CrowdStrike early Saturday provided additional technical information and remediation guidance to help organizations impacted by the faulty software update that triggered massive IT outages across the global economy on Friday.
The cybersecurity firm said late Friday that a routine sensor configuration update pushed to Windows systems on July 19, 2024 at 04:09 UTC triggered a logic error that blue-screened critical computer systems around the world.
In an update Saturday morning, the cybersecurity firm provided a tech alert with more information about the issue and workaround steps organizations can take.
- Channel file “C-00000291*.sys” with timestamp of 0527 UTC or later is the reverted (good) version.
- Channel file “C-00000291*.sys” with timestamp of 0409 UTC is the problematic version.
- Note: It is normal for multiple “C-00000291*.sys files to be present in the CrowdStrike directory – as long as one of the files in the folder has a timestamp of 0527 UTC or later, that will be the active content.
The company reiterated that Mac and Linux systems were not impacted by the glitch.
Remediation Information
For companies still experiencing Windows hosts that are still crashing and unable to get online to receive the required update, CrowdStike provided workaround steps.
The company also said a Dashboard is now available that displays Impacted channels and CIDs and Impacted Sensors, which is available in the Console menu at depending on your subscriptions.
Additional remediation resources and quick links from CrowdStrike and other technology vendors:
- Workaround steps for individual hosts
- Workaround steps for public cloud or similar environment including virtual
- AWS-specific documentation
- Azure environments – CrowdStrike Falcon agent guidance from Microsoft
- User Access Recovery Key in the Workspace ONE Portal
- Windows encryption management via Tanium
- Bitlocker recovery via Citrix
- Intel vPro® technology remediation guide
- CrowdStrike and Rubrik Customer Content Update Recovery For Windows Hosts
CrowdStrike Founder and CEO George Kurtz warned that adversaries and bad actors will try to exploit events like this. “I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives,” Kurtz wrote in a blog post. “Our blog and technical support will continue to be the official channels for the latest updates.”
The company says the issue does not affect its Falcon platform systems, and if customer systems are operating normally, there is no impact to their protection if the Falcon sensor is installed. Falcon Complete and OverWatch services were not disrupted by the faulty update.
This incident, described in the mainstream media with words such as “chaos” and “disaster”, could turn out to be one of the worst cyber failures in history.
Additional news coverage from SecurityWeek and around the web:
