General view from Dusseldorf Airport as passengers gather and wait due to the global communications outage caused by CrowdStrike, which provides cyber security services to US technology company Microsoft, on July 19, 2024 in Dusseldorf, Germany.
Hesam Elserif | Anadolu | Getty Images
The routine update to widely used cyber security software from CrowdStrike that caused customer computer systems worldwide to shut down on Friday was apparently not subjected to adequate quality checks before it was deployed, security experts said.
The latest version of the Falcon Sensor software was intended to make CrowdStrike customers’ systems more secure against hacking by updating the threats it defends against. However, faulty code in the update files has resulted in one of the most widespread technology outages in recent years for companies using the Microsoft Windows operating system.
Global banks, airlines, hospitals and government offices were disrupted. CrowdStrike released information to patch the affected systems, but experts said bringing them back online would take time, as it required manual removal of the faulty code.
“What it looks like is maybe the auditing or sandboxing that they’re doing when they look at the code, maybe somehow that file didn’t get included in it or escaped,” said Steve Cobb, chief security officer at Security Scorecard, which also had some systems affected by the issue.
The problems came to light quickly after the update was released on Friday, and users posted photos on social media of computers with blue screens displaying error messages. These are known in the industry as “blue screens of death”.
Patrick Wardle, a security researcher specializing in the study of operating system threats, said his analysis identified the code responsible for the outage.
The problem with the update was “in a file that contains either configuration information or signatures,” he said. Such signatures are code that detects specific types of malicious code or malware.
“It’s very common for security products to update their signatures, like once a day … because they’re constantly monitoring for new malware and because they want to make sure their customers are protected against the latest threats,” he said.
The frequency of updates “is probably why (CrowdStrike) didn’t test it as much,” he said.
It’s unclear how this flawed code got into the update and why it wasn’t caught before it was released to customers.
“Ideally, this would have been deployed in a limited pool first,” said John Hammond, principal security researcher at Huntress Labs. “This is a safer approach to avoid a big mess like this.”
Other security companies have had similar incidents in the past. McAfee’s 2010 antivirus update slowed hundreds of thousands of computers.
But the global impact of this outage reflects CrowdStrike’s dominance. More than half of Fortune 500 companies and many government agencies, including the US’s top cybersecurity agency, the Cybersecurity and Infrastructure Security Agency, use the company’s software.