CrowdStrike backs Microsoft’s demand for reducing kernel-level access




“Certain events must be tapped into at the kernel level and responded to accordingly, but the whole signature matching process doesn’t need to happen there,” Florian Roth, head of research at Nextron Systems, wrote in an X post. “It could reside in another component, limiting the kernel module to essential tasks only.”

“Ideally, such privileged access should be governed stringently, ensuring adequately tested, digitally signed software with limited privileges is used,” said Sunil Varkey, advisor at Beagle Security. “Collectively, a new approach to balance between risk and effectiveness is needed.”

Kernel access represents a significant point of vulnerability because it enables deep system-level interactions, which, if exploited, can result in extensive disruptions and breaches. By restricting kernel access, Microsoft aims to minimize the potential for such vulnerabilities.


