Microsoft Corp. claims a 15-year-old agreement with the European Commission is to blame for Friday’s calamitous security update that plunged millions of PCs worldwide into the worst IT outage ever.

At the core of its argument is this tantalizing and terrifying notion: Is security being sacrificed for competition?

The software juggernaut on Monday said the accord hindered it from making security changes that would have blocked the update from CrowdStrike Inc. that set into motion a digital disaster that impacted airlines, hospitals, banks and other industries from North America to Europe, Asia, the Middle East and Australia.

Microsoft offers an alternative to CrowdStrike known as Windows Defender, but the 2009 deal allows multiple security providers to install software at the kernel level amid the European Commission’s concerns that Windows software gave Microsoft an unfair competitive advantage in software. As a result, Microsoft must share its APIs for Windows Client and Server operating systems with third-party security software developers.

While Apple blocked access to the kernel in 2020, Microsoft told the Wall Street Journal that it was unable to because of the EU deal. Google is also not bound by similar regulations.

“An open kernel is good for competition but horrible for security,” Frank Dickson, vice president of security and trust at market researcher IDC, said in a phone interview.

Dickson cites similar incidents to what happened Friday to 2010, when McAfee had an issue with a DAT file that caused a reboot loop and loss of network access on Windows XP SP3 systems, and in 2017, when Webroot released an update that misidentified Windows system files as malware and Facebook as a phishing site.

Despite Microsoft’s protestations and the scope of Friday’s historic meltdown, the EU is unlikely to grant the company permission to restrict certain developer access. European regulators are scrutinizing the company’s bundling of Teams within Microsoft 365 and its cloud-computing business.

Nor should Microsoft be allowed to use a more than decade-old accord to avoid responsibility, say some cybersecurity experts.

“Arguably, Microsoft’s success was largely because they were [an] open [ecosystem] because they were running on IBM machines back in the day,” Ameesh Divatia, chief executive and co-founder of data security startup Baffle, said in a phone interview.

“There needs to be regulation of upgrades, region by region, given the interconnected world running on mission-critical software,” added Divatia. “Planes are grounded, which is pretty dangerous. We should look at how often you upgrade and when. And Microsoft is notorious for forcing upgrades.”

Meanwhile, the stakes are only increasing as nation-states note the vulnerabilities of global infrastructure more dependent on data-rich AI systems.

“Regulation overseas is only going to get harder,” Divatia warned.

Indeed, Apple is delaying three AI features in Europe — iPhone Mirroring, SharePlay Screen Sharing and Apple Intelligence — until 2025 over concerns about EU competition rules.  The new Digital Markets Act has already forced the company to allow alternative app stores and web browser engines on the iPhone. Apple has claimed the changes will make the iPhone less safe.

Techstrong TV

Click full-screen to enable volume control
Watch latest episodes and shows

Tech Field Day Extra at Cisco Live EMEA

SHARE THIS STORY

RELATED STORIES