On Friday, it showed up on millions of computers around the world at once, highlighting both Microsoft’s continued ubiquity in workplaces and decades-old design choices that allowed the actions of a little-known software company to disable millions of Windows machines. Some security professionals also say Microsoft hasn’t taken the vulnerability of its software seriously enough.
Microsoft said in a blog post Saturday that 8.5 million Windows machines were hit, or less than 1% of its global footprint. That number was enough to bring down the operations of major businesses across industries including healthcare, media and restaurants.
The effects continued to reverberate in airports Saturday, as U.S. carriers canceled close to 2,000 flights, compared with 3,400 Friday. Delta, which accounted for more than half the canceled flights Saturday, has been trying to make sure it has crews to cover flights and told pilots at hub airports to depart when planes are fully boarded and ready to safely go, no matter the scheduled departure time.
Friday’s outage was caused by a buggy update sent to corporate clients by CrowdStrike, one of hundreds of cybersecurity firms that have built a business promising to make Windows more secure. Microsoft has its own competing product, called Windows Defender.
CrowdStrike’s chief executive took responsibility for the problem Friday and said the company was working to restore operations for its customers.
Many people who showed up at work Friday morning knew only one thing though: Their PCs had the blue screen of death, while Macs and Chromebooks were still working. Searches for “Microsoft outage” outranked “CrowdStrike outage” on Google consistently from Friday morning through Saturday morning.
Friday’s meltdown brought a trade-off inherent to Windows into sharp relief. Its open design gives developers the freedom to design powerful software that interacts with the operating system at a very deep level. But when things go wrong, the results can be catastrophic, as millions discovered on Friday.
Because Apple runs a closed ecosystem, the company has a “much healthier balance between forcing people to upgrade, forcing applications to maintain good security practices or they pull them off of the App Store,” said Amit Yoran, chief executive of cybersecurity firm Tenable.
Security issues have long been Microsoft’s Achilles’ heel, as computers and servers running its software have been the target of repeated hacks by criminal groups, as well as state-sponsored actors in Russia and China. Top company executives have been brought in front of Congress to explain why Windows is so vulnerable.
Ironically, CrowdStrike CEO George Kurtz raised the issue publicly in January. “What you’re seeing here is systemic failures by Microsoft, putting not only their customers at risk, but the U.S. government at risk,” he said on CNBC after Microsoft disclosed a Russian hack of systems used by its senior leadership.
Two months later, a report by the Department of Homeland Security’s Cyber Safety Review Board found that, “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem.”
Microsoft said the CrowdStrike crash was unrelated to the issues raised by federal officials about the company’s lapses in security.
Security professionals critical of the company’s practices say as Microsoft pivoted to cloud computing, it has neglected the development of its more traditional products such as Windows and its email and corporate directory service products, all of which have been the targets of attacks. That neglect has made security software—like the kind provided by CrowdStrike—more necessary, the professionals said.
“If they have a security-first culture, it would either be safer for products like these to exist or these products wouldn’t be needed at all,” said Dustin Childs, a former Microsoft cybersecurity specialist who is currently the head of threat awareness at cybersecurity firm Trend Micro. Trend Micro competes with Windows Defender and CrowdStrike.
Pavan Davuluri, Microsoft’s corporate vice president of Windows and devices, said the move to the cloud has been good for software reliability because the operating system is live and constantly updating. But he said the company has unique challenges in the tech industry dealing with an array of customers, many of whom use old versions of Windows running on outdated hardware.
“In Windows we do have a pretty broad range of responsibilities,” Davuluri said. “We definitely have to meet our customers in terms of where they’re at—the product itself, its use, its life cycle.”
CrowdStrike’s bug was so devastating because its security software, called Falcon, runs at the most central level of Windows, the kernel, so when an update to Falcon caused it to crash, it also took out the brains of the operating system. That is when the blue screen of death appeared.
In 2020, Apple told developers that its MacOS operating system would no longer grant them kernel-level access.
That change was a pain for Apple’s partners, but it also meant that blue-screen-of-death-style problems couldn’t happen on Macs, said Patrick Wardle, the chief executive of Mac security maker DoubleYou.
“What it meant was that a lot of third-party developers, ourselves included, had to rewrite our security software,” he said.
A Microsoft spokesman said the company cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.
Alison Sider contributed to this article.
Write to Tom Dotan at tom.dotan@wsj.com and Robert McMillan at robert.mcmillan@wsj.com