macOS CrowdStrike: Why it doesn’t have to be the same disaster as Windows


The security software CrowdStrike Falcon, which reaches deep into the systems it protects and which caused a massive worldwide Windows outage last week because of a faulty update, also runs on Macs. Those systems, however, were not affected: the technical basis there is completely different. One reason is that so-called endpoint security solutions on macOS can interfere far less deeply with the system than they can on Windows. The well-known security expert Patrick Wardle now explains the background for Mac & i. He is regarded as a macOS specialist, but he also worked with Windows systems for a long time, including for the US intelligence agency NSA.



Security tools are integrated differently on macOS than on Windows. “They typically come in the form of system extensions, which run in user mode and therefore cannot crash the system,” he says. CrowdStrike on macOS is also largely restricted to specific Apple APIs and interfaces. “They are significantly less invasive than Windows security tools.”

Of course, there are disadvantages, because the tools are then less powerful. “Due to limitations imposed by macOS/Apple, such tools cannot scan/read the memory of other processes, for example, to detect in-memory exploits, payloads, or implants.”


In general, he welcomes the direction Apple has taken. The company has essentially abandoned kernel extensions and replaced them with system extensions, network extensions, and endpoint security extensions. “These are basically frameworks that allow tools to run in user mode in a privileged or protected environment and are almost as powerful as kernel mode.” These frameworks are also tailored to specific purposes, such as the Endpoint Security framework for security tools. As a result, developers run into fewer problems.
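To make the user-mode model concrete, here is an added illustration of what such a tool looks like on macOS: a minimal Endpoint Security client that subscribes to process-execution events. This is example code written for this article, not code from CrowdStrike or from the article's author; it assumes macOS 10.15 or later, the com.apple.developer.endpoint-security.client entitlement, and execution as root.

```swift
// Added illustration: a minimal user-mode Endpoint Security client.
// Not code from the article or from CrowdStrike. Assumes macOS 10.15+,
// the com.apple.developer.endpoint-security.client entitlement, and root.
import EndpointSecurity
import Foundation

// The client is an ordinary process: a bug in this handler terminates
// this process, not the kernel, which is the point made in the text.
var client: OpaquePointer?
let status = es_new_client(&client) { _, message in
    switch message.pointee.event_type {
    case ES_EVENT_TYPE_NOTIFY_EXEC:
        // The kernel delivers a copy of the event; the handler can only
        // read it and has no way to read another process's memory.
        let target = message.pointee.event.exec.target.pointee
        let path = String(cString: target.executable.pointee.path.data)
        print("exec ppid=\(target.ppid) path=\(path)")
    default:
        break
    }
}

switch status {
case ES_NEW_CLIENT_RESULT_SUCCESS:
    break
case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
    fputs("missing endpoint-security entitlement\n", stderr); exit(1)
case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
    fputs("Full Disk Access (TCC) not granted to this binary\n", stderr); exit(1)
default:
    fputs("es_new_client failed: \(status)\n", stderr); exit(1)
}

// Subscribe only to the events needed: the framework exposes a fixed
// catalogue of events rather than arbitrary kernel hooks.
var events: [es_event_type_t] = [ES_EVENT_TYPE_NOTIFY_EXEC]
guard es_subscribe(client, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fputs("es_subscribe failed\n", stderr); exit(1)
}
dispatchMain()
```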

A great deal is possible in the kernel on Windows, even though Microsoft has long offered mechanisms such as PatchGuard that prevent you from doing “really crazy things.” “That being said, you can do a lot in the kernel, but the biggest problem is that a single error is enough to crash the system.” And that is exactly what happened with last Friday’s faulty CrowdStrike update.


(B.Sc.)
