CrowdStrike’s faulty update caused a worldwide technology disaster that affected 8.5 million Windows devices on Friday, according to Microsoft. Microsoft says this represents “less than one percent of all Windows machines,” but it was enough to create problems for retailers, banks, airlines, and many other industries, as well as everyone who depends on them.
CrowdStrike’s analysis explains the configuration file that was at the heart of the problem:
The configuration files mentioned above are called “Channel files,” and they are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to channel files are a normal part of sensor operation and occur several times a day in response to new tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been around since the beginning of Falcon.
CrowdStrike explained that the file is not a kernel driver, but is responsible for “how Falcon evaluates the execution of named pipes on Windows systems.” Security researcher and Objective See founder Patrick Wardle says the explanation aligns with previous analysis he and others have provided on the cause of the failure: the problem file, “C-00000291-”, “triggered a logic error that resulted in an operating system crash” (via CSAgent.sys).
Other excerpts from the CrowdStrike blog explain more about what went wrong:
On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update for Windows systems. Sensor configuration updates are an ongoing part of the Falcon platform’s protection mechanisms. This configuration update triggered a logic error, resulting in a system crash and blue screen (BSOD) on affected systems.
And which systems were affected and when:
Systems running the Falcon sensor for Windows 7.11 and higher that downloaded the updated configuration from 04:09 UTC to 05:27 UTC were susceptible to a system crash.
CrowdStrike channel file updates were pushed to computers regardless of any settings designed to prevent such automatic updates, Wardle noted.
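The susceptibility criteria quoted above (sensor 7.11 or higher, configuration downloaded between 04:09 and 05:27 UTC on July 19) are exactly what an incident responder needs to turn a fleet inventory into a list of exposed hosts. The following is an added triage example, not code from CrowdStrike or the article; the `Host` records, host names and sensor version strings are constructed, and the window bounds are treated as inclusive.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Criteria as stated in CrowdStrike's write-up: Falcon sensor for Windows 7.11
# or higher, and the configuration update downloaded 04:09-05:27 UTC, 2024-07-19.
MIN_SENSOR_VERSION = (7, 11)
WINDOW_START = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)


def parse_version(version: str) -> tuple:
    """Numeric tuple so that 7.9 < 7.11; plain string comparison gets this wrong."""
    return tuple(int(part) for part in version.split("."))


def in_window(ts: datetime) -> bool:
    """Inclusive check against the UTC window; naive timestamps are refused
    because a local-time reading silently shifts hosts in or out of the window."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return WINDOW_START <= ts.astimezone(timezone.utc) <= WINDOW_END


def is_susceptible(sensor_version: str, downloaded_at: datetime) -> bool:
    return parse_version(sensor_version) >= MIN_SENSOR_VERSION and in_window(downloaded_at)


@dataclass
class Host:
    name: str
    sensor_version: str
    config_downloaded_at: datetime


def triage(hosts) -> list:
    """Return the names of hosts that match both criteria."""
    return [h.name for h in hosts if is_susceptible(h.sensor_version, h.config_downloaded_at)]


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_HOSTS = [
    Host("ws-01", "7.11.0", datetime(2024, 7, 19, 4, 30, tzinfo=timezone.utc)),   # in window, new enough
    Host("ws-02", "7.9.2", datetime(2024, 7, 19, 4, 30, tzinfo=timezone.utc)),    # sensor too old
    Host("ws-03", "7.15.1", datetime(2024, 7, 19, 6, 0, tzinfo=timezone.utc)),    # after the window
    # Logged in UTC-4: 01:00 local is 05:00 UTC, inside the window.
    Host("ws-04", "7.15.1", datetime(2024, 7, 19, 1, 0, tzinfo=timezone(timedelta(hours=-4)))),
]

if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS))  # prints ['ws-01', 'ws-04']
```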