On Friday, July 19, businesses worldwide faced an unprecedented outage due to a faulty third-party update for Microsoft Windows released by cybersecurity firm CrowdStrike for its Falcon software.
As a result, computers with the software installed encountered the “blue screen of death” message, a critical error for Windows computers, rendering them inoperational. The update did not affect other operating systems such as Linux or Apple’s MacOS.
JOIN US ON TELEGRAM
Follow our coverage of the war on the @Kyivpost_official.
As Microsoft Windows remains the operating system of choice for most users globally, taking more than 70 percent of the market share as of April, the impact is consequential. The outage led to the cancellation of 4,295 flights worldwide, or 3.9 percent of all scheduled services, according to aviation data from Cirium; banks and television broadcasting also reported service disruptions as a result.
In the UK, a terminal cancer patient reportedly had her surgery canceled due to the outage.
In Ukraine, users of network operator Vodafone, as well as those of local banks Sense Bank and Monobank, all reported service disruption starting Friday morning.
What is CrowdStrike?
CrowdStrike is a US cybersecurity firm that develops security software for businesses. Its clients include more than half of the Fortune 1,000 companies, including eight out of 10 top 10 financial services firms, according to tech outlet Tech Crunch.
CrowdStrike specializes in endpoint security protection, meaning that its job is to look for potential malicious activities by monitoring networks and activities from connected devices such as phones and laptops.
‘Cannot Be Treated Seriously Yet’ – Expert on New US Provision of Antipersonnel Mines to Ukraine
Instead of scanning for malware like traditional anti-virus software, CrowdStrike takes a preemptive approach by detecting abnormal activities in the background, such as the programs being run and files being opened, which require high-level access to the system.
George Kurtz, CEO of CrowdStrike, has published a statement following the incident and acknowledged the causes.
“I want to sincerely apologize directly to all of you for the outage. All of CrowdStrike understands the gravity and impact of the situation. We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority.
“The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack,” Kurtz said.
It’s believed that Microsoft itself is among the clients of CrowdStrike, which might explain the issues related to some of its products, including Microsoft 365, on the day of the incident.
Solutions to the outage
Ukraine’s State Special Communications published instructions on Friday on reverting the CrowdStrike update.
For users affected by the update, they should boot up Windows in safe mode, then navigate to the folder where CrowdStrike is installed, which is “C:\Windows\System32\drivers\CrowdStrike” by default. After that, they should locate the file “C-00000291*.sys” and delete it, and finally restart the computer in normal mode.
However, since CrowdStrike is normally deployed by enterprises where user access to the system is restricted for security reasons, ordinary users might not be able to boot up Windows in safe mode without help from the IT administrator.
A manifold issue
The outage caused by CrowdStrike has highlighted multiple issues with the tech ecosystem today.
First of all, the fact that a cybersecurity firm published a faulty update should warrant some concern. While CrowdStrike’s CEO said the issue arose from a “content update,” meaning it could simply be a font update that went wrong, issues remain that an update from a cybersecurity firm was not thoroughly tested before going online.
So, what if an update actually creates a system vulnerability? That’s a question CrowdStrike would need to address to its clients.
Another issue, which is related to the former, is the fact that CrowdStrike, a third-party software, has high-level access to the system.
Faulty updates are not unheard of, but it’s believed that CrowdStrike was able to perform its intended functions by installing drivers on the kernel level, an access granted by Microsoft.
In simpler terms, the kernel level is the layer between the operating system and actual hardware. It enables complete control over all system resources and manages hardware communication, process execution and system security.
There have been incidents where hackers were able to load malicious kernel drivers by exploiting a Windows policy loophole.
The fact that a third-party software has high-level access and ended up potentially bricking the systems as a result exposes another vulnerability that both Microsoft and CrowdStrike would likely need to address.
The last issue is the fact that enterprises often utilize multiple security practices to protect their systems from unauthorized access, which might end up complicating the recovery process.
“The fun part is a lot of companies paired Crowdstrike with Bitlocker, which prevents them from booting into safe mode without their recovery keys. Which they safely stored on a different computer which also… Well,” explained a social media user on Threads.
You can also highlight the text and press Ctrl + Enter