A faulty update to CrowdStrike caused a global technical disaster that affected 8.5 million Windows devices on Friday, according to Microsoft. Microsoft says this is “less than one percent of all Windows machines,” but it’s enough to cause problems for retailers, banks, airlines, and many other industries—and everyone who relies on them.
CrowdStrike’s breakdown explains the file at the heart of the problem:
The configuration files described above are called “Channel Files” and are part of the behavioral protection mechanism used by the Falcon sensor. Updates to Channel Files are a normal part of sensor operation and occur several times per day in response to novel tactics, techniques and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.
CrowdStrike explains that this file is not a kernel driver, but is responsible for “how Falcon evaluates named pipe execution on Windows systems.” Security researcher and Objective-See founder Patrick Wardle said this explanation is consistent with the analysis he and others had already published on the cause of the crash: the problematic file, “C-00000291-”, triggered the operating system crash (a “logic error” in CSAgent.sys).
Other excerpts from the CrowdStrike blog explain the problem in detail:
On July 19, 2024 at 04:09 UTC, CrowdStrike released a sensor configuration update for Windows systems as part of ongoing operations. Sensor configuration updates are an ongoing part of the Falcon platform’s protection mechanism. This configuration update triggered a logic error that resulted in a crash and blue screen of death (BSOD) on the affected systems.
Which systems are affected and when:
Systems running the Falcon sensor for Windows, version 7.11 and above, that downloaded the updated configuration between 04:09 and 05:27 UTC were susceptible to a system crash.
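The two criteria above (sensor 7.11 or later, channel file pulled between 04:09 and 05:27 UTC) can be turned into a triage check for the hosts that are still reachable. The script below is an added example, not code from the article, CrowdStrike or Microsoft. It assumes the channel files live under C:\Windows\System32\drivers\CrowdStrike, that the sensor version can be read from the file version of CSAgent.sys, and that a channel file’s LastWriteTimeUtc approximates when the sensor downloaded it; all three are assumptions, not facts from the article.

```powershell
# Added example (not from the article, CrowdStrike or Microsoft). Reports whether the
# C-00000291 channel file on this host was written inside the 04:09-05:27 UTC window.
# Assumptions:
#   - channel files live in C:\Windows\System32\drivers\CrowdStrike (assumed path)
#   - CSAgent.sys carries the sensor version in its file version (assumed)
#   - a file's LastWriteTimeUtc approximates when the sensor pulled it down (assumed)
$csDir = 'C:\Windows\System32\drivers\CrowdStrike'   # assumed path

$windowStart = [datetime]::SpecifyKind([datetime]'2024-07-19 04:09:00', [DateTimeKind]::Utc)
$windowEnd   = [datetime]::SpecifyKind([datetime]'2024-07-19 05:27:00', [DateTimeKind]::Utc)

# Sensor version: the article puts 7.11 and above in scope. A missing CSAgent.sys
# means "unknown", not "safe".
$agent = Join-Path $csDir 'CSAgent.sys'
$sensorVersion = if (Test-Path $agent) { (Get-Item $agent).VersionInfo.FileVersion } else { 'unknown' }

$report = Get-ChildItem -Path $csDir -Filter 'C-00000291*.sys' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $written = $_.LastWriteTimeUtc
        [pscustomobject]@{
            Host        = $env:COMPUTERNAME
            Sensor      = $sensorVersion
            ChannelFile = $_.Name
            WrittenUtc  = $written.ToString('yyyy-MM-dd HH:mm:ss')
            # $true means the file landed inside the window the article gives. The
            # 05:27 endpoint is excluded: that is when the window closes, not part of it.
            InBadWindow = ($written -ge $windowStart -and $written -lt $windowEnd)
        }
    }

if (-not $report) {
    Write-Warning "No C-00000291*.sys found under $csDir (the path is an assumption; check the sensor install location)."
} else {
    $report | Format-Table -AutoSize
}
```

Run it from an elevated prompt on hosts that are still up; a host already stuck in a BSOD loop cannot run it, so its value is in triaging the rest of the fleet. A host that was offline during the window and came back later would have pulled whatever the sensor served afterwards and will show a later timestamp, so InBadWindow = $false says only that this host did not take the update in that window, not that it is unaffected by anything else.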
Wardle noted that CrowdStrike’s channel file updates are pushed to computers regardless of any settings designed to prevent such automatic updates.