CrowdStrike outlines just what went wrong with its update — as many systems around the world are now back up

News
By
published

The CrowdStrike update that crashed the world

Crowdstrike logo
(Image credit: Shutterstock / rafapress)

On 19 July, CrowdStrike pushed an update to Windows systems that caused a blue-screen-of-death (BSOD) across millions of devices running the OS across the world, resulting in widespread outages across banking, airports, and health services.

The company fixed the issue the same day, and in a LinkedIn post, said of the approximately 8.5 million Windows devices thought to be impacted, "a significant number" are now back online and operational.

CrowdStrike, which provides antivirus for Windows devices, has now released the full technical details of how and why the disruption happened.

What happened?

CrowdStrike pushed a sensor configuration update for Windows systems that caused a logic error, resulting in the infamous BSOD. Any computer that was running Falcon sensor for Windows version 7.11 and above that was online from when the update was pushed live to when the update was ceased may have been affected.

The update was live for just 1.3 hours, but the damage was already done to millions of Windows devices that automatically updated.

“The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor,” CrowdStrike said in a statement. “Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.”

CrowdStrike further explained that the logic error was caused by content in Channel File 291, which is responsible for controlling how the Falcon sensor evaluates named pipe execution. “Named pipes are used for normal, interprocess or intersystem communication in Windows,” the statement continued. “The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks.”

Linux and macOS systems were not affected by the Falcon update as they do not use Channel File 291. CrowdStrike urged customers to contact them directly if they have specific support needs, and to consult their blog and Support Portal.

More from TechRadar Pro

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focusing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.