Microsoft's Windows kernel: No one intends to build a wall
How to improve Windows security? Microsoft invited security providers to a major consensus summit. The elephant in the room: a locked Windows kernel.
An awkwardly titled "Windows Endpoint Security Ecosystem Summit" and a groundbreaking decision at Microsoft seem to go together: together with security providers, the company has apparently set a new course for the security of the operating system. Microsoft does not want to say so that plainly, but between the lines it looks different.
All of one mind?
First and foremost, it is described as an exchange with major players such as Sophos, Broadcom, Trend Micro, Trellix, ESET and SentinelOne. CrowdStrike was also on board, as this summit only took place because of its update disaster and one of the biggest IT outages worldwide. Microsoft first emphasizes the responsibility of these security providers and the challenges that come with it.
As today's IT security is so complex, there are no simple answers. Many options for Windows security are good for customers, as are common standards such as Safe Deployment Practices (SDP). In addition, the aim is to test critical components better and faster, improve cross-vendor compatibility tests and exchange more information overall.
Security elsewhere
In addition to these more management-centric approaches, Microsoft's announcement also hints at a technical reorientation – and this is quite something: security providers are to receive new functions outside the Windows kernel with which their software can do its work. Performance problems outside the kernel level, the protection of the security programs themselves and the necessary sensors between the security software and the kernel were discussed. In addition, the cooperation principles between Microsoft and third-party developers as well as security-by-design goals were defined.
Microsoft now wants to implement all of this in Windows – in coordination with its partners. The goal: improved reliability (the announcement speaks vaguely of "reliability") without making concessions in terms of security.
But what is so groundbreaking about it? Security software can interact directly with the Windows kernel, and gaps or errors in it are correspondingly critical, as CrowdStrike showed. And even if Microsoft does not explicitly address it, a completely locked kernel could remove this vulnerability. At the same time, Microsoft clearly emphasizes how necessary the security software for Windows is – whose providers, with their not only technical but also economic interests, are sitting right at the table.
What was not said
However, immediately withdrawing access from third-party security developers would not work. Planning and coordination are needed: first such a platform for security software must be designed and built, the providers must convert their software to it and finally all these changes must reach the customers. Only then could Microsoft put up the wall around the Windows kernel.
And although the announcement evokes the close friendship between the companies, there is a telling hint in the quotes from the partners: ESET emphasizes that access to the kernel must remain an option for security software. Who would demand the removal of this access if it had not been discussed?
In addition to this point, the question also arises: why publish such an announcement if the discussion was purely in principle? Although Microsoft emphasizes that no decisions have been made, that it wants to be transparent, and that only key topics and consensus points were discussed, there are too many arguments against this. For one thing, the Windows developers wanted to completely lock down the kernel of the operating system back in 2006. At the time, the security industry vehemently opposed the attempt.
And secondly, security is currently a top priority in Redmond; every employee must now make it their top priority – because the focus on security will influence salaries, bonuses and promotions in the future. In this situation, Microsoft does not invite people to a security summit, discuss things over a few rounds without making any decisions, even make it public – and then leave it at that.
Microsoft as primus inter dispares
Other heavyweights such as Cloudflare feared the direction Microsoft would take in terms of security even before the summit: its CEO Matthew Prince warned just under a month ago that Microsoft would block access to the Windows kernel for everyone except Microsoft itself – with corresponding consequences for the performance of the security software. Prince believes that regulatory authorities need to keep an eye on developments. This is probably why Microsoft emphasizes that government representatives attended the summit – it remains unclear which ones, as they are not mentioned in the report.
Microsoft's article about the Windows Endpoint Security Ecosystem Summit can be found on the Windows blog.
(fo)