Enterprises worldwide are facing extensive disruptions to their Windows setups following a flawed update introduced by security firm CrowdStrike.
In a declaration, George Kurtz, the CEO of CrowdStrike, stated, “CrowdStrike is in active collaboration with affected customers due to a flaw discovered in a single content update for Windows systems. Mac and Linux systems remain unaffected. This does not constitute a security incident or cyberattack.”
After acknowledging the “Blue Screens of Death” issue on Windows machines, the company has resolved the problem and deployed a fix for its Falcon Sensor product. Affected customers are advised to visit the support portal for the latest updates.
For machines already impacted by the glitch, the following steps for mitigation are provided:
- Initiate Windows in Safe Mode or Windows Recovery Environment
- Locate the “C-00000291*.sys” file within `C:\Windows\System32\drivers\CrowdStrike` and remove it
- Restart the system or server normally
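The three steps above, as an added PowerShell example that is not CrowdStrike's own tooling and not part of the original article: it locates the channel file named in the advisory under the CrowdStrike driver directory, shows what it found, and removes only that file, leaving the sensor driver itself alone. It is meant to be run from an elevated PowerShell prompt in Safe Mode, or from the Windows Recovery Environment command prompt where PowerShell is available. The `-SystemDrive` parameter is an assumption of this script, added because in WinRE the OS volume is frequently mounted under a letter other than `C:`; `-WhatIf` performs a dry run.

```powershell
<#
  Added example (not CrowdStrike's script): remove the faulty
  C-00000291*.sys channel file described in the remediation steps.
  Run from Safe Mode or WinRE; pass -WhatIf first to see what would be removed.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed parameter: the OS volume letter, which is often not C: inside WinRE.
    [string]$SystemDrive = 'C:'
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'

if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Host "CrowdStrike driver directory not found at $driverDir."
    Write-Host "If you are in WinRE, check the drive letter of the OS volume and pass it with -SystemDrive."
    exit 1
}

# Match only the channel file named in the advisory, never csagent.sys or other driver files.
$faulty = Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File -ErrorAction SilentlyContinue

if (-not $faulty) {
    Write-Host "No C-00000291*.sys file found in $driverDir; nothing to remove."
    exit 0
}

foreach ($file in $faulty) {
    Write-Host ("Found {0} ({1} bytes, last modified {2:u})" -f $file.FullName, $file.Length, $file.LastWriteTimeUtc)
    # ShouldProcess honours -WhatIf and -Confirm, so the dry run prints instead of deleting.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove faulty CrowdStrike channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force
        Write-Host "Removed $($file.FullName)"
    }
}

Write-Host "Done. Restart the system normally (Restart-Computer) to complete the recovery."
```

Usage: `.\Remove-FaultyChannelFile.ps1 -WhatIf` to list what would be deleted, then run it again without `-WhatIf`; from WinRE, add `-SystemDrive D:` (or whichever letter the OS volume received). Recording the file's size and modification time before deletion gives you an artifact for the root-cause investigation that the article's commentators call for.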
Additionally, the incident has affected Google Cloud Compute Engine, causing Windows virtual machines that use CrowdStrike’s csagent.sys to crash and reboot unexpectedly.

It was stated that Windows VMs receiving the defective patch from CrowdStrike fail to reboot after crashing. However, currently running Windows VMs are no longer impacted.
Microsoft Azure has reported a similar scenario, in which affected virtual machines have recovered after repeated restart attempts, noting that several reboots may be required.
Amazon Web Services (AWS) has taken measures to mitigate the issue for as many Windows instances, Windows WorkSpaces, and AppStream applications as possible, and has advised affected customers on restoring connectivity.
Kevin Beaumont, a security researcher, revealed, “I have acquired the CrowdStrike driver pushed via auto update, and the file, for unknown reasons, is not a valid driver format causing consistent Windows crashes.”
“CrowdStrike’s EDR product is widely deployed, protecting systems from point of sale to ATMs, hence this incident may have far-reaching consequences on a global scale,” he added.
Various industries such as airlines, financial institutions, food chains, hospitals, hotels, news outlets, railways, and telecom companies are listed as being among the numerous businesses impacted. CrowdStrike’s shares plummeted by 15% in U.S. premarket trading.
Omer Grossman, the Chief Information Officer (CIO) at CyberArk, commented, “The ongoing event seems to be one of the most significant cyber incidents of 2024. The global impact on business processes is substantial, caused by a bug in CrowdStrike’s EDR product.”
“This product, operating with elevated privileges to protect endpoints, experienced a malfunction leading to system crashes as seen in the current scenario,” Grossman explained.
Grossman further highlighted that rectifying the issue will be a manual process, requiring endpoints to be addressed individually in Safe Mode to remove the faulty driver. He emphasized that investigating the root cause behind the malfunction will be crucial.
Providing insight, Jake Moore, the global security advisor at ESET, noted that the incident underscores the necessity of implementing multiple safety measures and diversifying IT infrastructure.
“System upgrades and maintenance can unintentionally introduce minor errors with wide-reaching implications, as seen with CrowdStrike’s customers today,” Moore stated.
“Another important aspect to consider is the ‘diversity’ in large-scale IT infrastructure usage. This applies to critical systems like operating systems (OSes), cybersecurity products, and other globally deployed applications. In scenarios with low diversity, a single technical issue, not to mention a security breach, can result in global-scale outages and subsequent cascading effects,” he added.
The timing coincides with Microsoft recovering from a separate outage affecting Microsoft 365 apps and services, including Defender, Intune, OneNote, OneDrive for Business, SharePoint Online, Windows 365, Viva Engage, and Purview.
Detailing the incident, the tech giant explained, “A configuration alteration within a segment of our Azure backend workloads disrupted connectivity between storage and compute resources, leading to connectivity issues affecting downstream Microsoft 365 services reliant on these connections.”
Emphasizing the implications, Omkhar Arasaratnam, the general manager of OpenSSF, highlighted the fragility of monocultural supply chains exposed by the Microsoft and CrowdStrike outages, and the urgency of diversifying tech stacks to improve resilience and security.
“Monocultural supply chains with a single operating system or endpoint detection and response tool are inherently fragile and at risk of systemic faults, exemplified by recent events,” Arasaratnam emphasized. “This necessitates a gradual rollout of system changes to observe impacts incrementally, as opposed to sudden changes. Diverse ecosystems can withstand rapid transformations, being resilient to systemic issues.”
