SAN FRANCISCO, July 20 — Security experts said CrowdStrike's routine update of its widely used cybersecurity software, which caused clients' computer systems to crash globally on Friday, apparently did not undergo adequate quality checks before it was deployed.
The latest version of CrowdStrike's Falcon Sensor software was meant to make CrowdStrike clients' systems more secure against hacking by updating the threats it defends against.
However, faulty code in the update files resulted in one of the most widespread tech outages in recent years for companies using Microsoft's Windows operating system.
Global banks, airlines, hospitals, and government offices were disrupted. CrowdStrike released information to fix affected systems, but experts said getting them back online would take time as it required manually weeding out the flawed code.
"What it looks like is, potentially, the vetting or the sandboxing they do when they look at code, maybe somehow this file was not included in that or slipped through," said Security Scorecard's chief security officer Steve Cobb, whose organisation also had some systems impacted by the issue.
Problems emerged quickly after the update was rolled out yesterday, and users posted pictures of computers with blue screens on social media displaying error messages. These are known in the industry as "blue screens of death."
Security researcher Patrick Wardle, who specialises in studying threats against operating systems, said his analysis identified the code responsible for the outage.
The update’s problem was "in a file that contains either configuration information or signatures," he said.
Such signatures are code that detects specific types of malicious code or malware.
"It is very common that security products update their signatures, like once a day... because they are continually monitoring for new malware and because they want to make sure that their customers are protected from the latest threats," Wardle said.
The frequency of updates "is probably the reason why (CrowdStrike) did not test it as much," he said.
It is unclear how that faulty code entered the update and why it was not detected before it was released to customers.
"Ideally, this would have been rolled out to a limited pool first. That is a safer approach to avoid a big mess like this," said Huntress Labs principal security researcher John Hammond.
Other security companies have had similar episodes in the past. McAfee's buggy antivirus update in 2010 stalled hundreds of thousands of computers.
However, the global impact of this outage reflects CrowdStrike's dominance. Over half of Fortune 500 companies and many government bodies, such as the top United States cybersecurity agency; the Cybersecurity and Infrastructure Security Agency, use the company's software.
— Reuters
