CrowdStrike Says Logic Error Caused Windows BSOD Chaos

CrowdStrike late Friday said a routine sensor configuration update pushed to Windows systems on July 19, 2024 at 04:09 UTC triggered a logic error that blue-screened critical computer systems around the world.

The company reiterated that the issue was not linked to a cyberattack but confirmed that millions of customers running its Falcon sensor for Windows found their computer systems in a BSOD (blue screen of death) reboot loop.

From the CrowdStrike technical documentation:

“The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash. 

“CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.”

The anti-malware vendor published remediation recommendations and said systems that are not currently impacted “will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.”

“We understand how this issue occurred and we are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process,” the company said.

In the midst of chaotic scenes at airports and hospitals caused by the CrowdStrike update, the US cybersecurity agency CISA said it was working closely with federal, state, local, tribal and territorial (SLTT) partners, as well as critical infrastructure and international partners to assess impacts and support remediation efforts. 

The agency echoed CrowdStrike’s statements that the issue does not impact Mac and Linux hosts and was “not due to malicious cyber activity.”

“Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links,” the agency said.
