Microsoft pins Windows outage on EU-enforced ‘interoperability’ deal

An interoperability deal Microsoft enforced by the European Commission in 2009 may have led the Windows-maker to open itself to the recent CrowdStrike-led outage, according to Microsoft.

In an interview with WSJ, a Microsoft spokesperson indicated the deal could have potentially kept Microsoft from completely locking down the Windows operating system for security purposes. Queries sent to Microsoft however did not elicit a response until the publishing of this article.

The “Interoperability Commitment” Microsoft entered made the company grant security software makers the same access to Windows as Microsoft itself.

“Microsoft shall ensure that third-party software products can interoperate with Microsoft’s Relevant Software Products using the same Interoperability Information on an equal footing as other Microsoft Software Products,” outlined the agreement available as a Doc file on Microsoft’s website.

EU laws mandate open API access

As per the agreement, Microsoft was mandated to provide third-party security software makers access to the APIs used by its security products in Windows Client and Server operating systems. Additionally, Microsoft was asked to document these APIs on the Microsoft Developer Network, except when doing so would create security risks.

The EU has intensified efforts to combat anti-competitive behavior by big tech, making it unlikely to permit Microsoft to further lock down Windows, despite any potential benefits.

Apart from Windows Client and Server operating systems, software makers, under the agreement, are also allowed federated access to Microsoft’s PC productivity applications, SharePoint, Outlook and Exchange, and the.NET framework.

Interestingly, the EU has not been able to arrange such terms with Apple or Google, and both macOS and ChromeOS, respectively remain free from any inclusivity obligations. This may have to do with how different these companies are from Microsoft in terms of their business models. Apple operates closed integration of its software, whereas Google’s open-source Android platform already provides a lot of transparency.

CrowdStrike-led outage was avoidable

While the deal, in itself, aims to ensure a fair competitive environment by enabling third-party software vendors to integrate and operate seamlessly with Microsoft’s products, it isn’t as great from a security viewpoint as it opens critical Microsoft systems to third-party access and may sometimes even lead to a mass disruption as in the case of recent CrowdStrike patch fiasco.

“This highlights the risk of open systems and API access to security vendors mandated by EU laws,” said Pareekh Jain, CEO and lead analyst at Pareekh Consulting. “In the future, lawmakers would need to make a special case for security while advocating open access and a level playing field to security software companies.”

The CrowdStrike outage was caused by a defect found in a Falcon content update for Windows hosts as confirmed by CEO George Kurtz. Without the interoperability obligation, perhaps, Microsoft could’ve had measures in place to stop the update from being pushed to countless Windows machines within just 79 minutes.