I don't believe Apple grants third parties access to the kernel in the way MS did here. Worse here was that MS admitted that they do not review and/or certify the updates. That, to me, is a massive failure on Microsoft's front.
Stop blaming Microsoft if you are not informed.

As SYSADMIN you can install 3rd-party software. So it is not Microsoft granting it; it is the owner of the server who trusted a third party (CrowdStrike) to have access to the kernel. So blame the SYSADMIN, not Microsoft.

Microsoft doesn't certify that update because it is not their update.

So please, next time, before posting, get informed.
 
Antivirus? Haven’t heard this word for such a looong long time
I hope you realize that an Enterprise Level security stack is WAY more than just Anti-Virus? It is designed to protect the organization from both external and internal threats.

At minimum a good security stack is going to have:
  • AntiVirus/AntiMalware
  • Phishing protection
  • Data Exfiltration Protection
  • Device compliance evaluation.
  • Network SSL inspection.
Security in the Enterprise is way different than a home user's needs. Not only are the threats bigger, they come from all sources. Security against internal threats is critical. The user that just got a meeting invite to meet with HR needs to be blocked from downloading all the company's customer data. The IT tech that just got passed over for a promotion? He needs to be restricted from accessing certain servers.

And, like it or not, a lot of this is driven by Security, Insurance, and Compliance requirements. If you want CyberInsurance, you MUST implement a heck of a lot of security requirements.
 
Stop blaming Microsoft if you are not informed.

As SYSADMIN you can install 3rd-party software. So it is not Microsoft granting it; it is the owner of the server who trusted a third party (CrowdStrike) to have access to the kernel. So blame the SYSADMIN, not Microsoft.

Microsoft doesn't certify that update because it is not their update.

So please, next time, before posting, get informed.
I think Microsoft definitely needs to be looking at what happened and why their O/S failed. From what I have seen, this appears to have been a definitions update (which is automatic) and not an agent patch (which CS admins can control in their own environment). Crowdstrike and MS will have to work together for the root cause.

For those saying companies should never apply patches without testing first. If this, as I suspect, was a definitions update, then it makes sense that it was silent. XProtect on macOS is the exact same. Those updates are silent as well. (Granted, they should never take the whole system down.)
 
Not sure why people are crapping on Microsoft here. The issue is CrowdStrike. They have Linux and Mac versions of Falcon sensor too. They just happened to screw up the Windows version today and push it to production past everyone's security controls.

This could be Apple or Linux tomorrow.
We were lucky, our windows machines kept running without problem. Only one platform had a problem but it wasn’t a showstopper.

This isn’t a Mac -v- PC thing. It’s fun to do click bait but in this case it’s not relevant.
 
I don't believe Apple grants third parties access to the kernel in the way MS did here. Worse here was that MS admitted that they do not review and/or certify the updates. That, to me, is a massive failure on Microsoft's front.

This is an absolutely amazing time to be a tech lawyer.

Apple doesn't grant or not grant access to the kernel. Most software on both platforms sits in "user land". If 3rd parties can't accomplish their goals in "user land" they have to write device drivers, kernel extensions, etc. More recent MacOS also has "system extensions" which are a bit more sandboxed. I bet Windows has something similar.

Where the two differ is culture and history. It's more commonly accepted that Windows software runs all over the computer changing what it wants, adding device drivers or kernel extensions, etc. On the Mac, the need for this is much less so such system changes require more acknowledgment/approval by the user. Legitimate need is probably most common among Mac Pro users.

Unfortunately this Windows mindset also infects software that gets ported over to the Mac. Software like Microsoft Office and Tableau likes (or, in the case of MS, insists on) installing its auto-updaters and license management services running as a privileged user. Any software running with root privileges has the chance to crash the computer if it wants to. Much less likely if it is in user land, but not impossible. That's why the increasing number of background services running as root, and installers that insist on installing as Admin so they can install their unnecessarily privileged background services, annoys me.
 
For those saying companies should never apply patches without testing first. If this, as I suspect, was a definitions update, then it makes sense that it was silent. XProtect on macOS is the exact same. Those updates are silent as well. (Granted, they should never take the whole system down.)
From what I've read, this is pretty accurate: it was a definition update and not a code update, which would explain why most IT departments would have either let it install immediately or CrowdStrike would have by default been set to update immediately without user intervention.

The way the issue is described, the bad definition caused CrowdStrike to erroneously target an essential system file and block it from being accessed/executing during the boot process. Essentially the computer version of an autoimmune disorder.
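The "autoimmune" failure described above (a content update whose rule matches a file the OS needs at boot) is exactly what a pre-release false-positive gate is meant to catch. The following is an added illustration, not CrowdStrike's or Microsoft's code: the rule format, the protected-file corpus, its contents and the sample rules are all constructed for the example. The idea is to run every candidate rule against a golden set of known-good system files before the update is allowed to leave the build pipeline, and to block promotion if anything in that set fires.

```python
"""Pre-release false-positive gate for a detection-content ("definitions") update.

Added illustration only. The rule schema and the golden corpus below are
constructed; a real gate would run the vendor's own engine over real system
binaries captured from clean OS images.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """A toy detection rule: fires on an exact content hash or a path regex."""
    name: str
    sha256: Optional[str] = None
    path_regex: Optional[str] = None

    def matches(self, path: str, content: bytes) -> bool:
        if self.sha256 and hashlib.sha256(content).hexdigest() == self.sha256:
            return True
        if self.path_regex and re.search(self.path_regex, path):
            return True
        return False


def rule_for_sample(name: str, sample: bytes) -> Rule:
    """Build a hash rule from a (constructed) malicious sample."""
    return Rule(name=name, sha256=hashlib.sha256(sample).hexdigest())


# Constructed golden corpus: files the OS must be able to load during boot.
# Paths are realistic, contents are placeholders standing in for the binaries.
PROTECTED_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\ntoskrnl.exe": b"constructed-kernel-image",
    r"C:\Windows\System32\drivers\disk.sys": b"constructed-disk-driver",
    "/System/Library/Kernels/kernel": b"constructed-mac-kernel",
}


def false_positives(rules: List[Rule],
                    corpus: Dict[str, bytes] = PROTECTED_FILES) -> List[Tuple[str, str]]:
    """Return (rule name, path) for every rule that hits a known-good file."""
    return [(rule.name, path)
            for rule in rules
            for path, content in corpus.items()
            if rule.matches(path, content)]


def release_gate(rules: List[Rule],
                 corpus: Dict[str, bytes] = PROTECTED_FILES) -> bool:
    """True only if no rule in the update matches anything in the golden corpus."""
    return not false_positives(rules, corpus)


if __name__ == "__main__":
    good_update = [rule_for_sample("known_malware", b"constructed-malware")]
    # An over-broad path rule that would also match a boot-critical driver.
    bad_update = good_update + [Rule("overbroad_driver_rule",
                                     path_regex=r"drivers\\.*\.sys$")]
    print("good update passes gate:", release_gate(good_update))
    print("bad update passes gate: ", release_gate(bad_update))
    print("hits:", false_positives(bad_update))
```

The gate is deliberately conservative: a single hit on the protected corpus blocks the whole content package, because the cost of one false positive on a boot-critical file is a machine that never comes back, whereas the cost of holding the update is a delayed signature.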
 
As a software engineer who has been through many releases, some better than others, I can imagine the chaos going on behind the scenes. Of course I feel for all those impacted too.

why flaws in software like this happen? is it just human error or carelessness?

security software fail is catastrophic, imagine a bank system or an army security system
 
The fault of Microsoft is they allow for third party access to their kernel while Apple will never allow any root access (not if the EU has a say). CrowdStrike released an update; Windows, for its silly coding, somehow rejected it and caused endless looping. Meanwhile Mac received the same update and yet it is perfectly fine.

Still not a Microsoft fault?
 
The fault of Microsoft is they allow for third party access to their kernel while Apple will never allow any root access (not if the EU has a say). CrowdStrike released an update; Windows, for its silly coding, somehow rejected it and caused endless looping. Meanwhile Mac received the same update and yet it is perfectly fine.

Still not a Microsoft fault?
You have no clue. The update of the threat definitions erroneously marked a valid Windows system file, thus affecting Windows. If it was a system macOS file this problem would have happened to Macs but not PCs.
 
The fault of Microsoft is they allow for third party access to their kernel while Apple will never allow any root access (not if the EU has a say). CrowdStrike released an update; Windows, for its silly coding, somehow rejected it and caused endless looping. Meanwhile Mac received the same update and yet it is perfectly fine.

Still not a Microsoft fault?

That's false. On the Mac, anyone can access root on their own system pretty easily. Plus Mac apps that require their Installer to run as an Admin user can install Launchthingies that run with privilege.

This is not good practice and I am always suspicious of Apps that claim they require this privilege.

This is besides the 100+ "services" that MacOS runs as root during normal operation.

Also note not only has Apple always allowed root access, it has previously allowed kernel extensions (kext). These are now more strongly discouraged via more hoops for the user/installer to jump through to enable them. In exchange they make it easier to add "system extensions". However, don't assume a foobar system extension won't foobar your system. Just less likely.

By the way, nothing to do with the EU. The EU is not going to regulate MacOS anytime soon. Windows however...
 
From what I've read, this is pretty accurate: it was a definition update and not a code update, which would explain why most IT departments would have either let it install immediately or CrowdStrike would have by default been set to update immediately without user intervention.

The way the issue is described, the bad definition caused CrowdStrike to erroneously target an essential system file and block it from being accessed/executing during the boot process. Essentially the computer version of an autoimmune disorder.

Thanks that's the first explanation that has made sense. Do you know for sure if this only impacted Windows 10 systems or both Windows 10 and 11?
 
This only affected machines that were powered up when they pushed stuff out. They fixed it quickly but this was enough to destroy a ton of servers across the planet.

Have been up since 5AM….
I will let you in on a secret. Since 2020 Microsoft has been (re-)pushing a feature called modern sleep, which means the computer does not sleep, and stays connected to WiFi with the CPU in the lowest frequency active state. This time, they strong-armed the OEMs to not only make modern sleep the default but also to remove S3 entirely from system firmware. So when people just close the lid or leave their workstation at the end of the work day, their computers are still active, running stuff periodically, and potentially bricking themselves over the night.

Let's also not forget it was day time in other parts of the world. People were actively working on their computers when this happened.
 
None of this is the fault of auto-anything or let all access to Windows. Somebody (as in a person) pushed out something that bypassed update policies designed so companies always run behind the newest version. Someone, somewhere is going to get fired.

The current solution is to boot into safe mode and delete a file in System32, which has to be done for every single PC and server blade. It's going to take weeks to fix. CrowdStrike's stock is going to tank.

Let’s not pretend the almighty Apple are immune to this sort of shenanigans. It’s not on the same scale but that photomancy update in 17.5 put the fear into a lot of people.

Macs are just as vulnerable as Windows machines when it comes to this. As a user you have access to all sorts of parts of the system. Only yesterday I had to boot into recovery and use the Terminal to write a new URL to the VRAM so it would pick up the right High Sierra download. If you don't know what you're doing you can screw up all sorts of things.
 
Stop blaming Microsoft if you are not informed.

As SYSADMIN you can install 3rd-party software. So it is not Microsoft granting it; it is the owner of the server who trusted a third party (CrowdStrike) to have access to the kernel. So blame the SYSADMIN, not Microsoft.

Microsoft doesn't certify that update because it is not their update.

So please, next time, before posting, get informed.

Not a hill I'm ready to die on because I don't like those arguments myself. But I can understand what they are saying - the OS can gatekeep developers from doing crazy things with the kernel if they wanted.

For example, on iOS, you're not allowed to inject kernel drivers into the OS however hard you try. It limits the possibilities of the software and thus the usefulness, but also the possible impact of something like this happening.

For MacOS, kernel extensions (kexts) used to be a similar thing to Windows kernel drivers. But MacOS has phased them out in favor of system extensions, which are more sandboxed. This makes MacOS more useful than iOS but less risky than Windows.

In other words, on iOS and MacOS, the developer cannot cause the OS to crash or bootloop even if they wanted. But on Windows they can. And it is entirely in Microsoft's hands should they come out with a new OS that would not allow kernel drivers to be installed at all.

The problem with blaming Microsoft is that it assumes taking the MacOS approach has zero cost. In MacOS's push for system extensions (and similarly for OpenGL decom, 32bit decom, ARM transition), Apple's attitude has always been my way or the highway, because presumably software developers should rewrite their software from the ground up if they care about high value Apple users. Microsoft's attitude has been more of "if it worked 30 years ago it should keep working now". Taking Apple's approach would have business costs for Microsoft.
 
it’s actually insane how much the world relies on Microsoft. some people will take a cheap kick at them (“buy a Mac” “apple for the win”) but Apple stands no chance of ever coming close to Microsoft’s dominance. Entire countries would grind to a halt without them. This is just a taster of what could happen

I know for a fact my work would never switch to Mac. They are using the bare minimum specs to run Windows 10. So yeah we aren’t about to buy Macs for everyone lmao. Also, it would be such a headache. People freak out at the slightest change so switching to a completely different OS sounds like a nightmare. I’m dreading the day when we move to Windows 11 (I actually like W11 and use it as my main OS).

My PC at work was fine today thankfully! Glad it’s the weekend so hopefully no issues on Monday.
“Switching” to anything is the problem. Don’t run every person on the same platform.

Split them across android, iOS, macOS, Linux and windows and build cross platform apps.

This could have happened to Apple with as well if they had a poor release QA process or that process was somehow shortcut one time.

This is a windows application problem but it could have happened on any platform.
 
Meanwhile...
[Attachment: meanwhile-in-cupertino-tim-cook-laughing.jpeg]
Who would know that CrowdStrike, a "leading cyber security" company, is responsible for the biggest "cyber incident" of 2024.

You cannot make this **** up.
Give them some credit… no malware today on machines with boot issues.

More annoyed with Azure VMs being a real pain to boot in to safe mode to delete the affected file.
 
Ok, I haven't read all 17 pages of this, so it may have been mentioned before, but...

This was caused by a global, simultaneous rollout of an update that wasn't tested properly (but that's a different problem).
Both Apple and Ubuntu (and I don't know about other organisations) have staged rollouts. If anything bad happens, only part of the digital ecosystem is affected.

It will be up to others to determine --
  1. What happened with the pre-rollout testing.
  2. Why it wasn't pushed out in a staged manner (New Zealand first, then Australia, then Canada, Britain, Europe, Africa, Asia, and finally the US).
Yes, it was a dinky, little change, but dinky little faults can have major consequences. Even a 1 sq. inch bald spot on your tire can cause you to spin out and hit a tree.
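The staged-rollout idea in the post above, with rings promoted only after the previous ring stays healthy, is easy to simulate. The following is an added illustration and not code from CrowdStrike, Apple or Ubuntu; the ring order follows the regional sequence the post suggests, and the fleet sizes and per-host update outcomes are constructed. Promotion halts at the first ring whose failure rate exceeds a threshold, so a bad content package can only ever reach the first (smallest) ring.

```python
"""Ring-based staged rollout with a health gate between rings.

Added illustration only. Ring order, fleet sizes and the `apply` callbacks
used in __main__ are constructed; a real deployment system would gate on
telemetry (hosts checking back in after the update) rather than a return value.
"""
from typing import Callable, Dict, List, Optional

# Promotion order: smallest/earliest cohort first, largest last
# (the sequence proposed in the post, used here as ring names).
RINGS: List[str] = ["new_zealand", "australia", "canada", "uk",
                    "europe", "africa", "asia", "us"]


def build_fleet(sizes: Dict[str, int]) -> Dict[str, List[str]]:
    """Constructed fleet: hostnames per ring, e.g. {'uk': ['uk-00', 'uk-01']}."""
    return {ring: [f"{ring}-{i:02d}" for i in range(n)] for ring, n in sizes.items()}


def staged_rollout(fleet: Dict[str, List[str]],
                   apply: Callable[[str], bool],
                   max_failure_rate: float = 0.01) -> dict:
    """Apply an update ring by ring, stopping at the first unhealthy ring.

    `apply(host)` returns True if the host took the update and stayed healthy,
    False if it failed (for example, did not come back after reboot). If a
    ring's failure rate exceeds `max_failure_rate`, no later ring is touched.
    """
    updated: List[str] = []
    failed: List[str] = []
    completed: List[str] = []
    halted_at: Optional[str] = None
    for ring in RINGS:
        hosts = fleet.get(ring, [])
        results = {host: apply(host) for host in hosts}
        ring_failed = [h for h, ok in results.items() if not ok]
        updated.extend(h for h, ok in results.items() if ok)
        failed.extend(ring_failed)
        if hosts and len(ring_failed) / len(hosts) > max_failure_rate:
            halted_at = ring          # health gate tripped: stop promoting
            break
        completed.append(ring)
    total = sum(len(h) for h in fleet.values())
    return {
        "completed_rings": completed,
        "updated": updated,
        "failed": failed,
        "halted_at": halted_at,
        "untouched": total - len(updated) - len(failed),  # hosts never reached
    }


if __name__ == "__main__":
    fleet = build_fleet({"new_zealand": 2, "australia": 5, "canada": 10, "uk": 20,
                         "europe": 40, "africa": 10, "asia": 50, "us": 100})
    # Constructed outcomes: a healthy update, and one that breaks every host it reaches.
    print("good:", staged_rollout(fleet, lambda h: True)["halted_at"])
    bad = staged_rollout(fleet, lambda h: False)
    print("bad halted at", bad["halted_at"], "after", len(bad["failed"]),
          "hosts;", bad["untouched"], "hosts never received it")
```

With a global simultaneous push, the second scenario would have reached all 237 constructed hosts; with the ring gate it stops after the two hosts in the first ring. The threshold matters too: one broken host in a ten-host ring is a 10% failure rate and correctly trips a 1% gate, which is why the early rings should be small enough to finish quickly but large enough that a real fault shows up in them.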
 