CrowdStrike Blew Up the Internet
Dan
Posted on July 20, 2024
Bad code broke a million Windows machines...
Yesterday millions of Windows computers got BRICKED around the world thanks to an update pushed by enterprise cybersecurity firm CrowdStrike. Airports are shutting down, hospitals are unable to treat patients, and banks are not able to get your money.
Let's dig deeper into the technical side of this disaster and find out how such a catastrophic mistake can even happen in the modern world:
A huge number of Fortune 500 companies use CrowdStrike for cybersecurity. Its primary product is called "Falcon", a tool that provides ENDPOINT protection, using artificial intelligence and analytics to detect threats in real time. CrowdStrike is publicly traded, and its stock is down right now because everybody is blaming them for the BSOD.
Luckily macOS and Linux chads are unaffected. To understand why, we first need to understand how CrowdStrike's Falcon Sensor actually works. Falcon is installed just like regular software but integrates with the OS at a low level, often using kernel-mode drivers, and sits in the background looking for threats. So basically, it is third-party software sitting in the critical path of a computer. If it fails, the entire computer might fail.
Apparently, some automated software update yesterday had some bad code in it, and every computer that got that update is now dead. Part of the reason this is so bad is that it's not a normal outage: every affected computer needs to be rebooted into safe mode so that the driver can be removed manually.
However, they were quick to fix it...
The fix is really EASY. All you have to do is the following:
- Detach the OS Disk
- Create a Snapshot of the disk
- Mount a Volume to new virtual server
- Find driver (%WINDIR%\System32\drivers\CrowdStrike)
- Delete the bad file (C-00000291*.sys)
- Detach Volume from virtual server
- Reattach volume to impacted server
Piece of cake... but option 2 is to go buy a hammer and use it to uninstall Windows and install Linux.
What everyone failed to realize is that giving one company kernel access to the computers of most companies might actually be a bad idea, because it only takes 1 automatic update with a misplaced 0 to nearly destroy the entire world.
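If you have to run the steps above across a fleet, the "delete the bad file" step is worth scripting so it is repeatable and leaves a record. This is an added example, not code from the post or from CrowdStrike: it assumes the impacted OS disk is already attached to a repair VM as drive letter `-DriveLetter`, that Windows lives in the default `\Windows` folder on that volume, and it keeps a copy of whatever it deletes in a backup folder (path is an assumption) before removing it.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Drive letter the impacted volume got when attached to the repair VM, e.g. "F".
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter,

    # Where deleted files are copied first (assumed location; keep for later analysis).
    [string]$BackupDir = (Join-Path $env:TEMP 'crowdstrike-291-backup')
)

$root      = "${DriveLetter}:\"
# Same directory the post names (%WINDIR%\System32\drivers\CrowdStrike), assuming default WINDIR.
$driverDir = Join-Path $root 'Windows\System32\drivers\CrowdStrike'

# Never touch the repair VM's own boot volume by mistake.
if ($env:SystemDrive -ieq "${DriveLetter}:") {
    throw "$root is this VM's own system drive; attach the impacted disk instead."
}

if (-not (Test-Path -LiteralPath $driverDir)) {
    throw "No CrowdStrike driver directory at $driverDir; is the right volume attached?"
}

# The pattern from the post: every C-00000291*.sys channel file in that folder.
$files = @(Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File)

if ($files.Count -eq 0) {
    Write-Host "Nothing matching C-00000291*.sys under $driverDir; nothing to do."
    return
}

foreach ($f in $files) {
    # Log name, size and timestamp so there is a record of exactly what was removed.
    Write-Host ("{0}  {1,8} bytes  {2:u}" -f $f.Name, $f.Length, $f.LastWriteTimeUtc)

    if ($PSCmdlet.ShouldProcess($f.FullName, 'Back up and delete channel file')) {
        if (-not (Test-Path -LiteralPath $BackupDir)) {
            New-Item -ItemType Directory -Path $BackupDir | Out-Null
        }
        Copy-Item   -LiteralPath $f.FullName -Destination $BackupDir -Force
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
```

Run it once with `-WhatIf` to see what would be deleted, then again without it; afterwards detach the volume and reattach it to the impacted server as in the list above.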