What I don’t understand is how CrowdStrike has the ability to update the kernel ? Shouldn’t Microsoft only be allowed to touch that delicate part of the operating system ?
exactly. That’s why EV Code Signing Certificates exist!
In order for anyone to write a kernel level driver they have to obtain EV Code Signing Cert and submit it to Microsoft.
What Crowdstrike has done…they submitted one driver, and architected it so that this driver will take the content from a folder and execute, therefore bypassing all the security. Its effectively a “backdoor” to execute anything in kernel, provided by a Cybersecurity company! Crazy!
Watch this video where it explains. MELIH ABDULHAYOGLU .
This does put CISOs in a legal jeapordy if they continue to use Crowdstrike as a product, especially if they are a public company, I believe they have to report to the SEC the usage of Crowdstrike as a " Material Cybersecurity Incidents"…yep…mere usage of it is a Material Cybersecurity Incidents because of that backdoor to Kernel they have architected.
I also put some good info in this post where I have highlighted the exact clause in the EV Code Signing guideline where the problem is “4, a…Only to sign code that complies with the requirements set forth in these guidelines!”
Well, because they dynamically load it after the code is signed, that means the code they are running inside the kernel is NOT compliant with EV Guidelines… Crazy backdoor from the largest cybersecurity vendor bypassing all industry guidelines, bypassing all Microsoft’s guidelines…
I wonder given the devastating effects a buggy kernel driver can have, shouldn’t Microsoft test the driver internally before releasing the certificate? Would it take too much time and money or lack of internal resources?
Microsoft does do test and CABForum has created guidelines on EV Code Signing so that anything running in Kernel goes thru a vigorous process of validation. However Crowdstrike managed to bypass this intentionally!
If you read the below posts it might give you a good picture.
So,if I understand correctly, their driver was approved at the kernel level but was downloading data from outside the kernel to be able to quickly stay up-to-date on new threats without having to update the driver and re-certify it.
“A Microsoft spokesman said it cannot legally lock down its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed to give security software makers the same level of access to Windows that Microsoft gets.”
Yes, pretty much sums it up!
And now they are trying hard and playing semantics not to accept that point