The Blue Screen of Death has been a dreaded symbol of technological failure since Microsoft’s Windows became the world’s dominant operating system in the 1990s.
The flaw was detected simultaneously on millions of computers worldwide on Friday, highlighting both Microsoft’s ubiquity in the workplace and decades-old design choices that have allowed a little-known software company to disable millions of Windows machines. Some security professionals also believe that Microsoft has not taken the vulnerability in its software seriously enough.
Microsoft said in a blog post Saturday that 8.5 million Windows machines were affected, less than 1% of its global footprint. That’s enough to shut down large companies in industries such as healthcare, media and restaurants.
The effects of the crisis continued to be felt at airports Saturday, with U.S. airlines canceling nearly 2,000 flights, down from 3,400 on Friday. Delta, which accounted for more than half of the canceled flights Saturday, has tried to ensure it has crews to cover flights and has asked pilots at major airports to depart when planes are fully loaded and ready to take off safely, regardless of their scheduled departure time.
Friday’s outage was caused by a faulty update sent to enterprise customers by CrowdStrike, one of hundreds of cybersecurity firms that have created a business promising to make Windows more secure. Microsoft has its own competing product, called Windows Defender.
CrowdStrike’s chief executive took responsibility for the issue Friday and said the company was working to restore operations for its customers.
Many people who showed up to work Friday morning knew only one thing: Their PCs had the Blue Screen of Death, while their Macs and Chromebooks were still working. Searches for “Microsoft outage” consistently outpaced “CrowdStrike outage” on Google from Friday morning through Saturday morning.
Friday’s outage highlighted an inherent tradeoff in Windows. Its open design gives developers the freedom to build powerful software that interacts with the operating system at a very deep level. But when things go wrong, the results can be catastrophic, as millions of people discovered Friday.
Because Apple operates a closed ecosystem, the company has a “much healthier balance between forcing people to upgrade, forcing apps to maintain good security practices or removing them from the App Store,” said Amit Yoran, general manager of cybersecurity firm Tenable.
Security issues have long been Microsoft’s Achilles heel, with computers and servers running its software repeatedly targeted for hacks by criminal groups, as well as state-backed actors in Russia and China. Top company executives have been summoned before Congress to explain why Windows is so vulnerable.
Ironically, CrowdStrike CEO George Kurtz publicly raised the issue in January. “What you’re seeing here are systemic failures by Microsoft that are endangering not only their customers but the U.S. government,” he said on CNBC after Microsoft revealed a Russian hack of systems used by its executives.
Two months later, a report from the Department of Homeland Security’s Cyber Safety Review Board found that “Microsoft’s security culture was inadequate and in need of overhaul, particularly in light of the company’s centrality in the technology ecosystem.”
Microsoft said the CrowdStrike crash was not related to concerns raised by federal officials about the company’s security vulnerabilities.
Security professionals who criticize the company’s practices say that in moving to cloud computing, Microsoft has neglected the development of its more traditional products such as Windows and its corporate e-mail and directory products, all of which have been targets of attacks. That neglect has made security software, such as that provided by CrowdStrike, even more necessary, the professionals said.
“If they adopt a security-first culture, it would either be safer for products like these to exist or they wouldn’t be needed at all,” said Dustin Childs, a former Microsoft cybersecurity specialist and now head of threat awareness at Trend Micro, a cybersecurity company. Trend Micro competes with Windows Defender and CrowdStrike.
Pavan Davuluri, Microsoft’s corporate vice president of Windows and devices, said the move to the cloud has been beneficial for software reliability because the operating system is up and running and constantly updated. However, he added that the company faces unique challenges in the tech industry, with a multitude of customers, many of whom are using older versions of Windows running on outdated hardware.
“In Windows, we have a pretty broad range of responsibilities,” Davuluri said. “We absolutely have to meet our customers’ expectations based on their situation: the product itself, its use, its life cycle.”
CrowdStrike’s bug was devastating because its security software, called Falcon, runs at the most central level of Windows, the kernel. So when an update to Falcon caused it to crash, it took the core of the operating system down with it. That’s when the Blue Screen of Death appeared.
In 2020, Apple informed developers that its macOS operating system would no longer grant them kernel-level access.
The change was a pain for Apple’s partners, but it also meant a blue screen of death-type problem couldn’t occur on Macs, said Patrick Wardle, general manager of Mac security maker DoubleYou.
“This meant that many third-party developers, including ourselves, had to rewrite our security software,” he said.
A Microsoft spokesman said the company cannot legally block its operating system as Apple does because of a settlement it reached with the European Commission following a complaint. In 2009, Microsoft agreed to give security software makers the same level of access to Windows that Microsoft enjoys.
Alison Sider contributed to this article.
Write to Tom Dotan at tom.dotan@wsj.com and Robert McMillan at robert.mcmillan@wsj.com