Kinda. Yes. Apple moved away from deep kernel extensions years ago. They are no longer permitted on their latest releases.

Of course something like an EDR requires kernel-level access; otherwise it's too easy to bypass. But Apple has system extensions as a useful compromise. They're basically kernel-level APIs that can be called by validated, signed software. I think it's a good alternative to just allowing random code to run in the kernel.

The thing is, Apple has a habit of going to software vendors and saying: "We're changing this next year. There'll be a 2 year deprecation period and after that we'll lock you out. So change up or die off. We don't care."

Microsoft doesn't really do this, and even if it does, there are a lot of ifs and buts. They're much more receptive to the concerns of legacy software vendors because those vendors represent a much bigger share of their market, and the customer base that cares about legacy (the enterprise market) is also very big and vocal.

Needless to say this is also the customer base that got heavily hammered by what happened today. But nobody thinks about that until it actually happens.



Back around 2000 or 2001 McAfee or Symantec (I can’t remember) released some virus definitions that caused Macs to kernel panic repeatedly. I worked at a college at the time which required students run it, and had to deal with the fallout.

OS X was using Unix back then as well, and the foundational design didn’t save it. But like you mention, Apple does more to protect the underlying system today than they did back then. I can’t even remember the last kernel panic I had. They used to be a semi-regular occurrence.


Given the dates 2000/2001 you mentioned it sounds more like Classic Mac OS than Mac OS X (which wasn't released until March 24, 2001)


Sorry, my timeline was messed up. It was around 2004/5.

It was OS X for sure, Tiger to be specific.


> OS X was using Unix back then

IIRC OS X, and MacOS, are and have been certified UNIX for 20ish years.


There are Linux distributions that have been certified UNIX, it really doesn't mean anything anymore.


Back in Windows Vista, Microsoft removed access to the kernel, making the CrowdStrike incident impossible. Microsoft had stated that no companies would be allowed to access Vista's core for security reasons, but Symantec lodged an official complaint over the matter with the European Union and eventually Microsoft caved in.

https://arstechnica.com/information-technology/2006/10/7998/
