Last Friday, a major CrowdStrike outage impacted PCs running Microsoft Windows, causing worldwide issues affecting airlines, retailers, banks, hospitals, rail networks, and more. Computers were stuck in continuous recovery loops, rendering them unusable.
The failure was caused by an update to the CrowdStrike Falcon antivirus software that auto-installed on Windows 10 PCs, but Mac and Linux machines were not affected even though they received the same software. A report from The Wall Street Journal delves into what happened and includes some critical information from Microsoft on why Macs did not get taken out by the update.
On Windows machines, CrowdStrike's Falcon security software is a kernel module, which gives the software full access to a PC. The kernel manages memory, processes, files, and devices, and it's basically the heart of the operating system. Much of the software on a PC is typically limited to user mode, where bad code can't cause harm, but software with kernel mode access can cause catastrophic total machine failures, like what was encountered last week.
The Falcon software was not able to wreak similar havoc on Macs because Apple does not give software makers kernel access. In macOS Catalina, which came out in 2019, Apple deprecated kernel extensions and transitioned to system extensions that run in a user space instead of at a kernel level. The change made Macs more stable and more secure, adding protection against unstable software updates like the one CrowdStrike pushed out. It is not possible for Macs to have a similar failure because of the change that Apple made.
In a statement to The Wall Street Journal, Microsoft blamed the European Commission for an inability to offer the same protections that Macs have. Microsoft said that it is unable to wall off its operating system because of an "understanding" with the European Commission. Back in 2009, Microsoft agreed to interoperability rules that provide third-party security apps with the same level of access to Windows that Microsoft gets. Microsoft agreed to provide kernel access in order to resolve multiple longstanding competition law issues in Europe.
Apple has not been forced to make changes to how Macs work, but the European Commission has been targeting the closed nature of iOS, and Apple has warned that the updates that have already been implemented could lead to security risks in the future. The European Union's Digital Markets Act has pushed Apple to allow developers to offer apps through third-party marketplaces and websites. Apple says explicitly that the DMA compromises its ability to "detect, prevent, and take action against malicious apps."
The major CrowdStrike failure that affected Windows PCs highlights some of the unintended consequences and the tradeoffs inherent in legislation that weakens security in the name of open access. CrowdStrike's simple software update impacted global infrastructure, bringing travel, commerce, and healthcare to a standstill.
Microsoft does not seem to have a way to stop a recurrence because it can't cut off kernel access. The company says that significant incidents "are infrequent" and that less than one percent of all Windows machines were impacted. CrowdStrike says that it is "deeply sorry for the inconvenience and disruption," and that in the future, it will share the steps that it is taking to prevent a similar situation.