CrowdStrike Update Causing Chaos: Blue Screen of Death Hits Windows Systems
A recent CrowdStrike update is wreaking havoc on Windows computers worldwide, causing them to crash and display the dreaded Blue Screen of Death (BSOD). Reports indicate that companies globally, including Sky News, have been unable to reboot their systems, leading to significant disruptions.
Concerned users have taken to forums like Reddit to share their experiences, with one user stating: “Wow, stuck in a boot loop, and entire org taken out.” So, if you arrived at work this morning to find technological chaos, rest assured you're not alone. Here’s what happened and what to do next.
What Happened?
An issue with CrowdStrike’s Falcon Sensor product is causing widespread problems. CrowdStrike engineers are working on the problem, which they attribute to a faulty channel file rather than a typical update. Falcon is described as “the CrowdStrike platform purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks—including malware and much more.”
The IT outage has affected airports, businesses, and broadcasters. According to Sky News, planes have been grounded in the U.S., trains in the U.K. are impacted, and boarding scanners at Edinburgh airport in Scotland are down.
Microsoft reported taking "mitigation actions" after service issues began around 6 pm Eastern Time, impacting several cloud services and applications in the U.S.
The Workaround
A user named Brody, director of CrowdStrike Overwatch, posted a workaround on X.
What To Do Next
While there is a workaround, it is not scalable because it has to be applied by hand on each affected system. For large companies, working through every machine could take hours or even days.
Adam Harrison, managing director at FTI Cybersecurity, noted that resolving the issue will be challenging once systems are in a reboot loop. “Manual fixes are going to take time for system admins to apply: CrowdStrike can't push a new update remotely to fix. It's going to need manual intervention on each system.”
You might be able to roll back to a known good state, but for many, this option won't be available. “The fix itself is quick to perform, but when you scale that up to thousands of servers and/or thousands of workstations, it's going to be a bad day in the office for lots of folks,” said Harrison.
CrowdStrike’s Response
CrowdStrike’s primary focus now is to communicate the fix as quickly and widely as possible. Ian Thornton-Trump, CISO at Cyjax, believes CrowdStrike will pull the update and instruct the old agents not to update until the issue is resolved. “However, what has been done cannot be undone for those blue screen machines. If the machines can be booted in safe mode, they may be able to issue an out-of-band update or patch. That’s time-consuming—if the machines are critical, they might actually consider restoring from backup or a shadow copy (a built-in MSFT recovery feature).”
CrowdStrike might develop a tool to apply the fix at the disk level, such as through bootable media, which could help some organizations with large numbers of affected systems. “This would maybe help some people out who have thousands of systems to fix. It’s still not a solution that solves the problem fully remotely or at a huge scale, but it could bring recovery times down,” Harrison added.
Conclusion
The CrowdStrike update issue has underscored how fragile widely deployed security software can be and how large the impact of a single faulty update is. While the workaround offers a temporary fix, the broader challenge remains in efficiently and swiftly addressing such widespread disruptions. Businesses are reminded of the importance of robust contingency plans and the need for rapid, clear communication during such crises.