Yesterday I was hesitant to muddy the waters in this thread when the topic came up, but I guess it’s still an interesting question for many users:
I don’t understand why Microsoft still allows any modification of core system files. That’s like renting out a house lacking locks, telling the renters to ask your cousin Billy for protection, because he once saw a war movie and owns a knife. What could possibly go wrong.
There is no simple answer and a lot to do with history and how things work. And corporate security wants Microsoft to provide security features, even if “subcontracted” to CrowdStrike or others. They count on Microsoft, no longer their own IT organisations, to do the right thing. Not necessarily a prudent decision anymore.
Yeah, makes sense. It’s just… you need CrowdStrike, the clumsy good guy in this picture, because you (Microsoft) leave the doors open for bad guys. Maybe I’m just spoiled by macOS. Change one bit (if you can) and find out. It’s either intact or not. Unless Apple damages it.
Also involved is that over the decades of IT systems (and other technologies) controls evolved to mitigate specific risks. That’s the whole point of Risk and Controls Analysis. But over time, organisations have lost the memory and understanding of the risks and how they are connected to controls. And then when they change (cost reduction, lesser qualified people, etc.) or eliminate controls without understanding (organisationally) the change in risk profile … risk increases. Boom.
Edit: My Scrivener projects full of corporate stuff on Risk and Controls Analysis.
That’s kind of my point. What would CrowdStrike even do for macOS? It can’t protect the Signed System Volume better than Apple, that’s for sure. Unless I decide to lower the overall system security first to let it do something. I have a hard time wrapping my head around this concept.
Microsoft has now told the Wall Street Journal that the reason such an update could have a calamitous, global impact is the fault of the European Commission. Specifically, a spokesperson said that EC agreements mean that Microsoft is not legally allowed to secure its systems the way Apple does.
Reportedly, in 2009, Microsoft agreed with the EC that it would provide equal access to Windows security developers that it has for its own teams. Therefore, CrowdStrike could push out an update without Microsoft necessarily even knowing about it.
This is Microsoft washing its hands of the issue. But it’s also much more than that.
For this is Microsoft effectively saying that it allegedly cannot but certainly will not do anything to prevent this from happening again.
The Wall Street Journal notes that in 2020, Apple told security developers that they would no longer have what’s called kernel access for their software. Microsoft security developers still have this type of access to Windows.