Microsoft blames Europe for Windows access that allowed CrowdStrike meltdown

“On July 18, CrowdStrike, an independent cybersecurity company, released a software update that began impacting IT systems globally,” wrote David Weston, Microsoft VP of Enterprise and OS Security, two days later. “Although this was not a Microsoft incident, given it impacts our ecosystem, we want to provide an update on the steps we’ve taken with CrowdStrike and others to remediate and support our customers.”

“I want to sincerely apologize directly to all of you for today’s outage,” wrote CrowdStrike Founder and CEO George Kurtz a day earlier. “All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority. The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.”

While primary culpability is clear, it’s still somewhat concerning that the world’s default computing platform can be nuked by a third party in this way. The ramifications have been dramatic, with the airline industry especially hard hit. Reuters reports that US airline Delta had to cancel almost 5,000 flights, leaving thousands of American punters having to enact the plot of Planes, Trains and Automobiles.

Buried at the end of a WSJ report that seeks to explore Microsoft’s security challenges is a comment from an unnamed Microsoft spokesman that claims “it cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.” The clear inference being that without that access, this SNAFU doesn't happen.

Most likely the EC action was in response to the launch of Windows Defender and Microsoft Security Essentials, which effectively competed against the numerous third party security software packages that had been developed for decades to protect users from Windows’ many vulnerabilities. The EC has never been a fan of Microsoft using its dominant OS position to gain unfair advantage in other markets.

So while it’s technically accurate to say that CrowdStrike wouldn’t have had that level of access to Windows if the EC hadn’t insisted on it, the apparent alternative would be a Microsoft monopoly of the lucrative cyber security market. And, of course, there’s no guarantee that a Microsoft boffin wouldn’t at some stage make a similar mistake to CrowdStrike’s.

In the above blog post, Weston revealed that less than one percent of Windows machines were affected by the CrowdStrike update, which is some small consolation. But if the access to Windows mandated by Europe didn’t exist and, as a result, Microsoft had a security software monopoly, a similar mistake by Microsoft would presumably affect 100% of Windows machines.

Maybe the WSJ’s Microsoft source was comms lead Frank Shaw. As you can see in his tweet below, while conceding the accuracy of the report he takes issue with its perceived agenda. Below that is a tweet from the CEO of Cloudflare, another major security player, arguing that allowing a Microsoft monopoly of security on Windows is not the right response to this incident.