Microsoft yesterday released a detailed technical analysis of the outage caused by the CrowdStrike driver.
Microsoft's analysis confirmed CrowdStrike's findings that the crash was caused by an out-of-bounds memory safety bug in CrowdStrike's csagent.sys driver.
The csagent.sys module registers as a file system filter driver on Windows computers to receive notifications about file operations, including creating or modifying files.
This allows security products, including CrowdStrike, to scan any new files saved to disk.
The incident occurred at a time when Microsoft was facing a lot of criticism for allowing third-party software developers to gain kernel-level access. In a blog post, Microsoft explains why it provides kernel-level access to security products:
Kernel drivers allow system-wide visibility and the ability to be loaded early in the boot process to detect threats such as bootkits and rootkits, which can be loaded before user-mode applications.
For this purpose, Microsoft provides kernel facilities such as system event callbacks and file filter drivers.
Kernel drivers provide better performance for situations such as high-throughput network activity.
Security solutions want to ensure that their software cannot be disabled by malware, targeted attacks, or malicious insiders, even if those attackers have administrator privileges. To this end, Windows provides Early Launch Anti-Malware (ELAM) early in the boot process.
However, kernel drivers also come with trade-offs: because they run at the most trusted level of Windows, a defect in one of them puts the whole system at risk. Microsoft is also working on migrating complex Windows core services, such as font file parsing, from kernel mode to user mode. Microsoft recommends that security solution providers balance the need for visibility and tamper resistance against the risks of kernel-mode operation. For example, they can keep a minimal sensor in kernel mode for data collection and execution, which limits exposure to availability issues, and perform the remaining functions, such as managing updates and parsing content, in isolation in user mode.
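The two points above, the out-of-bounds bug in content handling and the advice to validate updates outside the kernel, are illustrated by the following added example. It is constructed for this page, is not code from Microsoft's or CrowdStrike's analysis, and uses an invented record format: a content record declares how many fields it carries, and a lookup is shown both unchecked and with the bounds checks a hardened sensor needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record format (an assumption for illustration, not the
 * driver's real layout): a declared field count plus a fixed-size table. */
#define MAX_FIELDS 20

typedef struct {
    uint32_t field_count;          /* entries the record claims are valid */
    uint32_t fields[MAX_FIELDS];
} content_record_t;

enum { LOOKUP_OK = 0, LOOKUP_BAD_INDEX = -1, LOOKUP_BAD_RECORD = -2 };

/* Unchecked pattern: trusts that idx is in range. In kernel mode an
 * out-of-range idx reads past the table, the class of bug the article
 * describes. Shown for contrast only; nothing below calls it. */
uint32_t lookup_unchecked(const content_record_t *rec, uint32_t idx)
{
    return rec->fields[idx];
}

/* Hardened lookup: checks the declared count against the static table size,
 * then checks idx against the declared count, before touching memory.
 * A malformed update yields an error code instead of a fault. */
int lookup_checked(const content_record_t *rec, uint32_t idx, uint32_t *out)
{
    if (rec == NULL || out == NULL) return LOOKUP_BAD_RECORD;
    if (rec->field_count > MAX_FIELDS) return LOOKUP_BAD_RECORD;
    if (idx >= rec->field_count) return LOOKUP_BAD_INDEX;
    *out = rec->fields[idx];
    return LOOKUP_OK;
}

/* The same header check, as a user-mode update manager would run it before
 * handing a record to the kernel sensor. Returns 1 if acceptable. */
int validate_record(const content_record_t *rec)
{
    return rec != NULL && rec->field_count <= MAX_FIELDS;
}

/* Demo helper: build a record declaring `declared_fields` entries (not
 * clamped, so it can model a corrupt header), then look up idx. */
int probe(uint32_t declared_fields, uint32_t idx, uint32_t *out)
{
    content_record_t rec;
    memset(&rec, 0, sizeof rec);
    rec.field_count = declared_fields;
    for (uint32_t i = 0; i < MAX_FIELDS; i++) rec.fields[i] = 100 + i;
    return lookup_checked(&rec, idx, out);
}
```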
In a blog post, Microsoft also explained the built-in security features of the Windows operating system. These security features provide multiple layers of protection against malware and attack attempts. Microsoft will work with the anti-malware ecosystem through the Microsoft Virus Initiative (MVI) to leverage built-in Windows security features to further improve security and reliability.
Microsoft currently plans to:
Provide deployment guidance, best practices, and techniques that make security product updates safer to roll out.
Reduce the need for kernel drivers to access critical security data.
Provide enhanced isolation and tamper resistance through technologies such as the recently announced VBS islands.
Enable zero trust methods, such as high-integrity authentication, which determine the security status of a machine based on the health of Windows' native security features.
As of July 25, more than 97% of the Windows PCs affected by this issue are back online, and Microsoft is now looking at how to prevent such issues in the future. John Cable, Microsoft's vice president of Windows program management, recently published a blog post about the CrowdStrike incident, saying that Windows must prioritize change and innovation for end-to-end resiliency, which is what customers have come to expect from Microsoft.