Microsoft Windows Blue Screen on 19th July 2024: CrowdStrike Falcon Update Triggered Outage
On Friday 19th July 2024, around 03:30 PM AEST, I was standing in the queue at a self-checkout counter waiting to pay for drinks and lunch when suddenly every self-checkout screen turned blue. All customers were asked to go to the counter served by staff. While standing in that queue I watched the TV on the wall reporting that airport services around the world were disrupted. Banks, police services and many other businesses were hit by the Microsoft Blue Screen of Death.
Microsoft Blue Screen of Death
What Went Wrong on 19th July 2024?
Globally, around 72% of desktop devices run Microsoft Windows, followed by Apple's macOS at about 14.7%, with Linux and Google's ChromeOS making up a small share. On 19 July 2024 many Windows computers around the world stopped working and showed blue screens. This caused major problems for airlines, banks and other customer-facing businesses that deliver information to customers through kiosks, displays or computers running Windows.
The issue was not a hacker attack. It was caused by a routine content update to a product called CrowdStrike Falcon, made by the cybersecurity company CrowdStrike.
CrowdStrike Falcon installs a monitoring agent (the Falcon sensor) on Windows computers to monitor activity on the machine.
When CrowdStrike pushed the update, the Windows computers that received it crashed. The crash shows up as the blue error screen that people call the "Blue Screen of Death" (BSOD).
This affected travellers, consumers, government staff, large corporations and many others, because most computers in the world run Windows.
The crash only occurred on Windows hosts whose Falcon agent downloaded the defective update during the window before it was withdrawn; machines that were offline at the time, or that run macOS or Linux, were not affected.
The number of affected machines was so large that it halted important activities such as air travel, hospital work and stock trading.
What is CrowdStrike?
CrowdStrike Falcon is a comprehensive endpoint/device protection platform developed by CrowdStrike, a cybersecurity company. It provides a range of capabilities aimed at detecting, preventing, and responding to cyber threats on endpoints (such as laptops, desktops, servers) within organizations. Here are some key features and aspects of CrowdStrike Falcon:
- Endpoint Protection: Falcon offers real-time, next-generation antivirus protection using machine learning and behavioral analysis to detect and block malware and other threats.
- Endpoint Detection and Response (EDR): It includes EDR capabilities that allow security teams to investigate and respond to incidents on endpoints. This includes the ability to analyze endpoint activity, hunt for threats, and conduct forensic investigations.
- Threat Intelligence: CrowdStrike Falcon leverages CrowdStrike’s Threat Graph, a cloud-based graph database that stores and correlates threat data from millions of endpoints worldwide. This enables Falcon to provide context and intelligence about potential threats.
- Cloud-Native Architecture: Falcon is built on a cloud-native architecture, which means it leverages the scalability and flexibility of cloud computing. This allows for rapid updates and deployment of new features, as well as the ability to handle large volumes of data efficiently.
- Managed Detection and Response (MDR): CrowdStrike also offers a Managed Detection and Response service alongside Falcon, providing additional support and expertise for organizations that need help managing and responding to security incidents.
Why did CrowdStrike cause a BSOD on machines running Microsoft Windows?
The BSOD is specific to Microsoft Windows: it is how Windows reports a fatal error (a "bug check") inside the operating system itself. Windows manages the device hardware (CPU, memory, input/output devices) through its kernel. The kernel is like the brain of a computer. It does several important jobs:
- Memory management: It gives out memory to programs when they need it and takes it back when they’re done. It also keeps track of which program is using what memory.
- Process management: It makes sure all the different programs can run at the same time without causing problems for each other.
- Device management: It helps the computer talk to things like the screen, mouse, keyboard, and printer.
- File system management: It keeps all the files on your computer organized.
Software on a computer runs in one of two modes:
- Kernel Mode: the program has full access to the computer's resources and runs inside the operating system, alongside the kernel and device drivers.
- User Mode: the normal way most programs run, with limited access to the computer's resources for safety reasons.
The distinction matters for what happens when code fails. An unhandled fault in a user-mode program terminates only that program; Windows keeps running. An unhandled fault in kernel mode leaves the operating system in an unknown state, so Windows halts the whole machine and shows the Blue Screen of Death. A bug in a kernel-mode agent can therefore take down the entire computer, where the same bug in a user-mode program would only crash itself.
CrowdStrike Falcon is installed on a Windows machine as an agent. The agent collects data from the machine and sends it to the CrowdStrike Cloud Platform, where the data is analysed to detect threats and malicious files. The Falcon agent runs in the background while users are using the machine.
The Falcon agent's sensor runs on Windows in kernel mode, as a kernel driver. The key activities it monitors are (a) network traffic, (b) files and access to them, and (c) device driver activity.
The Falcon agent also updates itself silently in the background. The updates are pushed from the CrowdStrike Cloud Platform on CrowdStrike's schedule, independently of the Windows update process, so a single push reaches every online host within minutes.
On 19 July 2024 at 04:09 UTC the CrowdStrike Cloud Platform pushed an update that included a channel file named C-00000291*.sys. Although channel files carry the .sys extension, they are not kernel drivers; they are configuration content that the kernel-mode sensor loads and interprets. Because the sensor processes this content in kernel mode, a fault while handling the defective file crashed the whole operating system, and the Windows hosts whose Falcon agent downloaded the file showed a BSOD.
CrowdStrike published an official technical update on its website on 20 July 2024, addressing the issue, at this link:
https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/
What was the fix?
CrowdStrike identified that a specific channel file in the update was causing the crash, reverted the change and pushed the corrected file.
- The defective version was pushed at 04:09 AM UTC on 19 July 2024.
- The reverted (fixed) version was released at 05:27 AM UTC on 19 July 2024.
Hosts that were already crashing could not download the corrected file on their own, because the sensor never stayed up long enough to reach the cloud. CrowdStrike's published workaround for those machines was manual: boot into Safe Mode or the Windows Recovery Environment, delete the file matching C-00000291*.sys from the CrowdStrike driver directory under Windows\System32\drivers, and reboot normally so the sensor fetches the reverted file. This hands-on step, repeated per machine, is why the clean-up took days rather than the 78 minutes between the two pushes.
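As an added example, not CrowdStrike's own tooling and not part of the original page, the following PowerShell script applies the timestamp rule from CrowdStrike's technical details post to triage a host: a C-00000291*.sys written before 05:27 UTC on 19 July 2024 is the defective version, one written at or after that time is the reverted version. The script name, the default driver directory path and the -Remove switch are this example's assumptions.

```powershell
<#
Added example (not CrowdStrike's own tooling): triage, and optionally remove, the defective
Channel File 291 on a Windows host, using the timestamps from CrowdStrike's technical details post.
Usage (elevated PowerShell, or from Safe Mode on a host that is boot-looping):
  .\Check-ChannelFile291.ps1            # report only
  .\Check-ChannelFile291.ps1 -Remove    # delete the defective copy, then reboot normally
Assumptions: the Falcon driver directory is under the running Windows installation (override
-DriverDir when working from recovery media), and the host clock was correct when the file was written.
#>
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers\CrowdStrike",
    [switch]$Remove
)

# The reverted channel file was published at 05:27 UTC on 19 July 2024; anything written
# before that is treated as the defective 04:09 UTC version.
$revertedAt = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

if (-not (Test-Path -LiteralPath $DriverDir)) {
    Write-Warning "Directory not found: $DriverDir (Falcon sensor may not be installed)"
    return
}

$files = @(Get-ChildItem -LiteralPath $DriverDir -Filter 'C-00000291*.sys' -File)
if ($files.Count -eq 0) {
    Write-Output "No C-00000291*.sys channel file present in $DriverDir"
    return
}

foreach ($f in $files) {
    $status = if ($f.LastWriteTimeUtc -lt $revertedAt) { 'DEFECTIVE' } else { 'OK' }

    # Emit one object per file so the result can be piped, exported or collected by a fleet tool.
    [pscustomobject]@{
        File       = $f.FullName
        WrittenUtc = $f.LastWriteTimeUtc.ToString('u')
        Status     = $status
    }

    if ($status -eq 'DEFECTIVE' -and $Remove) {
        # Deleting the content file is the documented manual workaround; on the next normal
        # boot the sensor reconnects to the cloud and downloads the reverted channel file itself.
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Output "Removed $($f.Name); reboot normally."
    }
}
```

Two caveats when using this on a real fleet: on a BitLocker-protected machine the recovery environment cannot read the system volume without the BitLocker recovery key, so the key must be retrieved from the escrow location (for example Active Directory or Entra ID) before the file can be deleted; and a host that stays up long enough after boot to reach the CrowdStrike cloud will fetch the reverted file without any manual step, so the report-only run is worth doing before deleting anything.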
Summary
In today's world, where Information Technology driven tools and devices deliver a major part of consumer, commercial and government services, the reliance on cybersecurity tools has become critical. Cybersecurity vendors build tools that run on operating systems created by other companies and projects (Microsoft Windows, Apple macOS, ChromeOS, Linux, Junos, IRIX etc.), and when such a tool runs in kernel mode its update channel effectively becomes part of the operating system's trusted base: a defect there fails the whole machine, not just the tool. A single defective update from CrowdStrike disabled over 8 million computers worldwide (Microsoft put the figure at about 8.5 million). The loss of revenue and the outage of services were huge, but the loss of productivity and the wasted resources, including the man-hours spent fixing 8 million-plus devices one by one, were staggering. Microsoft, which suffered the consequences of a third party's defect, released a statement to help its customers; it is available on the link.