Apple Devices Secure from CrowdStrike Bug, What’s Next for Updates?


In the New York Times coverage of the CrowdStrike update bug that caused havoc starting last Friday, there’s a lovely deadpan line eleven paragraphs in:

Apple and Linux machines were not affected by the CrowdStrike software update.

Even while sympathizing with those directly and indirectly affected, it’s hard not to be a little smug. The larger question is, could a similar kind of problem affect Macs? That would be bad for us Mac users but less so for the world, given that Macs are used in fewer mission-critical situations than Windows-based PCs and may not even be as relied upon as iPads for vertical market tasks like point-of-sale applications, medical record tracking, and education management. What about iPhones? I have less of a sense of how mission-critical they are to businesses and other organizations, but there are certainly millions of individuals whose lives would be upended if their iPhones were suddenly bricked. They would have trouble making calls and texts, taking public transit, making purchases, navigating to unfamiliar destinations, and much more.

At The Eclectic Light Company blog, Howard Oakley examines the possibility of Macs being affected by something similar. He concludes that such an outage is increasingly unlikely overall and is no longer a significant risk for Apple silicon Macs. On Windows, CrowdStrike’s Falcon sensor code almost certainly runs as a kernel-mode driver with elevated privileges, which is why its bug can prevent a PC from booting successfully. On the Mac, the equivalent approach would require a kernel extension (kext), but Apple deprecated kexts starting in macOS 10.15 Catalina in 2019, pushing developers to use System Extensions instead. Kernel extensions can run on Apple silicon Macs only if the user drops system security to Reduced Security and explicitly allows third-party kexts to load. Don’t do that unless you have a really good reason.

In fact, the Mac version of CrowdStrike’s Falcon sensor reportedly used a kext on Intel-based Macs prior to Big Sur but has since switched to an EndpointSecurity System Extension. System Extensions run with standard user privileges, so even if one suffered from a critical bug, it shouldn’t be able to cause a kernel panic.

What about iOS and iPadOS? They’re even more secure than macOS because they have never allowed kernel extensions and don’t support anything like macOS’s System Extensions. All iOS and iPadOS apps are sandboxed, so they can’t affect the system or any other app. That’s not to say that iOS and iPadOS are perfectly secure or reliable, but they’re certainly among the best consumer-grade operating systems.

Apple devices may not be as vulnerable to a bug in an update to third-party software like CrowdStrike, but that doesn’t mean we can be complacent. Apple itself regularly releases updates, and while it’s essential to install them to patch security vulnerabilities, Apple’s engineers could make a mistake that would cause problems for millions. Howard Oakley’s article reminded me of when an Apple update inadvertently disabled Ethernet (see “El Capitan System Integrity Protection Update Breaks Ethernet,” 29 February 2016). Apple quickly addressed the problem, but the lack of Ethernet prevented some Macs from getting the revised update, requiring manual intervention.

What should happen to reduce the chances of an outage like this happening again?

Plenty of other lessons could be taken away from the CrowdStrike debacle, but I worry that it will fall out of the headlines too soon for other companies to learn from CrowdStrike’s mistakes.

Neha Sharma
Neha Sharma is a tech-savvy author at The Reportify who delves into the ever-evolving world of technology. With her expertise in the latest gadgets, innovations, and tech trends, Neha keeps you informed about all things tech in the Technology category. She can be reached at neha@thereportify.com for any inquiries or further information.
