A second outage of several Microsoft services in two weeks, this one attributed to a cyber-attack, is fuelling further questions about the underlying security of the Windows operating system.
According to Microsoft: “While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack… initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it.”
Services affected included Outlook, Azure, and Microsoft 365, with some people complaining on social media that they were unable to work. Starbucks customers also reported issues with the Starbucks app in Boston, New York, Washington DC, Dallas, Chicago, Los Angeles, Tampa and other cities. The disruption caused by this latest outage is, however, minor compared with the Windows outage caused by a mishandled CrowdStrike security upgrade, which resulted in canceled flights and marooned passengers in major international airports around the world last week.
But the underlying cause of the outage, a simple old-fashioned DDoS attack, is being seen by some as further evidence that, in their current form, Microsoft’s software products are becoming increasingly difficult to secure in the cyber-age. As long ago as 2020, America’s cyber defense agency, CISA, highlighted critical vulnerabilities in Microsoft operating systems. With 49 security upgrades, so-called ‘patches,’ needed in one month alone, CISA highlighted the danger of threat actors taking advantage of these flaws before organizations have had sufficient time to apply all the new ‘patches.’
Microsoft lagging behind the cyber-criminals
At around the same time, the US National Security Agency (NSA) issued a strongly worded warning about a critical vulnerability in Microsoft Windows, stating “that sophisticated cyber actors will understand the underlying flaw very quickly.”
Since 2020, however, the world’s cyber actors have become far more sophisticated and determined, while Microsoft now appears to be lagging behind the criminals. The long-term flaw in Windows is that, despite Microsoft’s best efforts in the internet age, it was never designed to be an online product. Instead of being created with security in mind from the start, Windows’ massive digital footprint was originally designed with a single end user in mind. Closely monitored in-house local area networks were sometimes used to link PCs in a controlled working environment.
Nevertheless, despite its long-standing cybersecurity shortcomings, Windows has long been the first choice among operating systems for most organizations, making Microsoft one of the most profitable companies in the history of the world. It now remains to be seen how many more global Windows outages will need to take place before businesses and government bodies decide that Windows’ deep-set security flaws outweigh the convenience of easy interoperability among Windows users.