Faulty Windows Update from CrowdStrike Hits Banks and Airlines Around the World

There are automated ways to fix it in some environments. The problem is drive encryption.
Another problem is PCs that won't boot.

Although ... isn't there a thing called Intel Management Engine, which system admins can use to access disks and everything on a PC even if it's turned off or unable to boot?
 
This was 100% caused by CrowdStrike and not Microsoft.

Global outage due to CrowdStrike Falcon-package failure affecting Windows.
 
Another problem is PCs that won't boot.

Although ... isn't there a thing called Intel Management Engine, which system admins can use to access disks and everything on a PC even if it's turned off or unable to boot?
I've never seen anyone put in the effort to set that up. In my experience, the teams usually just rely on stuff like Endpoint Central, Ivanti management suite, etc.
 
Am I understanding that because CrowdStrike installs at the Windows kernel level it has broken Windows computers and not Mac and Linux? Mac and Linux OS devs are smart enough to not allow something as horrible as AV software into the kernel and rather restrict it to user space?
 
Am I understanding that because CrowdStrike installs at the Windows kernel level it has broken Windows computers and not Mac and Linux? Mac and Linux OS devs are smart enough to not allow something as horrible as AV software into the kernel and rather restrict it to user space?
Kernel-level is what makes them able to detect/remove active malware so effectively. It's not AV per-se it's EDR.

e.g. CrowdStrike Detects Dell Driver Vulnerability CVE-2021-21551
 
@Easy Rhino
Falcon is a kernel extension/system extension on all supported platforms, from my understanding. It needs to be to be effective. No, it’s not an AV strictly speaking. It has nothing to do with developers of any OS. This is just a specific case where the Windows update package was shipped scuffed.
 
Question: while the original problem seems to be caused by CrowdStrike, doesn't the fact that it cripples Windows ALSO make it a Windows problem?

Perhaps I'm misinterpreting it, but it seems to me Windows Update had a problem, and CrowdStrike EXPOSED IT, with their faulty update.
 
Kernel-level is what makes them able to detect/remove active malware so effectively. It's not AV per-se it's EDR.

e.g. CrowdStrike Detects Dell Driver Vulnerability CVE-2021-21551

@Easy Rhino
Falcon is a kernel extension/system extension on all supported platforms, from my understanding. It needs to be to be effective. No, it’s not an AV strictly speaking. It has nothing to do with developers of any OS. This is just a specific case where the Windows update package was shipped scuffed.

Right, it is EDR. But does Windows HAVE to install this at the kernel level to be as effective as say OSX or Linux installing it in userspace? That is an OS design decision, isn't it?
 
At least one of my local news stations has been down since 5:30 this morning. They reported on their website it's related to this issue. Whoboy, sure seems like a giant mess.
 
Right, it is EDR. But does Windows HAVE to install this at the kernel level to be as effective as say OSX or Linux installing it in userspace?
Why are you assuming that OSX or Linux install them in userspace? Hint: they don’t. Linux one is also a kernel driver and the OSX one is a system extension (analogous to kernel driver for OSX).

Perhaps I'm misinterpreting it, but it seems to me Windows Update had a problem, and CrowdStrike EXPOSED IT, with their faulty update.
WinUpdate has absolutely nothing to do with the issue at hand.
 
Oh good, the Linux idiots have arrived to shit on things they have zero understanding of.
If you mean me, I originally replied to the part where you have to go in and manually delete some file. Only later I connected the dots to the PCs actually failing to boot. My bad.

(Fwiw, my only beef with Windows is that, as a software developer, I get it shoved down my throat because of AD, despite it being the worst pick of the bunch for actual software development. It's great for a lot of other things, I run both Win and Linux myself.)
 
Right, it is EDR. But does Windows HAVE to install this at the kernel level to be as effective as say OSX or Linux installing it in userspace?
Their Linux sensor is kernel mode or user mode, but the kernel needs to be recompiled with 5 additional flags for user mode to work.

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_JIT=y

CrowdStrike Falcon Sensor - Red Hat Ecosystem Catalog

With macOS 10.5.x, Apple announced that they will no longer support kernel extensions (kext) for third-party developers.

CrowdStrike completely re-wrote the macOS sensor from the ground up for Catalina to use the user-mode APIs.
 
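The five kernel options in the post above are the ones it says the user-mode Linux sensor needs. As an added example (not from the thread and not CrowdStrike's own tooling), here is a POSIX shell check that reports which of those options a kernel config file lacks, run against a constructed sample config; the helper that reads the running kernel's config assumes /proc/config.gz or /boot/config-<release> exists.

```shell
#!/bin/sh
# Added example: verify a kernel config has the BPF options listed in the post.
# The option names are exactly the five quoted there.
REQUIRED_BPF_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_DEBUG_INFO_BTF CONFIG_BPF_EVENTS CONFIG_BPF_JIT"

# missing_bpf_opts FILE: prints each required option that is not "=y" in FILE.
# Returns 0 when all five are present, 1 when at least one is missing.
missing_bpf_opts() {
    cfg="$1"
    rc=0
    for opt in $REQUIRED_BPF_OPTS; do
        # Anchor both ends so CONFIG_BPF does not match CONFIG_BPF_SYSCALL.
        if ! grep -q "^${opt}=y\$" "$cfg"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# running_kernel_config: print the running kernel's config to stdout.
# Assumes one of the two usual locations is readable (hypothetical on this host).
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "kernel config not found" >&2
        return 1
    fi
}

# Constructed sample config: BTF disabled, as a kernel built without debug
# info might ship. Everything else is enabled.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_DEBUG_INFO_BTF is not set
CONFIG_BPF_EVENTS=y
CONFIG_BPF_JIT=y
EOF

if missing="$(missing_bpf_opts "$SAMPLE_CFG")"; then
    echo "sample config: user-mode sensor prerequisites present"
else
    echo "sample config: missing $missing; the kernel-mode sensor would be needed"
fi
```

To check a live host instead of the sample, pipe `running_kernel_config` into a file and pass that path to `missing_bpf_opts`.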
Why are you assuming that OSX or Linux install them in userspace? Hint: they don’t. Linux one is also a kernel driver and the OSX one is a system extension (analogous to kernel driver for OSX).

Interesting. So it's a Microsoft problem then because OSX and Linux are not impacted.
 
Ahhhh, remember when all computers had the "tap F8" and you had the menu to boot into safe mode. Then Microsoft removed this feature on all computers since Windows 8, 10 and 11. Remember that good ole Last Known Good Configuration.

I have it enabled on all our machines on the network just in case something like this happens. I think ahead.
bcdedit /set {default} bootmenupolicy legacy

It works on all systems, even ones with Secure Boot. It does not affect the boot process at all; it's just there for emergencies when you need it most.

All the people in my life that called, I just said tap F8, wait for the menu and then go to Last Known Good Config. All working fine now.

Cheers all
 
Interesting. So it's a Microsoft problem then because OSX and Linux are not impacted.
No. It’s a CrowdStrike problem. The packages for different OS are different. That should be obvious. They scuffed the Windows one. That’s all there is to it. Stop it already with the “blame MS regardless of the situation”, it’s tiresome. They have plenty of reasons to be mad at, but this isn’t one.
 
No. It’s a CrowdStrike problem. The packages for different OS are different. That should be obvious. They scuffed the Windows one. That’s all there is to it. Stop it already with the “blame MS regardless of the situation”, it’s tiresome. They have plenty of reasons to be mad at, but this isn’t one.

Calm down. I think you are upset. I am not blaming M$, I am trying to figure out what happened...
 
So far, the solution needs to be done on each endpoint.

But since many of those have bitlocker enabled, you need to access AD for each one, but…those servers hosting the keys are also down.

There will be a lot of reimaged PCs.

About Win vs Linux vs macOS, I think that only Windows allows such access to the kernel, hence why anticheat rootkits can't run in Linux when using Proton for Win games.
 
@Easy Rhino
The only thing I am upset at is abysmal levels of reading comprehension on a tech enthusiast site, honestly. In general, not with you personally. What happened is clear. CrowdStrike even published a statement. Of course, what EXACTLY has been scuffed in the package wasn’t disclosed for obvious security reasons.
 
Here's where I am unable to connect the dots, please help me:
1. A corrupted boot loader causes a BSOD (without rebooting, I assume)
2. But the corrupted boot loader doesn't prevent the PC from booting in safe mode.
 
Interesting. So it's a Microsoft problem then because OSX and Linux are not impacted.
I think they're separate code bases, so they wouldn't have been affected regardless.
 
@Easy Rhino
The only thing I am upset at is abysmal levels of reading comprehension on a tech enthusiast site, honestly. In general, not with you personally. What happened is clear. CrowdStrike even published a statement. Of course, what EXACTLY has been scuffed in the package wasn’t disclosed for obvious security reasons.

The information is still fresh for most people waking up on the east coast of the US. Plus, most people here are just into overclocking and gaming and are not really into the whole enterprise security scene. It is important to not jump to conclusions about motives when people ask questions.

Uhh? Why would you write it's a Microsoft problem if you're not considering them responsible or putting the blame on them?

It is called "making a statement" which invites a response for clarity. I am not afraid to be wrong like some people.
 
Uhh? Why would you write it's a Microsoft problem if you're not considering them responsible or putting the blame on them?
TBF if Microsoft offered user-mode APIs into kernel events, it wouldn't be necessary to install a kernel driver.
 