A faulty CrowdStrike update caused a global tech disaster affecting 8.5 million Windows devices on Friday. Microsoft says that's “less than one percent of all Windows machines,” but it was enough to create problems for retailers, banks, airlines and many other industries, as well as everyone who depends on them.
CrowdStrike's breakdown explains the configuration file that was at the heart of the problem:
The configuration files mentioned above are called “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor. Channel file updates are a normal part of the sensor’s operation and occur multiple times per day in response to new tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.
CrowdStrike explained that the file is not a kernel driver, but is responsible for “how Falcon evaluates named pipe execution on Windows systems.” Patrick Wardle, a security researcher and founder of Objective-See, says (x.com/patrickwardle/status/1814583573111812304) that the explanation matches the earlier analysis he and others provided on the cause of the crash: the problematic file “C-00000291-” “triggered a logical error that resulted in an operating system crash” (via CSAgent.sys).
Other excerpts from CrowdStrike's blog explain more about what went wrong:
On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update for Windows systems. Sensor configuration updates are an ongoing part of the Falcon platform's protection mechanisms. This configuration update triggered a logic error that resulted in a system crash and a blue screen of death (BSOD) on affected systems.
And what systems were affected and when?
Systems running Falcon Sensor for Windows 7.11 and above that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to a system crash.
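As an added triage example (not code from CrowdStrike or from the original article), the following script turns the two conditions quoted above, sensor version 7.11 or later and a channel-file download between 04:09 and 05:27 UTC on 19 July 2024, into a check that can be run over an inventory. It assumes the responder already has a per-host sensor version string and a download timestamp from telemetry; the inventory rows and hostnames below are constructed. Two edge cases it guards against: comparing versions as strings (which ranks “7.9” above “7.11”) and comparing naive local timestamps against a UTC window.

```python
from datetime import datetime, timedelta, timezone

# Susceptibility window and minimum sensor version as stated in
# CrowdStrike's post-incident write-up (quoted on this page).
WINDOW_START = datetime(2024, 7, 19, 4, 9, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 7, 19, 5, 27, tzinfo=timezone.utc)
MIN_VERSION = (7, 11)


def parse_version(version: str) -> tuple:
    """Turn '7.11.18110' into (7, 11, 18110) so comparisons are numeric.
    Plain string comparison would wrongly rank '7.9' above '7.11'."""
    return tuple(int(p) for p in version.strip().split("."))


def on_outage_day(hour: int, minute: int, utc_offset_hours: int = 0) -> datetime:
    """Build a timezone-aware timestamp on 2024-07-19 in the given UTC offset.
    Helper for constructing sample data; real timestamps come from telemetry."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime(2024, 7, 19, hour, minute, tzinfo=tz)


def in_window(download_time: datetime) -> bool:
    """True if the channel-file download fell inside the published window.
    Naive datetimes are rejected: a local-time reading would shift the
    window by hours and misclassify hosts."""
    if download_time.tzinfo is None:
        raise ValueError("download_time must be timezone-aware (use UTC)")
    t = download_time.astimezone(timezone.utc)
    return WINDOW_START <= t <= WINDOW_END


def is_susceptible(sensor_version: str, download_time: datetime) -> bool:
    """Both published conditions must hold: version >= 7.11 and download in window."""
    return parse_version(sensor_version)[:2] >= MIN_VERSION and in_window(download_time)


def triage(inventory) -> list:
    """inventory: iterable of (hostname, sensor_version, download_time).
    Returns the hostnames that match both conditions."""
    return [host for host, version, when in inventory if is_susceptible(version, when)]


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ws-01", "7.11.18110", on_outage_day(4, 30)),        # in window, new enough
    ("ws-02", "7.9.17601", on_outage_day(4, 30)),         # in window, but below 7.11
    ("ws-03", "7.15.18513", on_outage_day(5, 28)),        # one minute after the window
    ("ws-04", "7.16.18605", on_outage_day(0, 30, -4)),    # 00:30 at UTC-4 == 04:30 UTC
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: susceptible, check for BSOD / boot loop")
```

The host `ws-04` is the case a local-time comparison would miss: its timestamp reads 00:30 in a UTC-4 zone, which is 04:30 UTC and squarely inside the window.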
CrowdStrike's channel file updates were pushed to computers regardless of any settings intended to prevent such automatic updates, Wardle pointed out (x.com/patrickwardle/status/1814367918425079934).