George Kurtz, CrowdStrike’s CEO, said in a post on X that CrowdStrike had deployed a fix for the issue. “This is not a security incident or cyberattack,” he wrote.
However, it is not clear how easily the affected systems can be fixed remotely, as the “Blue Screen of Death” is causing computers to crash on reboot before they can be updated.
London/New Delhi: A global tech failure disrupted operations across multiple industries on Friday, halting flights and upending everything from banking to healthcare systems.
WHAT HAPPENED?
CrowdStrike, a U.S. cybersecurity company with a market value of about $83 billion, is among the most popular in the world, counting more than 20,000 subscribers around the world, the company’s website shows.
According to an alert sent by CrowdStrike to its clients at 0530 GMT on Friday and reviewed by Reuters, its widely used “Falcon Sensor” software is causing Microsoft Windows to crash and display a blue screen, known informally as the “Blue Screen of Death”.
George Kurtz, CrowdStrike’s CEO, said in a post on X that CrowdStrike had deployed a fix for the issue. “This is not a security incident or cyberattack,” he wrote.
However, it is not clear how easily the affected systems can be fixed remotely, as the “Blue Screen of Death” is causing computers to crash on reboot before they can be updated.
“This means in this state, devices can’t be updated automatically, meaning manual intervention is required,” said Daniel Card, of UK-based cybersecurity consultancy PwnDefend.
Ciaran Martin, former head of the National Cyber Security Centre (NCSC), part of Britain’s GCHQ intelligence agency, said the scale of the problem was huge.
“This is not unprecedented, but I’m struggling to think of an outage at quite this scale. It has happened over the years, but this is one of the biggest. I think it’ll likely be short-lived because, the nature of the problem is actually quite simple”.
“But it’s very, very, very, very, big” he added.
WHY DID IT HAPPEN?
Accelerated by the COVID-19 pandemic, governments and businesses alike have become increasingly dependent on a handful of interconnected technology companies over the past two decades.
Experts say the cyber outage revealed the risks of an increasingly online world.
To protect their computer networks from being breached by hackers, many businesses use a cybersecurity product known as Endpoint Detection and Response, or EDR, which runs in the background of corporate machines, or “endpoints”.
Firms like CrowdStrike are able to use their EDR products as early warning systems for potential digital attacks, scan for viruses, and prevent hackers from gaining unauthorised access to corporate networks.
But, in this case, something in CrowdStrike’s code is conflicting with something in the code that makes Windows work, and causing those systems to crash, even after rebooting.
“With the move to the cloud and with companies like CrowdStrike owning huge market shares, their software is running on millions of computers around the world,” said Card.
WHO HAS BEEN IMPACTED?
The global tech outage has affected operations in different sectors internationally including at Spanish airports, U.S. airlines and Australian media and banks.
The governments of Australia, New Zealand, and a number of U.S. states are facing issues, while American Airlines, Delta Airlines, United Airlines, and Allegiant Air grounded flights citing communication problems.
In Britain, Sky News, one of the country’s major television news channels, was off air for hours on Friday before service was restored. As millions of Windows computers were left crippled for hours, disrupting the services of airlines, banks, hospitals and stock exchanges worldwide, cyber-security platform CrowdStrike on Saturday tried to explain what actually went wrong at their end.
According to the company which provides third-party security updates to the Satya Nadella-run tech giant, on July 19, at 9.30 a.m. (India time), it released a sensor configuration update to Windows systems.
Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform.
“This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems,” said CrowdStrike.
In a technical blog, the company said the sensor configuration update that caused the system crash was remediated at around 10.57 a.m.
“This issue is not the result of or related to a cyberattack,” it said.
Millions of customers running Falcon sensor for Windows version 7.11 and above that were online were impacted.
“Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration from 9.30 a.m. to 10.57 a.m. — were susceptible to a system crash,” the company said.
According to it, this is not a new process and the architecture has been in place since Falcon’s inception.
The update that occurred at 9.30 a.m. was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks.
The configuration update triggered a logic error that resulted in an operating system crash.
“CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes,” the company explained.
Systems that are not currently impacted will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.
“We understand how this issue occurred and we are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing,” said CrowdStrike.