CrowdStrike Provides Update on Cause of Global Windows Crash


On Friday, July 19, 2024, the cybersecurity firm CrowdStrike released an update for its Falcon Sensor endpoint detection and response software that caused havoc worldwide, rendering Windows devices non-functional and leaving them in endless boot loops showing the Blue Screen of Death. Microsoft was quick to confirm that the fault was not in Windows itself and said its telemetry showed that 8.5 million Windows devices worldwide had been affected, which could make this the largest IT outage in history.

The security software is used by many enterprises, including around half of all Fortune 500 firms. The crashes caused by the update caused chaos. Airlines canceled flights, financial firms faced major disruption, and healthcare providers were prevented from accessing patients’ electronic medical records. To ensure patient safety, many hospitals were forced to switch to pen and paper for recording patient information and canceled or rescheduled appointments.

CrowdStrike rapidly identified the problem and issued a fix; however, while the instructions for correcting the issue were straightforward for IT staff, the process did not lend itself to automation. Affected hosts were stuck in a boot loop, so the sensor could not pull down a corrected file on its own, and the workaround had to be applied by hand on every affected device. CrowdStrike reports that a significant number of the affected devices have now been fixed, although disruption is continuing around the world.

On top of that, cybercriminals were quick to take advantage of the chaos. There has been an increase in newly registered domains impersonating CrowdStrike, such as crowdstrikebluescreen[dot]com and crowdstrikefix[dot]com, which are being used to target IT professionals, and phishing campaigns are using lures related to the outage to steal credentials and infect devices with malware. Some of the campaigns identified in the first few hours after the problem surfaced distributed .zip attachments containing remote access trojans and Word document attachments that delivered information stealers.

Questions have been asked about how a leading cybersecurity company could have made such a fundamental error as not fully testing an update before release. CrowdStrike CEO George Kurtz has been called to testify to Congress about how such a catastrophic error occurred, and customers have been waiting for a detailed explanation of exactly what went wrong. CrowdStrike has now provided an update following a preliminary Post Incident Review (PIR) and has confirmed that the issue was a faulty Channel File 291 affecting Falcon Sensor for Windows version 7.11 and above. The file was released at 04:09 UTC as part of CrowdStrike's regular operations, as a Rapid Response Content configuration update intended to let the Windows sensor gather telemetry on possible novel threat techniques; instead, the update caused a Windows system crash on every host that downloaded it before it was reverted at 05:27 UTC. Mac and Linux hosts were unaffected.
</gml_replace>
<gr_replace lines="15" cat="clarify" orig="The update was">
The update was intended to add new detection capability to the sensor and was delivered as an instance of an Inter-Process Communication (IPC) Template Type. Rapid Response Content of this kind is a proprietary binary file, not code or a kernel driver: it is data that maps to specific behaviors for the sensor to observe, detect, or prevent. The IPC Template Type itself was stress-tested on March 5, 2024, across a variety of operating systems and workloads, and three further IPC Template Instances were deployed in April without any problems. On Friday, however, two new IPC Template Instances were pushed out, and because of a bug in the Content Validator one of them passed validation despite containing problematic content data. When the sensor received the faulty file, it was loaded into the Content Interpreter, and the problematic content in Channel File 291 triggered an out-of-bounds memory read. The resulting exception could not be handled gracefully, and the Windows host crashed.

The update was intended to add new functionality to the sensor and was delivered via an InterProcessCommunication (IPC) template type. This was delivered via a proprietary binary file rather than code or a kernel driver, which maps to specific behaviors for the sensor to observe, detect, or prevent.ย The new IPC template type was stress-tested on March 5, 2024, using a variety of operating systems and workloads, and three further IPC templates were delivered in April without any problems. However, on Friday, when a further two new IPC templates were pushed out, one passed validation tests despite containing problematic content data. When the sensor received the faulty IPC, it was loaded into the Content Interpreter, and the faulty content in Channel File 291 triggered an out-of-bounds memory read, resulting in an exception that caused Windows operating systems to crash.


CrowdStrike said it will introduce software resiliency and testing improvements, conduct more varied and thorough testing, and update the Content Interpreter to handle unexpected errors without crashing the operating system. Future Rapid Response Content updates will be rolled out in stages, so that a problem is caught on a small population before it reaches every host. CrowdStrike has also vowed to give customers greater control over when those updates are applied.
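The failure mode described in the PIR, and the two mitigations CrowdStrike says it will add (a stricter Content Validator and an interpreter that fails closed on bad content), as an added illustration. This is not CrowdStrike's code and does not reproduce the real Channel File 291 format; the four-input event layout, the clause structure, and all function and field names are assumptions made for the example. The point it shows is that a data-driven interpreter crashes exactly like buggy code when the data is allowed to name an input that does not exist, and that a bounds check belongs both at validation time and at interpretation time, because the first one can have bugs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of input values the (hypothetical) sensor supplies per IPC event.
 * Assumed for this example, not CrowdStrike's real layout. */
#define NUM_INPUTS 4

/* One clause of a template instance: "input number input_index must equal
 * pattern" ("*" matches anything). The template is a table the interpreter
 * walks, which is the sense in which the PIR says the content is data, not
 * code or a kernel driver. */
typedef struct {
    size_t input_index;
    const char *pattern;
} clause_t;

typedef struct {
    const clause_t *clauses;
    size_t count;
} template_t;

enum { INTERP_ERROR = -1, INTERP_NO_MATCH = 0, INTERP_MATCH = 1 };

/* Vulnerable interpreter: trusts every index in the content file. A clause
 * whose input_index >= NUM_INPUTS makes inputs[c->input_index] read past the
 * end of the array, the out-of-bounds read the PIR describes. In a kernel
 * component that is a system crash. Kept only to show the defect; never call
 * it on a template that has not passed validate_template(). */
static int interpret_unchecked(const template_t *t, const char *const inputs[NUM_INPUTS]) {
    for (size_t i = 0; i < t->count; i++) {
        const clause_t *c = &t->clauses[i];
        const char *value = inputs[c->input_index];          /* no bounds check */
        if (strcmp(c->pattern, "*") != 0 && strcmp(value, c->pattern) != 0)
            return INTERP_NO_MATCH;
    }
    return INTERP_MATCH;
}

/* Content Validator stage: reject a template before it ships if any clause
 * refers to an input the sensor does not provide. Returns the index of the
 * first bad clause, or -1 if the template is clean. */
static long validate_template(const template_t *t) {
    for (size_t i = 0; i < t->count; i++)
        if (t->clauses[i].input_index >= NUM_INPUTS || t->clauses[i].pattern == NULL)
            return (long)i;
    return -1;
}

/* Hardened interpreter: re-checks bounds at run time so a validator bug (or a
 * corrupted file on disk) degrades to an error the caller can log and skip,
 * not an unhandled exception. */
static int interpret_checked(const template_t *t, const char *const inputs[NUM_INPUTS]) {
    for (size_t i = 0; i < t->count; i++) {
        const clause_t *c = &t->clauses[i];
        if (c->input_index >= NUM_INPUTS || c->pattern == NULL)
            return INTERP_ERROR;                              /* fail closed */
        const char *value = inputs[c->input_index];
        if (strcmp(c->pattern, "*") != 0 && strcmp(value, c->pattern) != 0)
            return INTERP_NO_MATCH;
    }
    return INTERP_MATCH;
}

/* Constructed sample content. good_template is well-formed; bad_template's
 * second clause names input 7, which the sensor never supplies. */
static const clause_t good_clauses[] = { { 0, "named_pipe_connect" }, { 2, "*" } };
static const clause_t bad_clauses[]  = { { 0, "named_pipe_connect" }, { 7, "cmd.exe" } };
static const template_t good_template = { good_clauses, 2 };
static const template_t bad_template  = { bad_clauses, 2 };

/* Constructed sample event, as the sensor would hand it to the interpreter. */
static const char *const sample_event[NUM_INPUTS] = {
    "named_pipe_connect", "\\\\.\\pipe\\spoolss", "svchost.exe", "1234"
};

int main(void) {
    printf("good template validates: %s\n", validate_template(&good_template) < 0 ? "yes" : "no");
    printf("bad template validates:  %s (first bad clause %ld)\n",
           validate_template(&bad_template) < 0 ? "yes" : "no", validate_template(&bad_template));
    printf("checked interpreter, good template: %d\n", interpret_checked(&good_template, sample_event));
    printf("checked interpreter, bad template:  %d\n", interpret_checked(&bad_template, sample_event));
    printf("unchecked interpreter, good template: %d\n", interpret_unchecked(&good_template, sample_event));
    /* interpret_unchecked(&bad_template, sample_event) is the crash path. */
    return 0;
}
```

The validator alone is not enough, which is the lesson of this incident: it is a separate piece of code with its own bugs, and the file it approved still has to be treated as untrusted input by the interpreter that runs with kernel privileges. Returning INTERP_ERROR for a malformed clause lets the sensor skip that rule and keep the host up, which is the behaviour the article says CrowdStrike intends to add.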

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/