CrowdStrike has revealed its initial findings on the cause of the recent incident affecting millions of Windows devices around the world.
In a preliminary Post Incident Review (PIR), the company acknowledged that a content configuration update caused a significant issue, leading to mass crashes of Windows hosts on July 19, 2024.
The incident, estimated to have affected 8.5 million Windows machines, occurred after a routine update intended to gather telemetry on possible novel threat techniques. In this case, the problematic update triggered an out-of-bounds memory read in the sensor. Because the sensor runs as a Windows kernel driver, the resulting exception could not be handled gracefully and crashed the operating system, producing the infamous blue screen of death (BSOD); many hosts then boot-looped until the bad content was removed.
CrowdStrike offers more detail about the recent outage
The issue impacted Windows hosts running sensor version 7.11 and above that were online between 04:09 and 05:27 UTC on the day of the incident and downloaded the updated content (Channel File 291) in that window. Hosts that came online after 05:27 UTC received the reverted file and were not affected; Linux and macOS hosts were not affected at all.
CrowdStrike CEO George Kurtz issued an apology, emphasizing that this was not the result of a cyberattack but rather an internal software problem. He reassured customers that measures are being taken to prevent similar issues in the future.
The root of the problem lies in Rapid Response Content, which is designed to update threat detection capabilities dynamically without changing the sensor code. Rather than code, it is configuration data (fields, values and filters) delivered in Channel Files as Template Instances and evaluated by the sensor's Content Interpreter. The problematic update added two new IPC Template Instances intended to detect novel attack techniques that abuse Windows Named Pipes.
However, a bug in the Content Validator allowed one of the two instances to pass validation despite containing problematic content data. Because the IPC Template Type itself had passed testing when it shipped, and earlier IPC Template Instances had deployed without issue, the new instances went to production on trust in the validator rather than through a further test pass. When the Content Interpreter loaded the faulty instance, the out-of-bounds read occurred and the hosts crashed.
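To make the failure mode concrete, here is an added illustrative model in C, written for this page and not CrowdStrike's code: the template-instance layout, the function names, MAX_INPUTS and the sample blobs are all invented for the illustration and are not the Channel File format. It shows a validator that checks only the header shape (the class of gap the PIR describes), a fixed validator that requires every declared field to be present and to fit the interpreter's input array, and an interpreter that keeps its own bounds checks so a malformed instance is refused rather than read past the end of a buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical template-instance layout used only for this illustration.
 * It is NOT CrowdStrike's Channel File format.
 *   byte 0      magic
 *   byte 1      format version
 *   byte 2      field_count: how many 4-byte little-endian match values follow
 *   bytes 3..   field_count * 4 bytes of match values
 */
#define TI_MAGIC    0xC5
#define TI_VERSION  1
#define TI_HDR_LEN  3
#define TI_FIELD_SZ 4
#define MAX_INPUTS  8   /* assumed size of the per-event input array the interpreter indexes */

enum ti_status { TI_OK = 0, TI_BAD_HEADER, TI_TOO_MANY_FIELDS, TI_TRUNCATED };

/* Validator with the class of bug described above: it checks only that the
 * header looks right, never that the declared field count is backed by data
 * or fits the interpreter's input array. A blob declaring 12 fields while
 * carrying 2 sails through. */
enum ti_status validate_buggy(const uint8_t *buf, size_t len)
{
    if (len < TI_HDR_LEN || buf[0] != TI_MAGIC || buf[1] != TI_VERSION)
        return TI_BAD_HEADER;
    return TI_OK;
}

/* Fixed validator: every declared field must be present in the blob, and the
 * count must not exceed what the interpreter can index. */
enum ti_status validate_fixed(const uint8_t *buf, size_t len)
{
    enum ti_status s = validate_buggy(buf, len);
    if (s != TI_OK)
        return s;
    size_t count = buf[2];
    if (count > MAX_INPUTS)
        return TI_TOO_MANY_FIELDS;
    if (len - TI_HDR_LEN < count * TI_FIELD_SZ)
        return TI_TRUNCATED;
    return TI_OK;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Interpreter: compare the instance's match values against the inputs the
 * sensor collected for one event. Returns 1 on match, 0 on mismatch, -1 when
 * it refuses to evaluate. The two bounds checks are the second line of
 * defence: code running in kernel mode cannot rely on the validator alone,
 * because an out-of-bounds read here is an unhandled exception (a BSOD),
 * not merely a failed detection. */
int interpret(const uint8_t *buf, size_t len, const uint32_t *inputs, size_t n_inputs)
{
    if (len < TI_HDR_LEN)
        return -1;
    size_t count = buf[2];
    if (count > n_inputs)                          /* would index past inputs[] */
        return -1;
    if (len - TI_HDR_LEN < count * TI_FIELD_SZ)    /* would read past buf[] */
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (read_le32(buf + TI_HDR_LEN + i * TI_FIELD_SZ) != inputs[i])
            return 0;
    }
    return 1;
}

/* Constructed sample blobs and inputs (not real content or telemetry). */
static const uint8_t GOOD_TI[]  = { TI_MAGIC, TI_VERSION, 2,  1,0,0,0,  2,0,0,0 };
static const uint8_t TRUNC_TI[] = { TI_MAGIC, TI_VERSION, 3,  1,0,0,0,  2,0,0,0 }; /* declares 3, carries 2 */
static const uint8_t OVER_TI[]  = { TI_MAGIC, TI_VERSION, 12, 1,0,0,0,  2,0,0,0 }; /* declares 12 > MAX_INPUTS */
static const uint32_t SAMPLE_INPUTS[MAX_INPUTS] = { 1, 2 };

int main(void)
{
    printf("buggy validator on OVER_TI:  %d (0 = accepted)\n", validate_buggy(OVER_TI, sizeof OVER_TI));
    printf("fixed validator on OVER_TI:  %d\n", validate_fixed(OVER_TI, sizeof OVER_TI));
    printf("fixed validator on TRUNC_TI: %d\n", validate_fixed(TRUNC_TI, sizeof TRUNC_TI));
    printf("interpret GOOD_TI: %d, OVER_TI: %d\n",
           interpret(GOOD_TI, sizeof GOOD_TI, SAMPLE_INPUTS, MAX_INPUTS),
           interpret(OVER_TI, sizeof OVER_TI, SAMPLE_INPUTS, MAX_INPUTS));
    return 0;
}
```

The point of the model is the division of labour: the validator is the gate that the PIR says failed, but the interpreter is what runs in the kernel, so it must also refuse to evaluate anything whose declared shape does not match the bytes it was given.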
In response to the widespread problems, CrowdStrike's PIR outlines several steps to harden its testing and deployment processes and prevent a recurrence: more rigorous testing of Rapid Response Content (local developer testing, content update and rollback testing, stress testing, fuzzing and fault injection); additional checks in the Content Validator and better error handling in the Content Interpreter; a staggered, canary-style rollout instead of pushing content to all hosts at once; improved monitoring of sensor and system performance during rollouts; and giving customers control over when and where Rapid Response Content is deployed, with release notes for each content update.
Additionally, further details are promised in a full Root Cause Analysis, which the company has committed to releasing publicly. In the meantime, CrowdStrike says it is working with affected customers to continue restoring normal operations.