Microsoft blames European Commission for global CrowdStrike catastrophe

Comments

  • Reply 41 of 74
    9secondkox2 Posts: 3,002 member
    Yep. The geniuses at the EU made it so CrowdStrike can bypass Microsoft safeguards entirely and push their own junk directly onto Microsoft systems.


    Sigh. No, no they really didn't do that. Please go and look at this web page.

    From there, you can download the Word document called "Microsoft Interoperability Undertaking", which is the agreement that Microsoft is claiming "made" it give kernel access to third parties.

    Go to Section C, paragraph 42, which is the undertaking concerning security software. Find the bit which mandates kernel access. I'll wait. And I'll be waiting a long time, because no such mandate exists, despite what certain pundits with bees in their bonnet about the EU might have told you.



    Um… you might be surprised to learn this, but Windows isn’t MacOS, iOS, etc. It’s designed differently from the ground up and is meant to be extremely extensible.

    Literally no developer has complained they didn’t have enough access to core tech. 

    So when the EU decided to tell MS what to do, it wasn’t so easy as to restrict access to a safer sandbox - we are used to hearing that from Apple. Not Microsoft. Microsoft would have to fundamentally change the entire OS from the ground up - which you’ll remember is something they’ve tried and stopped doing in development as it broke all the things the world relied on.

    It’s not up to MS to become something else entirely or leave its entrenched users behind. It’s up to the EU to get smart and either reverse some of their stupid decisions or at least rework them to actually work in the real world. 

    You don’t just take something most of the world uses and tell them how to do stuff without regard for how their products work - and even expect your opinions to force them to abandon their entire customer base and create a new one by creating an entirely different product - which is what you’re suggesting would require.

    Microsoft built a dominant OS which had the ability to accept deep hooks into the OS by its own software such as Office, to provide a performance advantage as well as allowing all the software to work together as if it were all part of the OS. 

    NEXT THING YOU KNOW, the infamous EU is calling that anticompetitive and forcing them to give EVERYONE that kind of integration. 

    For a while, it was quiet. But now that something has literally halted the entire world, we hear about it. 

    So let’s see: Microsoft has its core OS. EVERYTHING WORKS (most of the time…) and businesses are happy. 

    Developers… develop. With mixed results as per usual. 

    The EU steps in and orders MS to give developers the SAME unfettered access it has itself. 

    Sometime later…Boom. The world stops. 

    The common denominator? The EU. 

    If that policy wasn’t in place, we wouldn’t have this issue. 

    The answer isn’t force a tech company to abandon its product and make a new one. The answer is review your failed policy (that wasn’t made by software engineers) and roll back the stupid parts. 
  • Reply 42 of 74
    nubus Posts: 568 member
    When MS agreed to this, the wording was very, very positive towards EU. Read the part about "Amendments to Security Features":
    https://news.microsoft.com/2006/10/13/brad-smith-press-conference-transcript-announcement-regarding-release-of-windows-vista-in-europe-and-korea/

    MS PR could have been professional and stayed silent. Now they say that the core of Windows is at risk and on a global scale! Add a full attack on authorities for an 18 year old agreement that MS "forgot" to implement. Attacking authorities might work in US. In most other regions this is a 100% PR disaster. MS should be happy that the EU Cyber Resilience Act is not yet in place or the fine would have been 2,5% of global revenue. Stupid PR team.




  • Reply 43 of 74
    avon b7 said:
    Did the EU make Microsoft do this worldwide?

    The problem last week had nothing to do with the EU. It was sloppy coding, sloppy testing and with little to no resilience built into the whole process. 
    Essentially, yes. Because Microsoft is forced by the EU to allow all external partners equal access to push their security updates, this means mistakes like this can and will happen.
  • Reply 44 of 74
    BittySon Posts: 75 member
    Microsoft is absolutely correct as the EC has appeared to do everything that they can to degrade computing security in the pursuit of some antitrust agenda that only they can try to explain.  Microsoft’s error here is in complying, “going along to get along”.  Apple has been heroic in attempts to resist and has mostly done so although alternative app stores for iOS will likely prove as dangerous as Apple has suggested.  I just wonder how Europeans would feel if these companies simply abandoned these markets. The world cannot afford to let European threaten world security for a third time in a little over a century.
  • Reply 45 of 74
    jimh2 Posts: 654 member
    Kernel access is a horrific thing to grant to third parties. That only 1% of machines were affected is irrelevant because many of the machines affected were servers, affecting 1000's and 1000's of other users and processes.
  • Reply 46 of 74
    applesauce007 Posts: 1,702 member
    ssfe11 said:
    The EC once again shows how clueless grandstanding politicians can cause havoc. The EC taking lefts and rights from Apple, Meta and now Microsoft. The only way to beat these ignorant folks is to band together and that’s what looks like is exactly happening. Nice!
    The EC is a big risk to Global Security as this bad update could easily have been malicious.
    Microsoft should let EC demands apply to the EU and not the whole world.

    I hope Apple does not give in to their stupid demands.
    Apple should sell the watered down versions of their products in the EU.
    People who want the full products can buy from the UK and other non EU countries. 
  • Reply 47 of 74
    kmarei Posts: 198 member

    Nothing to do with Microsoft and everything to do with the EU giving unscrupulous developers unfettered access. 

    There should be a class action suit against the EU from all counties and corporations as well as all individuals affected. 

    While CrowdStrike deserves criticism, it’s not really their fault entirely. Any developer will have mistakes. But the big lawmakers, who are trying to steer the world where they want - bear responsibility for throwing the toddlers into the deep end of the pool and then doing nothing when they can’t swim.

    Reverse these stupid policies. 






    my issue is, this was not a mistake
    if they had tested this on 1 pc, they would have isolated the issue
    this was not a case of if you this update MAY cause issues
    it would CERTAINLY cause issues since it references an area of memory that is NOT valid
    on ANY windows pc running windows 10 or 11

    if this was an issue with users who had Crowdstrike and a specific version of winzip for example
    then it would be a mistake, because they can't account for all software ever released

    but this would have caused a freshly formatted windows 10/11 pc to crash, even if it had ZERO added software


    edited July 22
  • Reply 48 of 74
    brianjo Posts: 50 member
    avon b7 said:
    Did the EU make Microsoft do this worldwide?

    The problem last week had nothing to do with the EU. It was sloppy coding, sloppy testing and with little to no resilience built into the whole process. 
    The EU made Microsoft allow others to have access to the software. The only way to restrict this to EU customers would have been to create separate versions of the software specific to the EU.

    Apple doesn't allow access this deep into the system for anyone which means only Apple gets to mess in this area and test appropriately.  It's not an area 3rd parties should be delving into.
  • Reply 49 of 74
    mac_dog Posts: 1,083 member
    I would expect nothing less. Americans don’t take responsibility for anything and, therefore, no accountability. 
  • Reply 50 of 74
    iadlib Posts: 109 member
    Gee if only there was a simple, secure, elegant, modern solution to... oh wait, should have switched to Mac!
  • Reply 51 of 74
    nubus Posts: 568 member
    brianjo said:
    The EU made Microsoft allow others to have access to the software. The only way to restrict this to EU customers would have been to create separate versions of the software specific to the EU.
    Read the agreement between EU and MS:
    "We  (MS) devised a new engineering approach that will create and extend new kernel level APIs so that PatchGuard will be retained, the security of the kernel will be protected, and yet security vendors will have an opportunity to meet their needs through these kernel level API extensions."

    Not that this is the first time. Norton updates have caused a lot of kernel failures on Windows.
    MS did nothing in 18 years and still you blame EU.
  • Reply 52 of 74
    dewme Posts: 5,647 member
    This is an “interesting” response by Microsoft. They are basically saying if they were allowed to follow Apple’s “walled garden” approach and sandbox all non-Microsoft code running at any level then this would not have happened. I think this is a bit disingenuous considering Microsoft’s major claim to fame was their ability to support everyone and anyone’s hardware and software, unlike Apple. 

    I’m never going to subscribe to some of the anti-Microsoft statements being regurgitated in some of the comments because everyone is entitled to state their opinions. But I’m not going to let Microsoft off the hook either because they can’t have it both ways. Once you sign up to being the single software platform for bringing the masses of PC makers’ hardware to the computing world you have to take full responsibility for what you’ve gotten yourself into.

    This particular software debacle is truly on CrowdStrike no matter how you slice it. The potential penalties and demands for compensation are going to be in the billions. I can understand why Microsoft wants to get beyond the blast radius of this shit bomb but they are taking the wrong path away from the blast. Don’t go trying to deal with a technical flub up by throwing politics into the mix. Politics never helps anything, even other politics. Microsoft should know better especially with its current pragmatic CEO.

    I also think that anyone who’s been deeply involved in software and its complexity understands that there is no such thing as perfection. Once you go beyond a trivial software implementation with zero dependencies the notion of perfection goes out the window. It’s really about trying to put as many safeguards in place and constantly questioning and verifying whether you’ve done enough. 

    Many software developers have a hard time grasping all of the possible execution paths in even simple functions, especially when exceptions occur and ripple effects cascade through the application and other dependent applications, services, drivers, libraries, kernel functions, etc. Most modern programming languages isolate and abstract so much of what is happening at the lower layers of the operating system, including what’s happening in the CPU itself and hardware interfaces. 

    When I hear claims of Apple being invulnerable to massively impactful bugs or breaches I know deep down that it’s only a matter of time. It’s not “never,” it’s more like “not yet.” The same thing applies to Apple being beyond the touch of external demands. At some point there will be demands placed on Apple by unyielding authorities. Will Apple bend or exit a market when the bottom line impact on their financial performance is massive? We don’t know yet but Apple is already walking a tightrope in certain markets. 
    edited July 22
  • Reply 53 of 74
    M68000 Posts: 830 member
    blastdoor said:

    This is basically a golden age of competition in computing platforms and the EC is trying to wreck it.

    It's a golden age of competition in computing because the DoJ and EU both took action to rein in Microsoft in the late 90s and early 2000s. Maybe you're not old enough to remember when Microsoft could get away with anything it wanted, but trust me, it wasn't fun. Ask Novell. Or WordPerfect. Or Lotus. All of whom had better products which got steamrollered because Microsoft controlled Windows.
    Let’s not forget Netscape, which looked very cool at the time.
  • Reply 54 of 74

    [GIF: "I blame society", Repo Man (1984)]

    "Society made me what I am."
  • Reply 55 of 74
    9secondkox2 Posts: 3,002 member
    kmarei said:

    Nothing to do with Microsoft and everything to do with the EU giving unscrupulous developers unfettered access. 

    There should be a class action suit against the EU from all counties and corporations as well as all individuals affected. 

    While CrowdStrike deserves criticism, it’s not really their fault entirely. Any developer will have mistakes. But the big lawmakers, who are trying to steer the world where they want - bear responsibility for throwing the toddlers into the deep end of the pool and then doing nothing when they can’t swim.

    Reverse these stupid policies. 






    my issue is, this was not a mistake
    if they had tested this on 1 pc, they would have isolated the issue
    this was not a case of if you this update MAY cause issues
    it would CERTAINLY cause issues since it references an area of memory that is NOT valid
    on ANY windows pc running windows 10 or 11

    if this was an issue with users who had Crowdstrike and a specific version of winzip for example
    then it would be a mistake, because they can't account for all software ever released

    but this would have caused a freshly formatted windows 10/11 pc to crash, even if it had ZERO added software


    And because the EU forced Microsoft to allow any developer to have the same level of access to the OS Microsoft does, you have developers who are human, hurried, make mistakes, are sometimes unscrupulous, etc. with access way above their pay grade.

    Nothing MS can do without breaking their OS AND COUNTLESS software packages that are entrenched in just as countless number of businesses. 

    The EU simply needs to recognize the mistake and reverse course. It’s not up to the software company to handicap itself and its partners in order to fix a stupid policy decision. 
  • Reply 56 of 74
    aijws Posts: 15 member
    Think you’re all missing the point. 

    This is old news, although it will probably happen again. 

    The question should be, who’s gonna be on the hook for the $Billions demanded in the Class Action Suit?

    Surely the Airlines and other Companies that must reimburse their customers and clients will demand damages from everyone involved. 

    Not to mention all the losses the Carriers are not required to reimburse customers due to limits placed on them by law. 

    Damages Could be great enough to force some into receivership. The damagees could be given percentages (in stock) of the companies’ assets. This would then diminish the holdings of regular stockholders and investment firms, creating another level of kerfuffle.

    I foresee two possibilities!

    The first leading to World Wide Depression and downfall the likes of which Western Civilization has never seen. 

    Of course that’s the worst case scenario.

    On the other hand it might just be limited to a small localized event. 
  • Reply 57 of 74
    nubus Posts: 568 member
    aijws said:
    I foresee two possibilities!

    The first leading to World Wide Depression and downfall the likes of which Western Civilization has never seen. 
    Planes didn’t drop from the sky and utility companies kept the lights on. It is an inflection point and a lesson to learn from. IT teams will adapt.
  • Reply 58 of 74
    avon b7 Posts: 7,956 member
    chadbag said:
    avon b7 said:
    Did the EU make Microsoft do this worldwide?

    The problem last week had nothing to do with the EU. It was sloppy coding, sloppy testing and with little to no resilience built into the whole process. 
    And MS is expected to maintain separate versions for the EU and the rest of the world?   EU directives do affect the whole world where it’s not feasible to wall it off for a region.  And allowing security providers who have customers and deal worldwide access only in EU based PCs makes no sense.  
    The laws are only applicable within the EU.

    If they then serve as models for the rest of the world, that's not an EU issue. It's that others thought it was the way to go. 

    Microsoft could have made EU only changes if necessary and if it deemed those changes would be biting off more than it could chew, it could pull out of the EU.

    Clearly, it thought continuing business as usual was the way to go. And it probably thought other jurisdictions were going to suit anyway. 
  • Reply 59 of 74
    michelb76 Posts: 677 member
    The worldwide outage of Windows PCs was because of companies blindly automatically updating software and disregarding security and safety to save some bucks.
  • Reply 60 of 74
    dewme Posts: 5,647 member
    michelb76 said:
    The worldwide outage of Windows PCs was because of companies blindly automatically updating software and disregarding security and safety to save some bucks.
    Placing your trust in other people’s hands has always involved risk. It’s also unavoidable because individuals and organizations don’t have the expertise, experience, or knowledge of every problem domain in play to take on all of the responsibilities themselves. People die on the operating table due to medical mistakes and unforeseen circumstances but I’d still rather place my trust in the hands of a trained and experienced doctor and hospital instead of trying to perform surgery on myself in the basement or attending medical school to gain the knowledge I’d need to perform medical procedures on myself. 

    For a lot of companies any form of IT management and security protection is totally foreign to their primary domain of concern. Should they know better than to defer responsibility to companies like CrowdStrike or Microsoft? Should all companies have an internal team of IT specialists? There is no easy answer, especially when creating a sufficiently competent internal capability at a level that CrowdStrike or Microsoft, however imperfect, can deliver at a cost that’s spread across many other customers.

    At the same time companies can’t simply throw up their hands and hoist their surrender flag when it comes to IT because IT is everywhere, it’s unavoidable, and cannot be ignored if you want your company to survive. Over the past couple/few decades many companies have come around to having C-level executives like CIOs and CISOs who own corporate level responsibility for ensuring their company’s IT and security posture is sufficient to protect the company and its stakeholders. Everyone in these positions, and their staff, need to stay on top of what’s going on in the IT sector and be aware of existing, evolving, and potential threats to their business. That’s their job. They also need to have a very clear understanding and plans in place to deal with security breaches and down time, including damage control, workarounds, and recovery. These are not trivial roles just to obtain premium parking spots and financial incentives. When a senior executive hires an outside firm to protect their company’s best interests it does not absolve them from ultimate responsibility any more than the CEO would be forgiven for a disastrous business deal that tanked the company.

    Sometimes bad stuff happens and you just have to deal with the consequences. Hopefully you’ll avoid having the same or similar things happening again.