Planes grounded as mass worldwide IT outage affects airlines, media and banks

Discussion in 'other security issues & news' started by stapp, Jul 19, 2024.

  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,169
    Location:
    UK
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,147
    Location:
    USA
    When the solution is worse than the problem they need to do something. Over the last 30 years I have had security software cause me way more issues than malware.
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    Dave Farley from the Continuous Delivery YouTube channel[1] suggested that maybe AV drivers should also go through some Microsoft QA process, just like graphics drivers go through WHQL.
    However, I wouldn't blame Microsoft too much for that. They tried something similar by introducing UAC, which was meant to decrease the number of users using the Administrator account (or any other in the Administrators group) in Windows Vista, and there was a lot of pushback from customers instead of approval... The crowd is so stupid, really...
    If Microsoft can't even persuade users not to use the Administrator account, then how can they effectively block access to install kernel-level drivers?

    [1] Continuous Delivery https://www.youtube.com/@ContinuousDelivery
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    This might be a good idea, so before you release AV/behavior blocking drivers, it should first be checked by M$.

    Well, you can't really compare it, since UAC is pretty stupid and doesn't really stop most attacks.

    Yes, good point. This means that M$ should develop new APIs that run in user-mode to give security tools the same capabilities that they now have in kernel-mode, because you wouldn't want to weaken them. But it's probably easier said than done, because let's say malware is capable of running with high privileges; then it will most likely easily be able to terminate security software. Unless Windows gets a complete redesign.
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,147
    Location:
    USA
    It probably should get some kind of redesign. If someone exploits your security software they have higher privilege than you do.
     
  6. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    The end-game of UAC was to steer the Windows software ecosystem to allow users to use a standard user account (an account that is not part of the Administrators group) as an everyday account. I would say they eventually got there. I was using a SUA in Windows 8/8.1 and Windows 10 during the 2013-2020 period as my main account. Yes, I had disabled elevation, so I had to go to the login screen to do any administrative task needing high privileges. It was perfectly doable to log in to the Administrator account no more than twice per month. Except the first week after Windows installation, of course.

    Personally I wouldn't go as far as using Windows S mode, but it is worth mentioning that this mode exists. If one has very basic needs and is looking to not have to worry about reliability issues caused by security software, then this mode can be for such a person. The CrowdStrike Falcon bug was causing BSoDs mostly on enterprise corporate IT devices. Some people may not like to hear it, but S mode is an example of a strategy for limiting the risk of BSoDs if a similar outage were to happen on SOHO devices.
     
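The setup described in the post above (an everyday standard user account, UAC on, elevation requests from standard users denied so that admin work requires logging in as an administrator) can be audited from the everyday account itself. The following PowerShell script is an added example, not code from the thread or from any vendor mentioned in it; it is read-only and changes no settings. The registry value names and their meanings are Microsoft's documented UAC policy values (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `ConsentPromptBehaviorUser`); the pass/fail thresholds in `Test-StandardUserSetup` are this example's own choice and reflect the poster's configuration, not a Microsoft baseline.

```powershell
# Added example, not part of the thread: audit whether this Windows session matches the
# "everyday standard user account, elevation disabled" setup described in the post above.
# Read-only: it changes nothing. Registry value meanings follow Microsoft's documented UAC
# policy settings; the thresholds in Test-StandardUserSetup are this example's own choice.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-AccountStatus {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    # Local Administrators group looked up by its well-known SID, so this also works on
    # non-English Windows. Note: only direct members are listed; membership through a
    # nested domain group would not be detected here.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        User         = $identity.Name
        # True only if the current token is actually elevated (not the UAC-filtered token).
        IsElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        InAdminGroup = [bool]($admins | Where-Object { $_.SID.Value -eq $identity.User.Value })
    }
}

function Get-UacPolicy {
    # Standard users can read this policy key; no elevation needed.
    $p = Get-ItemProperty -Path $PolicyKey
    [PSCustomObject]@{
        EnableLUA                  = $p.EnableLUA                   # 1 = UAC on, 0 = UAC off
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin  # 0 = admins elevate silently, 5 = default consent prompt
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser   # 0 = deny elevation requests from standard users
    }
}

function Test-StandardUserSetup {
    $acct = Get-AccountStatus
    $uac  = Get-UacPolicy
    $findings = @()
    if ($acct.InAdminGroup) {
        $findings += "everyday account '$($acct.User)' is a member of local Administrators"
    }
    if ($uac.EnableLUA -ne 1) {
        $findings += 'UAC is disabled (EnableLUA is not 1)'
    }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0)'
    }
    # A missing value means the Windows default applies (credential prompt), so it is
    # reported as a finding too.
    if ($uac.ConsentPromptBehaviorUser -ne 0) {
        $findings += 'standard users can still elevate via a credential prompt (ConsentPromptBehaviorUser is not 0)'
    }
    [PSCustomObject]@{ Account = $acct; Uac = $uac; Findings = $findings }
}

$result = Test-StandardUserSetup
$result.Account | Format-List
$result.Uac     | Format-List
if ($result.Findings.Count -eq 0) {
    'OK: standard user account, UAC enabled, elevation denied for standard users'
} else {
    $result.Findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from a normal, non-elevated PowerShell window while logged in as the everyday account. Setting `ConsentPromptBehaviorUser` to 0 is the same thing as choosing "Automatically deny elevation requests" for the Local Security Policy setting "User Account Control: Behavior of the elevation prompt for standard users"; changing it requires an administrator session, which is exactly the separate login the post describes.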
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, the idea behind UAC wasn't bad, but in practice it's a major nuisance, I always turn it off. I'm not going to click on hundreds of pointless alerts when running as admin.

    But anyway, what we didn't talk about is the fact that apparently you cannot turn off auto-update in CrowdStrike Falcon? That alone would be reason enough for me to never install it. There is currently a little bit of beef between CrowdStrike and companies like SentinelOne and Trellix, who are saying this would have never happened with their solutions.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    But the question is, how would this work? I mean, all major security tools use drivers that run in the kernel to monitor for malware. Now that I think of it, macOS has apparently stopped supporting kernel extensions and encourages developers to switch to system extensions, which work in user-mode. And apparently SentinelOne fully embraced this move by Apple, see the second link. But this would be a pretty major redesign of Windows 12; I doubt it will happen anytime soon, but you never know.

    https://addigy.com/blog/key-takeaways-for-system-and-kernel-extensions-on-macos/
    https://www.sentinelone.com/blog/go...ed-to-transition-away-from-kernel-extensions/
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Seems like I'm not the only one who thinks it's totally bonkers to enable auto-update with any security tool; just how dumb are people? I always disable auto-update on all of my apps.


    https://www.businessinsider.com/why...microsoft-2024-7?international=true&r=US&IR=T
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    The point is to not run as Admin for day-to-day activities. In my experience from the 2014-2020 period it was possible to do this on Windows 8/8.1/10 without any major inconvenience. Re-logging to the Admin account twice per month is only a minor inconvenience for me.
    Unfortunately people nowadays want to maximize convenience... and this is why we can't have nice secure things.
     
    Last edited: Sep 1, 2024
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, I know that was the point, I'm just saying it's too annoying for me; I'd rather run as admin. I don't believe UAC is a great way to stop attacks, and it's not worth the hassle.

    But anyway, if Windows were redesigned to limit access to the kernel, then it would be similar to when they implemented PatchGuard in Windows Vista. I remember I was against this move at first, but I changed my mind, because rootkits were too powerful back then, and security tools really don't need to be modifying the Windows kernel; it's bad for stability.

    https://en.wikipedia.org/wiki/Kernel_Patch_Protection
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I hope they will sue the heck out of them and that CrowdStrike will be convicted; they shouldn't be able to get away with this. But I'm sure it will be difficult because they probably have it covered in their contracts, and they will probably get only a slap on the wrist.

    https://techcrunch.com/2024/09/02/c...-of-legal-action-from-faulty-software-update/
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    CrowdStrike really doesn't have any shame, at least give this company some compensation? :gack:

    https://www.cnbc.com/2024/12/17/crowdstrike-moves-to-dismiss-delta-suit-citing-contract-terms.html

     