Exactly how are third party drivers on Linux and macOS handled "totally different to Windows?" This isn't your run-of-the-mill device driver, this is a security program that inserts itself into the boot process and requires the lowest-of-low level OS access in order to function properly. If you're saying that Linux and macOS do not provide that access to the software, then you're also saying that the software cannot provide the same level of security protection on Linux or macOS as it can on Windows. Considering how relatively unlikely an event like this is (unlikely, but not impossible, obviously), and how much more likely security attacks are, this doesn't actually make macOS or Linux the better solution that you think it does.


If those end-user machines were using 100% cloud-based services, there would not be the kind of outages that you see today, because you are right - it would have been very quick to swap out computers and have users log in and continue with their work (whether they were using macOS or Windows or any other system). The fact that this is such a widespread issue keeping so many users down should tell you that, no, most end-users are not using 100% cloud-based software.

If this was an outage only affecting users whose computing requirements were so simple that they could use a MacBook Air, this wouldn't have been a newsworthy incident in the first place.
I believe with APFS the kernel and core parts of the OS are in an isolated partition that is snapshot and locked down. Been a while since I read the change as it was when APFS was first introduced.

And that is the problem. If something like a third party app is required to ensure the health of Windows' kernel is secure, that is a problem with the design.
 
This. All of you saying "it's not Microsoft's fault!" are missing the point entirely.

If Windows allows kernel access to 3rd party apps that have the ability to shut down your entire system with a single automated update, that's on Microsoft. Period. Full stop.

Others have mentioned that Crowdstrike works on Macs too; but can Crowdstrike access the core of the Mac OS in this same way? I can't ever remember a 3rd party app that brought down my entire Mac.

...and for those of you saying that the DMA and the EU can't have this effect...this is at the heart of why I oppose the DMA. The EU is putting their fingers into the core of OS operations.
Guess what? That’s how it works on Linux too!! Do you think AV in Linux/OSX doesn’t attach to the kernel? And AV software has to update daily or it’s quite pointless. If tomorrow Trend Micro, Palo Alto, Rapid7, etc puts out a bad patch and kernel panics systems what are you going to say? It’s just as likely.
 
Are you saying companies should write their own security software? This is the worst take I have ever heard. If you don’t understand technology sit this one out. No company is writing their own OS, web engines, security software, etc. There are many pieces of software that are used across thousands of companies. They aren’t “cheap” either.
They do not write their own software (not more than I write mine) but they are in charge of verifying before accepting an update. They must understand what they are doing. And we are not speaking of a small company or a start-up, we are speaking of mega corporations with lots of admin people for lots of reasons (fiscal, legal ...), they can pay for good IT people who understand their business and control it.
 
Troubleshooting steps

1. Shut down your PC
2. Get a mac.
This is the normal reaction of people here in the forum, who first post and then - maybe - start thinking.
People, who can choose between windows and mac, are usually not customers of crowdstrike.
Apple doesn't produce server software. There is the choice between Windows and Linux and you can get both from Microsoft.
There is no reason to believe that other OSes are safe from such glitches by 3rd parties. As well that is poor luck that US companies are less affected, because when business started there, the problem was already solved.
 
Eh, no. The issue is Windows being a giant piece of ****. And it always has been. Had the same issue been deployed on a Mac, it would have isolated the problem to the program, not BSOD the entire machine.

They could have implemented it the same way on NT but they didn’t because Microsoft lets you load drivers on a signed system.

Of course the moment Microsoft stops people doing that they get crapped on entirely forgetting that macOS already does that.

And I still have to use windows because the software I need doesn’t work on macOS and I can’t afford a Mac with 256GB of RAM…
 
I worked in IT for over 60 years. Managed Win* clients and servers, networks, 'ix, Solaris, SunOS, ....
Systems and networks have become much more complex. Hackers have much better tools.
So defensive mechanisms have to keep up.

What I don't understand is why this wasn't discovered by CS during testing before deployment.
Exactly. I could have some sympathy for some singular alternative configuration. Or actually not as this level of software should cover that off as well. But causing an outage through a bad configuration being deployed like this on a global scale is unforgivable. One doesn’t need to know the ins and outs to realise they clearly did not have the correct controls in place in that organisation. For a company like that, that is just insane.
 
This is the normal reaction of people here in the forum, who first post and then - maybe - start thinking.
People, who can choose between windows and mac, are usually not customers of crowdstrike.
Apple doesn't produce server software. There is the choice between Windows and Linux and you can get both from Microsoft.
There is no reason to believe that other OSes are safe from such glitches by 3rd parties. As well that is poor luck that US companies are less affected, because when business started there, the problem was already solved.
Chillax, there is no reason to not find it hilarious and funny... No one who comes here is a world leader, this is just for fun...

As well that is poor luck that US companies are less affected, because when business started there, the problem was already solved.

Eh not so fast sparky, there is a huge backlash because of this... a lot of people all over the world not just US based are still mitigating this...

Heads will roll. Everyone get your checkbooks ready...
 
Microsoft deserves a little bit of crap for having a system that cannot even boot in the situation of trying to load a buggy driver - it should be smart enough to isolate and not load a driver that is causing problems. If it could at least revert to some bootable state with network access, then the systems would be fixable remotely or automatically.

Actually they do. But Crowdstrike injects itself into UEFI and reloads itself completely bypassing that.
 
by following crowdstrike failure on linux I read this recommendation

"Make sure you're running in user mode (eBPF) instead of kernel mode (kernel module), since it has less ability to crash the kernel. This became the default in the latest versions and they say it now offers equivalent protection."

Such kind of user-land infrastructure is exactly what MS needs to provide on windows ....

eBPF does exist on windows. Crowdstrike don’t do it because they hook NT API. Also DTrace exists on windows as well.

 
Eh, no. The issue is Windows being a giant piece of ****. And it always has been. Had the same issue been deployed on a Mac, it would have isolated the problem to the program, not BSOD the entire machine.
As much as I would like to blame the big ol'windblows, it really wasn't the OS's fault. Root Cause was an update that came from Crowdstrike, it tickled windows funny and things broke.

What I want to know is how an update like this broke down windows. Must be something in their ERP detection rules or something to that nature.
 
They do not write their own software (not more than I write mine) but they are in charge of verifying before accepting an update. They must understand what they are doing. And we are not speaking of a small company or a start-up, we are speaking of mega corporations with lots of admin people for lots of reasons (fiscal, legal ...), they can pay for good IT people who understand their business and control it.
It is, was recommended practice to not do that for this. In a good configuration you should take at least every four hours security updates. This is classic risk management, typically the risk of not taking such security updates is greater than the risk of not testing it yourself. But, and these events are very rare, in this event for this company it wasn’t. I don’t think the risk profile materially changes. I would likely temporarily raise it, and demand more clarity and evidence from the companies involved as opposed to relying on their credentials.

This will not only have consequences for Crowdstrike but also of those independent auditors and accreditations firms checking their processes.

It should be one of those rare existential risks on their corporate register that unfortunately happened.
 
As much as I would like to blame the big ol'windblows, it really wasn't the OS's fault. Root Cause was an update that came from Crowdstrike, it tickled windows funny and things broke.

What I want to know is how an update like this broke down windows. Must be something in their ERP detection rules or something to that nature.

It’s the thing that parses the rules apparently which runs in kernel. It was a badly formatted ruleset that triggered the problem. It pissed all over RAM and annoyed the MMU forcing a trap/BSOD.

End game is crap code running in privileged kernel space receiving god knows what from god knows who which takes your node out. Sounds like malware, no?
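The post above describes a kernel-resident parser being fed a badly formatted ruleset. As an added illustration (not code from this thread, from CrowdStrike, or in CrowdStrike's real file format), here is how a rule loader running in privileged space should treat such content: a constructed toy blob format, every declared length checked against the bytes actually present, and a fail-closed error code instead of an out-of-bounds read.

```c
/* Constructed toy "content update" format (hypothetical, not a real product's):
 *   header: magic (1 byte), version (1 byte), rule_count (2 bytes, little-endian)
 *   rules:  rule_count entries of 4 bytes each: action, offset, length, mask
 * The declared rule_count is untrusted input and must be backed by real bytes. */
#include <stddef.h>
#include <stdint.h>

enum rs_status { RS_OK = 0, RS_ERR_TOO_SHORT, RS_ERR_BAD_MAGIC,
                 RS_ERR_BAD_VERSION, RS_ERR_TRUNCATED, RS_ERR_BAD_RULE };

#define RS_MAGIC     0x52u  /* 'R' */
#define RS_VERSION   1u
#define RS_HDR_LEN   4u
#define RS_RULE_LEN  4u
#define RS_MAX_RULES 64u    /* hard cap so a hostile count cannot exhaust memory */
#define RS_WINDOW    64u    /* rules may only inspect a 64-byte window */

struct rule { uint8_t action, offset, length, mask; };
struct ruleset { size_t count; struct rule rules[RS_MAX_RULES]; };

/* Parse blob[0..len) into *out. Returns RS_OK only when every field validated;
 * on any error *out is left unused and the caller keeps its previous ruleset. */
enum rs_status parse_ruleset(const uint8_t *blob, size_t len, struct ruleset *out)
{
    if (blob == NULL || out == NULL || len < RS_HDR_LEN)
        return RS_ERR_TOO_SHORT;           /* never read a header that isn't there */
    if (blob[0] != RS_MAGIC)
        return RS_ERR_BAD_MAGIC;
    if (blob[1] != RS_VERSION)
        return RS_ERR_BAD_VERSION;         /* unknown layout: refuse, don't guess */
    size_t count = (size_t)blob[2] | ((size_t)blob[3] << 8);
    if (count > RS_MAX_RULES)
        return RS_ERR_TRUNCATED;
    /* The core check: the advertised count must fit in the remaining buffer. */
    if (len - RS_HDR_LEN < count * RS_RULE_LEN)
        return RS_ERR_TRUNCATED;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *r = blob + RS_HDR_LEN + i * RS_RULE_LEN;
        /* action: 0 = allow, 1 = block; offset+length must stay inside the window */
        if (r[0] > 1 || (unsigned)r[1] + r[2] > RS_WINDOW)
            return RS_ERR_BAD_RULE;        /* semantic bounds, not just byte bounds */
        out->rules[i] = (struct rule){ r[0], r[1], r[2], r[3] };
    }
    out->count = count;
    return RS_OK;
}
```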
 
They do not write their own software (not more than I write mine) but they are in charge of verifying before accepting an update. They must understand what they are doing. And we are not speaking of a small company or a start-up, we are speaking of mega corporations with lots of admin people for lots of reasons (fiscal, legal ...), they can pay for good IT people who understand their business and control it.
Ok once again this wasn’t a windows update it was a security definition update. So when the next zero day comes out how long should a company stay vulnerable to said zero day before they patch? If they run patches in dev once a week then patch prod the following week and get compromised in that timeframe what will you say then?
 
I think the Internet should go down for a few days at a time, randomly. This way people will stop relying on it so much and instead go outside and enjoy fresh air, blue sky and actually using their brains. We rely way too much on technology these days. How many years did humans survive just fine on this planet before computers came along?
 
I bet the maker of the WannaCry virus is doing the 'We're not worthy' move from Wayne's World to the person responsible for causing this global screw up.

This will have government security agencies around the world in a panic due to how a simple error/mistake or a file/program code caused a global shutdown of banks, other financial industries, education establishments, retail, transportation, air traffic control and many others.

This global issue will also get governments asking the maker of the software how such an error got through the company's checking systems, because if it can happen once it can most certainly happen again.
 
I think the Internet should go down for a few days at a time, randomly. This way people will stop relying on it so much and instead go outside and enjoy fresh air, blue sky and actually using their brains. We rely way too much on technology these days. How many years did humans survive just fine on this planet before computers came along?
You're not entirely wrong about humanity needing to go outside every few days...

The problem now comes from the fact that nearly every single aspect of our daily lives is so dependent upon the internet. For example, I'm tracking a few dozen wildfires in Oregon to see if they're going to be a problem for my neck of the woods. Without the internet, I wouldn't be able to stay on top of potentially life-threatening issues such as wildfires unless I was right in the middle of them.

But, if we're speaking philosophically, humanity returning to nature and removing the shackles of computers would be great for everyone since eventually all of us are going to take a dirt nap at one point or another so why worry about what computer systems the entire planet uses. Everything has an expiration date so yeah, go outside while you can.
 
The Windowspocalypse... The End of Crowdstrike...

macOS and Linux rejoice!

Tim Cook has to be ear to ear grinning.
Back a few years there was a similar example of a large company's CIO who lost his job, because he deployed the latest MS patches which were not compatible with the company's cybersecurity software used. Every windows PC on their intranet including some servers crashed and blue screened. The pairing of regular updates for windows and cybersecurity is not always timed well enough to allow IT staff to pre-test deployments. Today's example will likely see a lot of IT people cursing both MS and Crowdstrike.

There is another scenario that also happens when users are working on windows desktop/laptops later at night where they notice their PCs are running slow and reboot without thinking as a server pushed patch is being installed, rendering their computers non bootable afterwards.

Yes Macs or Linux usually don't see the same IT situations.
 
Guess what? That’s how it works on Linux too!! Do you think AV in Linux/OSX doesn’t attach to the kernel? And AV software has to update daily or it’s quite pointless. If tomorrow Trend Micro, Palo Alto, Rapid7, etc puts out a bad patch and kernel panics systems what are you going to say? It’s just as likely.
Then I'd hold Apple responsible for creating a system that can be bricked by a random update from a 3rd Party.

I'm not entirely understanding the "Microsoft did nothing wrong!" meme. The global computing system just experienced a huge service outage and you all want to pretend the system that allowed it to happen can do nothing about it? That if tomorrow another company puts rogue code into a software update this happens all over again?

Microsoft bears more responsibility for this than Crowdstrike, IMO. Just as I'd say Apple bears more responsibility in a similar situation. (and why I detest the EU et al putting their fingers into OS development).
 
All our computers were down this morning and we had to write customer orders on paper slips. People were turned away because we could only take cash.
What a mess. The delete file fix came later when I was leaving.
I can see how hackers will exploit this saying to fix it replace this file with this new one giving them root access.
We were given server access with the password sent via email. Now they will have to change all the passwords. Ugho_O
 
As much as I would like to blame the big ol'windblows, it really wasn't the OS's fault. Root Cause was an update that came from Crowdstrike, it tickled windows funny and things broke.

What I want to know is how an update like this broke down windows. Must be something in their ERP detection rules or something to that nature.
Nonsense. A third party app update on a Mac is not going to cripple the machine and prevent it from booting. It is a Windows problem.
 