CrowdStrike outlines just what went wrong with its update — as many systems around the world are now back up

(Image credit: Shutterstock / rafapress)

On 19 July, CrowdStrike pushed an update to Windows systems that caused a blue-screen-of-death (BSOD) across millions of devices running the OS across the world, resulting in widespread outages across banking, airports, and health services.

The company fixed the issue the same day, and in a LinkedIn post, said of the approximately 8.5 million Windows devices thought to be impacted, "a significant number" are now back online and operational.

What happened?

CrowdStrike pushed a sensor configuration update for Windows systems that caused a logic error, resulting in the infamous BSOD. Any computer that was running Falcon sensor for Windows version 7.11 and above that was online from when the update was pushed live to when the update was ceased may have been affected.

The update was live for just 1.3 hours, but the damage was already done to millions of Windows devices that automatically updated.

“The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor,” CrowdStrike said in a statement. “Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.”

CrowdStrike further explained that the logic error was caused by content in Channel File 291, which is responsible for controlling how the Falcon sensor evaluates named pipe execution. “Named pipes are used for normal, interprocess or intersystem communication in Windows,” the statement continued. “The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks.”

Linux and macOS systems were not affected by the Falcon update as they do not use Channel File 291. CrowdStrike urged customers to contact them directly if they have specific support needs, and to consult their blog and Support Portal.

More from TechRadar Pro

These are the best internet security suites
Kaspersky gives US customers six months free security software as a farewell
Take a look at our guide to the best endpoint protection

Benedict has been with TechRadar Pro for over two years, and has specialized in writing about cybersecurity, threat intelligence, and B2B security solutions. His coverage explores the critical areas of national security, including state-sponsored threat actors, APT groups, critical infrastructure, and social engineering.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the Centre for Security and Intelligence Studies at the University of Buckingham, providing him with a strong academic foundation for his reporting on geopolitics, threat intelligence, and cyber-warfare.

Prior to his postgraduate studies, Benedict earned a BA in Politics with Journalism, providing him with the skills to translate complex political and security issues into comprehensible copy.