CrowdStrike outlines just what went wrong with its update — as many systems around the world are now back up

(Image credit: Shutterstock / rafapress)

On 19 July, CrowdStrike pushed an update to Windows systems that caused a blue-screen-of-death (BSOD) across millions of devices running the OS across the world, resulting in widespread outages across banking, airports, and health services.

The company fixed the issue the same day, and in a LinkedIn post, said of the approximately 8.5 million Windows devices thought to be impacted, "a significant number" are now back online and operational.

CrowdStrike, which provides antivirus for Windows devices, has now released the full technical details of how and why the disruption happened.

What happened?

CrowdStrike pushed a sensor configuration update for Windows systems that caused a logic error, resulting in the infamous BSOD. Any computer that was running Falcon sensor for Windows version 7.11 and above that was online from when the update was pushed live to when the update was ceased may have been affected.

The update was live for just 1.3 hours, but the damage was already done to millions of Windows devices that automatically updated.

“The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor,” CrowdStrike said in a statement. “Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.”

CrowdStrike further explained that the logic error was caused by content in Channel File 291, which is responsible for controlling how the Falcon sensor evaluates named pipe execution. “Named pipes are used for normal, interprocess or intersystem communication in Windows,” the statement continued. “The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks.”

Linux and macOS systems were not affected by the Falcon update as they do not use Channel File 291. CrowdStrike urged customers to contact them directly if they have specific support needs, and to consult their blog and Support Portal.

More from TechRadar Pro

These are the best internet security suites
Kaspersky gives US customers six months free security software as a farewell
Take a look at our guide to the best endpoint protection

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.