, and Microsoft is now focusing on preventing such problems in the future. John Cable, Microsoft's vice president of Windows program management, recently published a blog post about the CrowdStrike problem stating that Windows must prioritize changes and innovation in end-to-end resilience, which is what customers expect from Microsoft.
