A disastrous update from security firm CrowdStrike knocked millions of systems offline on Friday. All of the affected computers were running Windows, but Microsoft said it had no choice but to give CrowdStrike the keys to the deepest foundations of its operating system.

When CrowdStrike rolled out a disastrous update to all its customers on Friday without adequate testing, it was automatically installed on Windows systems. Once installed, the update resulted in a bug that directly affected Windows’ ability to boot normally. An estimated 8.5 million devices were affected worldwide, including systems at NMBS and Brussels Airport in our country.

CrowdStrike is solely responsible for the problem, which has unprecedented global impact, but it is striking that the bad update could bring about complete Windows downfall. After all, most software on Windows can crash without affecting the entire operating system kernel.

No choice for Microsoft

Microsoft itself also points this out. A Redmond spokesman told the Wall Street Journal that they had no other choice and had to grant CrowdStrike deep access to Windows.

This commitment is the result of an agreement with the European Commission in 2009. As is often the case, Microsoft found itself in the spotlight due to antitrust practices. This time, the reason was competition in the security sector.

Commitment to interoperability

Finally, Microsoft develops its own security solutions for Windows and can theoretically grant them privileged access to the operating system. This would make it more difficult for third parties such as CrowdStrike to provide equally powerful security tools. To address these concerns, Microsoft has made a number of promises, including the so-called Commitment to interoperability. This literally means:

“Microsoft ensures that third-party software products can interoperate with relevant Microsoft software products, using the same interoperability information, on a par with other Microsoft software products.”

What this means in concrete terms is explained further in the document:

“Microsoft will ensure, on an ongoing and timely basis, that the APIs in the Windows client PC operating system and the Windows Server operating system that are called by Microsoft security software products are documented and available for use by third-party security software products running the Windows client PC operating system and/or the Windows Server operating system. These APIs will be documented on the Microsoft Developer Network unless open release would create security risks. In such circumstances, Microsoft will grant third-party security providers access to such APIs under a royalty-free license and on fair, reasonable, and non-discriminatory terms.”

Fair competition with major consequences

In other words, in 2009 Microsoft committed to giving external security companies the same access to APIs in Windows as its internal solutions in order to ensure fair competition. According to this principle, CrowdStrike had the right to run deep in the Windows operating system. The APIs in question are linked to the kernel. If something goes wrong, not only the software crashes, but the entire operating system.

This does not mean that the EU is directly responsible. Firstly, CrowdStrike was not careful about the access it had and the responsibility that came with it. Furthermore, Microsoft could also potentially develop alternative APIs that ensure a higher level of protection, although this is more speculation.

Microsoft cites the agreement as the reason why it does not protect Windows to the same extent as Apple does with macOS, for example. This makes Windows more vulnerable to third-party errors.

Disadvantage of openness

The global crash can be seen as a downside of openness. Microsoft is giving the keys to Windows to other parties so that they can compete and innovate. This implies that these parties also have a shared responsibility. If they make a mistake, as they are doing now, it has repercussions at the kernel level of Windows, comparable to a situation where Microsoft made the mistake itself.

The alternative is a closed system without competition, but this does not exclude errors. After all, Microsoft itself is not infallible.