The Microsoft Global Outage

Jul 20, 2024

BSOD - Blue screen of death

Who is CrowdStrike and what does it do?

CrowdStrike is a cybersecurity firm founded in 2011 by George Kurtz, Dmitri Alperovitch and Gregg Marston, now headquartered in Austin, Texas, US. Its cloud-delivered Falcon platform protects endpoints, cloud workloads, identities and data, and its customers include tech giants such as Amazon's AWS as well as airlines and banks.

What happened, and when?

On July 19th, 2024, a routine configuration update that CrowdStrike released for its Falcon sensor on Windows caused a major global outage. Businesses across many sectors, including airlines, banks and healthcare providers, were significantly affected: flight delays, disruptions to stock trading and interruptions to other critical services were reported.

Timeline of the issue

On Friday July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows hosts. Such updates are routine: the Falcon sensor receives new configuration content continuously, because monitoring for new threat behaviour is a continuous process. This particular update contained a logic error, and on every Windows host that loaded it the sensor triggered a system crash, shown as the blue screen of death (BSOD).

On Friday July 19, 2024 at 05:27 UTC, CrowdStrike reverted the faulty channel file content, so hosts that came online after that point received the corrected file. The rollback did not repair hosts that had already crashed: a host stuck in a boot loop could not download the fix and had to be remediated manually.

How would CrowdStrike be distributing the updates?

CrowdStrike can use various deployment mechanisms, including:

Push Model: In this model, CrowdStrike pushes updates to all connected endpoints simultaneously.

Pull Model: Endpoints periodically check for updates and pull them from the central server.

The choice of model depends on the organization’s configuration and security policies.

(The specific method used for this update (push or pull) isn't publicly available.)

Impact

Customers running Falcon sensor for Windows version 7.11 and above that were online between Friday, July 19, 2024 04:09 UTC and 05:27 UTC, and therefore downloaded the faulty configuration, may have been impacted; such hosts were susceptible to a system crash. Hosts that were offline during that window, or that first came online after the content was reverted, received the corrected file and were not affected.

The configuration files mentioned above are called "channel files" and carry behavioural detection content for CrowdStrike's Falcon sensor; on Windows they live in %WINDIR%\System32\drivers\CrowdStrike with names such as C-00000291-*.sys (despite the .sys extension they are content files, not kernel drivers). Channel File 291 controls how the sensor evaluates named pipe execution on Windows. The update to Channel File 291 released at 04:09 UTC contained a logic error; when the Windows sensor loaded it, the host crashed with the blue screen of death (BSOD). Because the sensor loads the same file again at boot, affected machines fell into a crash-and-reboot loop or dropped into recovery mode; users reported their systems rebooting roughly every 7 to 10 minutes.
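
The check below is an added example, not code from the original post or from CrowdStrike; it applies the timestamp rule CrowdStrike published for telling the two versions of Channel File 291 apart (a C-00000291*.sys written at 2024-07-19 04:09 UTC is the problematic version; one written at 05:27 UTC or later is the reverted, good version) and, with -Remove, performs CrowdStrike's published manual workaround of deleting the problematic file from Safe Mode or the Windows Recovery Environment. The function and parameter names are this example's own.

```powershell
<#
  Added example (not from the original post or CrowdStrike's tooling).
  Reports which version of Channel File 291 a Windows host holds, using the
  timestamp rule from CrowdStrike's remediation guidance:
    - C-00000291*.sys written 2024-07-19 04:09 UTC          -> problematic
    - C-00000291*.sys written 2024-07-19 05:27 UTC or later -> reverted (good)
  With -Remove it deletes the problematic file, which was CrowdStrike's
  published manual workaround; run that only from Safe Mode / WinRE.
  Function and parameter names are this example's own.
#>
function Test-ChannelFile291 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Windows directory of the OS being checked. From WinRE point this at
        # the offline volume (for example D:\Windows), not WinRE's own X:\Windows.
        [string]$WindowsRoot = $env:WINDIR,
        [switch]$Remove
    )

    $dir = Join-Path $WindowsRoot 'System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "No CrowdStrike driver directory at $dir (sensor not installed?)"
        return
    }

    # Times from the advisory are given to the minute, so compare at minute precision.
    $badStamp   = [datetime]::new(2024, 7, 19, 4, 9, 0, [DateTimeKind]::Utc)
    $fixedStamp = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'C-00000291*.sys' -File)
    if ($files.Count -eq 0) {
        Write-Warning "No Channel File 291 present in $dir"
        return
    }

    foreach ($f in $files) {
        $written = $f.LastWriteTimeUtc
        $minute  = [datetime]::new($written.Year, $written.Month, $written.Day,
                                   $written.Hour, $written.Minute, 0, [DateTimeKind]::Utc)

        $isBad = ($minute -eq $badStamp)
        if ($isBad) {
            $status = 'PROBLEMATIC (04:09 UTC version)'
        } elseif ($written -ge $fixedStamp) {
            $status = 'reverted/good (05:27 UTC or later)'
        } else {
            $status = 'not the 04:09 UTC version (host missed the faulty update)'
        }

        # Emit one record per file so the output can be collected fleet-wide.
        [pscustomobject]@{
            File       = $f.FullName
            WrittenUtc = $written.ToString('u')
            Status     = $status
        }

        if ($Remove -and $isBad -and
            $PSCmdlet.ShouldProcess($f.FullName, 'Delete problematic Channel File 291')) {
            Remove-Item -LiteralPath $f.FullName -Force
            Write-Warning "Deleted $($f.FullName); boot normally so the sensor fetches the reverted file."
        }
    }
}

# Report only (safe on a running host):
Test-ChannelFile291
# From WinRE, against an offline system volume, previewing the deletion first:
# Test-ChannelFile291 -WindowsRoot 'D:\Windows' -Remove -WhatIf
```

Because the function supports -WhatIf, the deletion can be rehearsed before it is performed. On a BitLocker-protected host the recovery key is needed before WinRE can read the system volume at all, which is what made remediation so slow at scale.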

These failures were concentrated in corporate environments where the Falcon sensor was installed; home PCs, which normally do not run CrowdStrike software, were not affected.

The big question

The big question is whether systems should be so tightly interconnected that a single update, released in one part of the world, can bring down systems globally and disrupt the operations of multiple industries.

Source: https://www.crowdstrike.com and other sources
