Outages of Windows Devices: The Biggest Case of Global Outage in a Ten-Year-Old Windows System
Outages are happening at banks, airports, hotels and many other businesses as a result of Windows machines showing errors around the world.
Blue Screens of Death (BSODs) began appearing on Windows devices in the early hours of Friday in Australia. Shortly after, reports of disruptions started flooding in from around the world, including from the UK, India, Germany, the Netherlands, and the US: TV station Sky News went offline, and US airlines United, Delta, and American Airlines issued a “global ground stop” on all flights.
“It’s the biggest case in history—we’ve never had a worldwide workstation outage like this,” says Mikko Hyppönen, the chief research officer at cybersecurity company WithSecure. According to Hyppönen, widespread outages were more common around a decade ago, when they were caused by worms or trojans. More recent global outages have hit the server side of systems and are typically caused by cloud providers such as Amazon or by internet cable cuts.
On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. The configuration update triggered a logic error, and that logic error caused the blue screen on the impacted systems.
A Microsoft spokesperson also issued a statement saying it is aware of the problems linked to Windows devices and the company believes a “resolution is forthcoming.”
The CrowdStrike technical breakdown: a perspective from the Indian passenger’s experience with boarding passes and other public service access points of failure
The outage stemming from the CrowdStrike update has had a huge knock-on impact on public services and businesses around the world. A passenger in India shares a hand-written boarding pass that they’ve obtained at the airport, with scores of airports facing delays and long lines.
Olejnik says it reminds them of their dependence on IT and software. “When a system has several software systems maintained by various vendors, this is equivalent to placing trust in them. They may be a single point of failure—like here, when various firms feel the impact.”
The Slammer worm of 2003 was a rare instance of a single piece of code quickly bringing down computer systems around the world. Russia’s NotPetya cyberattack and North Korea’s self-spreading WannaCry ransomware are other examples. But the ongoing digital catastrophe that rocked the internet and IT infrastructure worldwide over the last 12 hours appears to have been triggered not by malicious code released by hackers, but by the software designed to stop them.
Separately, the technical breakdown from CrowdStrike released Friday explains more about what happened and why so many systems were affected all at once.
Channel Files: A Configuration File Used by the Falcon Sensor and a System Crash Caused by a Communication Error in 2008-2019
The configuration files mentioned above are referred to as Channel Files and are part of the behavior protection mechanisms used by the Falcon sensor. Channel Files are updated several times a day in response to the novel tactics, techniques and procedures that CrowdStrike discovers. This is not a new process; the architecture has been in place since Falcon’s inception.
CrowdStrike explained that the file is not a kernel driver but is responsible for “how Falcon evaluates named pipe execution on Windows systems.” The crash was traced to a problem file, C-0000029, which triggered a logic error that resulted in an OS crash, according to Patrick Wardle.
Systems that downloaded the updated configuration between 04:09 UTC and 05:27 UTC were susceptible to the crash.