Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Benedict Collins

CrowdStrike outlines just what went wrong with its update — as many systems around the world are now back up

Crowdstrike logo.

On 19 July, CrowdStrike pushed an update to Windows systems that caused a blue-screen-of-death (BSOD) across millions of devices running the OS across the world, resulting in widespread outages across banking, airports, and health services.

The company fixed the issue the same day, and in a LinkedIn post, said of the approximately 8.5 million Windows devices thought to be impacted, "a significant number" are now back online and operational.

CrowdStrike, which provides antivirus for Windows devices, has now released the full technical details of how and why the disruption happened.

What happened?

CrowdStrike pushed a sensor configuration update for Windows systems that caused a logic error, resulting in the infamous BSOD. Any computer that was running Falcon sensor for Windows version 7.11 and above that was online from when the update was pushed live to when the update was ceased may have been affected.

The update was live for just 1.3 hours, but the damage was already done to millions of Windows devices that automatically updated.

“The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor,” CrowdStrike said in a statement. “Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.”

CrowdStrike further explained that the logic error was caused by content in Channel File 291, which is responsible for controlling how the Falcon sensor evaluates named pipe execution. “Named pipes are used for normal, interprocess or intersystem communication in Windows,” the statement continued. “The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks.”

Linux and macOS systems were not affected by the Falcon update as they do not use Channel File 291. CrowdStrike urged customers to contact them directly if they have specific support needs, and to consult their blog and Support Portal.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.