DEV Community

Dan

CrowdStrike Blew Up the Internet

Bad code broke a million Windows machines...

Yesterday millions of Windows computers got BRICKED around the world thanks to an update pushed by enterprise cybersecurity firm CrowdStrike. Airports are shutting down, hospitals are unable to treat patients, and banks are not able to get your money.


Let's dig deeper into the technical side of this disaster and find out how such a catastrophic mistake can even happen in the modern world:

A huge number of Fortune 500 companies use CrowdStrike for cybersecurity; its primary product is called "Falcon". Falcon is a tool that provides ENDPOINT protection, using artificial intelligence and analytics to detect threats in real time. CrowdStrike is publicly traded, and its stock is down right now because everybody is blaming them for the BSOD.


Luckily macOS and Linux chads are unaffected. To understand why, we first need to understand how CrowdStrike's Falcon Sensor actually works. Falcon is installed just like regular software, but it integrates with the OS at a low level, often using kernel-mode drivers, and sits there in the background looking for threats. So basically, it is third-party software sitting in the critical path of a computer. If it fails, the entire computer might fail.


Apparently, some automated software update yesterday had some bad code in it, and every computer that got that update is now dead. Part of the reason this is so bad is that it's not a normal outage: every affected computer needs to be rebooted into safe mode so that the driver can be removed manually.

However, they were quick to fix it...

The fix is really EASY. All you have to do is the following:

  • Detach the OS Disk
  • Create a Snapshot of the disk
  • Mount a Volume to new virtual server
  • Find driver (%WINDIR%\System32\drivers\CrowdStrike)
  • Delete the bad file (C-00000291*.sys)
  • Detach Volume from virtual server
  • Reattach volume to impacted server

Piece of cake... but option 2 is to go buy a hammer and use it to uninstall Windows and install Linux.
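Steps 4 and 5 of the list above, as an added PowerShell script (example code, not from the post or from CrowdStrike). It assumes the impacted OS disk is attached to the rescue VM under a drive letter such as E:, that Windows lives in `\Windows` on that volume (the usual %WINDIR%), and it only lists the matching files until you pass -Force.

```powershell
# Added example, not from the post or from CrowdStrike. Run on the rescue VM after
# attaching the impacted OS disk; $VolumeRoot is the drive letter it was mounted under.
param(
    [Parameter(Mandatory = $true)]
    [string]$VolumeRoot,   # e.g. 'E:\' -- the impacted volume, never the rescue VM's own C:\
    [switch]$Force         # without -Force the script only lists what it would delete
)

# Same location as %WINDIR%\System32\drivers\CrowdStrike, resolved on the mounted volume.
$driverDir = Join-Path $VolumeRoot 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    throw "No CrowdStrike driver directory at '$driverDir'. Is the right volume mounted?"
}

# Match only the file named in the post (C-00000291*.sys); leave the rest of the directory alone.
$bad = @(Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' -File)
if ($bad.Count -eq 0) {
    Write-Host "No C-00000291*.sys files under $driverDir; nothing to do."
    return
}

foreach ($f in $bad) {
    if (-not $Force) {
        Write-Host "Would remove $($f.FullName) ($($f.Length) bytes, written $($f.LastWriteTime)). Re-run with -Force."
        continue
    }
    # Keep a copy off the impacted volume for the incident record before deleting.
    $backup = Join-Path $env:TEMP ("crowdstrike-" + $f.Name + ".bak")
    Copy-Item -LiteralPath $f.FullName -Destination $backup -Force
    Remove-Item -LiteralPath $f.FullName -Force
    Write-Host "Removed $($f.FullName); copy kept at $backup"
}
```

On a physical machine booted into safe mode, the same script works against its own system drive (for example `-VolumeRoot 'C:\'`) instead of a mounted volume.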


What everyone failed to realize is that giving one company kernel access to the computers of most companies might actually be a bad idea, because it only takes one automatic update with a misplaced 0 to nearly destroy the entire world.
