A massive outage is currently affecting computer systems around the world. In Australia and Aotearoa New Zealand, reports indicate that computers in banks, media outlets, hospitals, transportation services, store checkouts, airports and many more have been affected.
Today’s outage is unprecedented in its scale and severity. The technical term for what happened to the affected computers is that they were “bricked”. The word refers to computers rendered so useless by the outage that – at least for now – they might as well be bricks.
The widespread outage has been linked to a piece of software called CrowdStrike Falcon. What is it, and why has it caused such disruption?
What is CrowdStrike Falcon?
CrowdStrike is an American cybersecurity company that holds a significant share of the global security software market. Falcon is one of its products; organisations install it on their computers to protect them from cyberattacks and malware.
Falcon is a type of software known as “endpoint detection and response” (EDR). Its role is to monitor what is happening on the computers on which it is installed, looking for signs of malicious activity (such as malware). When it detects something suspicious, it helps block the threat.
This means that Falcon is what we call privileged software. To detect signs of attack, Falcon must monitor computers in great detail, which requires access to many internal systems. This includes the communications that computers send over the internet, as well as running programs, open files and much more.
In this sense, Falcon is a bit like traditional antivirus software, but on steroids.
But it also needs to be able to block threats. For example, if it detects that a computer it is monitoring is communicating with an attacker’s server, Falcon needs to be able to cut off that communication. That means Falcon is tightly integrated with the core software of the computers it runs on, which for the affected machines is Microsoft Windows. On Windows, the Falcon sensor does this by running a driver inside the operating system kernel, at the same level of privilege as Windows itself.
Why did Falcon cause this problem?
This privilege and tight integration give Falcon its power. But they also mean that when Falcon fails, it can cause serious problems, and today’s failure is the worst-case scenario.
What we currently know is that an update pushed to Falcon triggered a fault in the sensor while it was running inside the Windows kernel. Because the kernel cannot survive a fault in one of its drivers, the affected Windows computers crashed and then failed to restart, showing the dreaded “blue screen of death” (BSOD).
This is the informal term for the screen that appears when a Windows computer crashes and needs to be restarted. In this case, because the faulty Falcon component is loaded early during startup, the computers hit the same crash on every reboot and never get back to a working desktop.
Why is Falcon so widely used?
CrowdStrike is a market leader in EDR solutions. This means its products, such as Falcon, are mainstream and likely the preferred choice for security-conscious organisations.
As today’s outage showed, this affects hospitals, media companies, universities, major supermarkets and many more. The full extent of the impact remains to be seen, but it is certainly global.
Why are personal computers not affected?
While CrowdStrike products are widely deployed in large organisations that need to protect themselves from cyberattacks, they are much less commonly used on home PCs.
This is because CrowdStrike products are tailored to large organisations, where they help security teams monitor networks for signs of attack and provide the information needed to respond to intrusions in a timely manner.
For home users, the antivirus software built into Windows, or security products offered by companies such as Norton and McAfee, are far more common.
How long will it take to solve this problem?
At this point, CrowdStrike has provided manual instructions on how to resolve the issue on individual affected computers.
However, at the time of writing, there does not appear to be an automatic fix. IT teams at some organisations can resolve the issue relatively quickly by wiping the affected computers and restoring them from backups or standard system images.
Some IT teams may be able to “roll back” (revert to an earlier version) the affected Falcon component on computers in their organisation. Others will need to apply the manual fix to each affected computer, one by one, which is slow when the machines are spread across many sites and cannot be reached remotely because they no longer boot.
It is to be expected that in many organisations it will take some time before the problem is fully resolved.
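To make the per-machine effort concrete, here is an added example (not part of this article, and not CrowdStrike’s own tooling) of the manual fix as an administrator might script it. The directory and file pattern follow CrowdStrike’s published remediation guidance for this incident: boot into Safe Mode or the Windows Recovery Environment, delete the channel file matching `C-00000291*.sys` under `C:\Windows\System32\drivers\CrowdStrike`, then reboot normally. Everything else (the `-SystemDrive` parameter, the quarantine copy, the `-WhatIf` dry run) is an assumption made for the example.

```powershell
# Added example: remove the faulty Falcon channel file from one host.
# Run from Safe Mode or the Windows Recovery Environment (WinRE), where the
# crashing driver is not loaded. Directory and file pattern are from CrowdStrike's
# published guidance; the parameters and quarantine step are assumed here.
[CmdletBinding(SupportsShouldProcess)]
param(
    # In WinRE the Windows volume is frequently not C:, so accept a drive letter.
    [string]$SystemDrive = "C:"
)

$driverDir     = Join-Path $SystemDrive "Windows\System32\drivers\CrowdStrike"
$pattern       = "C-00000291*.sys"
$quarantineDir = Join-Path $SystemDrive "Windows\Temp\falcon-quarantine"

# A missing directory usually means the volume is still BitLocker-locked
# (unlock it with the recovery key first) or the wrong drive letter was given.
if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Error "Falcon driver directory not found at $driverDir (wrong drive letter, or BitLocker volume not unlocked?)"
    exit 1
}

$bad = @(Get-ChildItem -LiteralPath $driverDir -Filter $pattern -File)
if ($bad.Count -eq 0) {
    Write-Output "No file matching $pattern in $driverDir; nothing to do."
    exit 0
}

# Keep a copy of what is removed so the file can be examined later.
New-Item -ItemType Directory -Path $quarantineDir -Force | Out-Null

foreach ($f in $bad) {
    Write-Output ("Found {0} ({1} bytes, modified {2:u})" -f $f.FullName, $f.Length, $f.LastWriteTime)
    if ($PSCmdlet.ShouldProcess($f.FullName, "Quarantine and delete faulty channel file")) {
        Copy-Item -LiteralPath $f.FullName -Destination $quarantineDir -Force
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

Write-Output "Done. Reboot normally; the Falcon sensor should fetch corrected content once the host is back online."
```

Run it first with `-WhatIf` (for example `.\fix-falcon.ps1 -SystemDrive D: -WhatIf` from WinRE) to confirm exactly which file would be removed before touching anything. Note the two practical obstacles it cannot remove: every BitLocker-protected machine needs its recovery key before the volume is readable, and someone has to be physically at, or have out-of-band access to, each affected host, which is why the fix scales so poorly.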
The irony of this incident is that security professionals have been encouraging organisations to deploy advanced security technologies like EDR for years. Yet that same technology has now caused a major outage the likes of which we haven’t seen in years.
For companies like CrowdStrike that sell highly privileged security software, this is a timely reminder to be extremely careful when deploying automatic updates to their products: test updates against the same kernel components they will touch in the field, and roll them out in stages to a small set of machines first, so that a faulty update bricks a few hosts rather than millions.