CrowdStrike's faulty update affected 8.5m Windows devices globally, Microsoft reveals
What's the story
The worldwide tech disruption, triggered by a faulty update from cybersecurity firm CrowdStrike, has affected 8.5 million Windows devices, according to Microsoft. Despite representing "less than one percent of all Windows machines," the impact was substantial enough to interrupt operations across various industries including retail, banking, and airlines. Separately, a technical breakdown released by CrowdStrike on Friday, explained what happened and why so many systems were affected simultaneously.
Technical breakdown
Faulty update triggers system crash, blue screen
Per CrowdStrike, the issue originated from a configuration file known as "Channel Files," which are integral to the Falcon sensor's behavioral protection mechanisms. CrowdStrike says the file was not a kernel driver but was responsible for "how Falcon evaluates named pipe execution on Windows systems." The problem surfaced when a sensor configuration update, triggered a logic error, resulting in a system crash. The affected devices were those running Falcon sensor for Windows 7.11 and above, that downloaded the updated configuration.
Joint effort
Tech giants collaborate to fix issue
Security researcher Patrick Wardle noted that CrowdStrike's channel file updates were pushed to computers, regardless of any settings meant to prevent such automatic updates. Microsoft's VP of Enterprise and OS Security, David Weston, stated in a blog post that Microsoft is working with CrowdStrike to develop a scalable solution. This collaboration aims to aid Microsoft's Azure infrastructure in accelerating a fix for the faulty update. Assistance has also been sought from Amazon Web Services (AWS) and Google Cloud Platform (GCP).
Misdirected update
The update was aimed at new cyberattack techniques
CrowdStrike explained that the sensor configuration update was designed to target newly observed malicious named pipes used by common C2 frameworks in cyberattacks. However, it instead triggered an operating system crash on devices running Windows 7.11 and above that use CrowdStrike's Falcon sensor. Microsoft emphasized the interconnected nature of the tech ecosystem, and the importance of operating with safe deployment and disaster recovery mechanisms.