macOS-CrowdStrike: Why a catastrophe like Windows should not happen

The security solution CrowdStrike Falcon is also available for Apple hardware. However, it is controlled differently there. Fortunately, says Patrick Wardle.

Save to Pocket listen Print view
Stylized image: Laptop with burning screen, Whitehat sits in front of it and counts money

(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)

2 min. read

The highly intrusive CrowdStrike Falcon security software, which led to massive Windows system failures worldwide last week due to a faulty update, also runs on the Mac. However, these systems were not affected. The technical basis there is completely different. This includes the fact that so-called endpoint security solutions under macOS can intervene much less deeply in the system than is the case under Windows. Well-known security expert Patrick Wardle has now told Mac & i. He is an expert in macOS, but has also worked with Windows systems for a long time, including for the US intelligence agency NSA.

Security tools are integrated differently in macOS than in Windows. "They are usually implemented in the form of system extensions, which then run in user mode and therefore cannot crash the system," he says. CrowdStrike under macOS is also generally limited to specific Apple APIs and interfaces. "They are therefore significantly less invasive than Windows security tools."

Of course, this also has disadvantages because the tools are then less powerful. "Due to the restrictions imposed by macOS/Apple, such tools cannot scan/read the memory of other processes, for example, in order to detect in-memory exploits, payloads or implants."

In general, however, he appreciates the way Apple has proceeded. The company had basically abandoned kernel extensions and replaced them with things like system extensions, network extensions or extensions for endpoint security. "These are basically frameworks that allow tools in user mode to run in privileged or protected environments and are almost as powerful as in kernel mode." At the same time, however, these frameworks are only intended for certain applications, endpoint security extensions specifically for security tools, for example. Developers would therefore have fewer problems.

Under Windows, a lot is possible in the kernel, even if Microsoft has long offered tools such as PatchGuard, which prevent "really crazy things" from being done. "Apart from that, you can do a lot in the kernel, but the biggest problem is that a single error is enough to crash the system." And that's exactly what happened with the buggy CrowdStrike update last Friday.

Empfohlener redaktioneller Inhalt

Mit Ihrer Zustimmmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.

Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.

(bsc)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.