A recent Microsoft Azure outage has disrupted industries worldwide, with CrowdStrike's CEO confirming that a defect in a Windows update is causing issues. The cybersecurity firm is actively working to resolve the problem.
A day earlier, CrowdStrike CEO George Kurtz assured the people that the American cybersecurity technology company is actively working with customers affected by a defect found in a single content update for Windows hosts.
"This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed,” he wrote on X (formerly named Twitter).
After a day, the CrowdStrike released technical details on the outage through a blog stating that on July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems.
“Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems,” the company stated, mentioning that this issue is not the result of or related to a cyberattack.
The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC.
Highlighting the impact of the outage, CrowdStrike stated that customers running Falcon sensor for Windows version 7.11 and above, that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC, may be impacted.
Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration from 04:09 UTC to 05:27 UTC – were susceptible to a system crash.
“The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception,” the blog read.
Technical details
CrowdStrike released the following technical details:
On Windows systems, Channel Files reside in the following directory:
C:\Windows\System32\drivers\CrowdStrike\
and have a file name that starts with “C-”. Each channel file is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.
Channel File 291 controls how Falcon evaluates named pipe1 execution on Windows systems. Named pipes are used for normal, inter-process or intersystem communication in Windows.
The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.
Channel File 291
CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.
“This is not related to null bytes contained within Channel File 291 or any other Channel File,” the blog
“We understand how this issue occurred and we are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process. We will update our findings in the root cause analysis as the investigation progresses.”