People are pointing out this should not take down the entire OS. There should be a protected mode to fall back to, to self-correct. And don't you find this a bit of an issue? I assume you probably have dozens of applications installed, maybe even an antivirus yourself. All it takes is one bad pointer and it's game over?

I mean Windows can recover from some GPU driver crashes without BSOD, why can't it recover from something like this?
To put it as simply as possible, software like this should have the lowest possible level of access to the system, and thus be granted the highest level of access. If it doesn't do that, then it wouldn't be able to recognise and disable a rogue GPU driver, for example.
 
People are pointing out this should not take down the entire OS. There should be a protected mode to fall back to, to self-correct. And don't you find this a bit of an issue? I assume you probably have dozens of applications installed, maybe even an antivirus yourself. All it takes is one bad pointer and it's game over?

I mean Windows can recover from some GPU driver crashes without BSOD, why can't it recover from something like this?
Of course it is an issue. Clearly it is an issue. The problem is, the mitigation of such an issue is not quite as simple as many of you seem to think it is. If you had been reading the comments here and understood how fully secure machines are generally configured, you'd already have your answer.

In normal circumstances, Windows absolutely can recover from a failure like this. The problem is that allowing it to do so introduces a security risk that software like Crowdstrike is meant to mitigate. The recovery mode is normally disabled on critical systems that use Crowdstrike or other system-level endpoint protection software because that recovery mode also provides a means to bypass that software upon boot-up. The risk of a bad actor trying to bypass the software altogether is much higher than the risk of a bug in the software causing a widespread outage (though, as we've seen, the risk of the latter is far from zero, unfortunately).
 
Of course it is an issue. Clearly it is an issue. The problem is, the mitigation of such an issue is not quite as simple as many of you seem to think it is. If you had been reading the comments here and understood how fully secure machines are generally configured, you'd already have your answer.

In normal circumstances, Windows absolutely can recover from a failure like this. The problem is that allowing it to do so introduces a security risk that software like Crowdstrike is meant to mitigate. The recovery mode is normally disabled on critical systems that use Crowdstrike or other system-level endpoint protection software because that recovery mode also provides a means to bypass that software upon boot-up. The risk of a bad actor trying to bypass the software altogether is much higher than the risk of a bug in the software causing a widespread outage (though, as we've seen, the risk of the latter is far from zero, unfortunately).
That is purely the issue. Requiring software like Crowdstrike to protect against the very thing it caused is the root of the issue. That should be up to the operating system to protect its most important aspect. Things should be locked down where software like this doesn't need to run at the lowest of low levels. That is the problem. Windows should get with the times and come up with a better security measure than relying on a third party to protect the kernel.

And we are not saying it is easy, but how big of a company is Microsoft? How big is Windows? How many engineers do they have?
 
The risk of a bad actor trying to bypass the software altogether is much higher than the risk of a bug in the software causing a widespread outage
Umm, I really don't know anything about MS operating systems, but I'm pretty sure the "bad actor" trying to get into my machine would have to be sitting in front of it. That is, to bypass whatever antivirus software I had... which I don't have.
 
Ok, I haven't read all 17 pages of this, so it may have been mentioned before, but...

This was caused by a global, simultaneous rollout of an update that wasn't tested properly (but that's a different problem).
Both Apple and Ubuntu (and I don't know about other organisations) have staged rollouts. If anything bad happens, only part of the digital ecosystem is affected.

It will be up to others to determine --
  1. What happened with the pre-rollout testing.
  2. Why it wasn't pushed out in a staged manner (New Zealand first, then Australia, then Canada, Britain, Europe, Africa, Asia, and finally the US).
Yes, it was a dinky little change, but dinky little faults can have major consequences. Even a 1 sq. inch bald spot on your tire can cause you to spin out and hit a tree.

One of Crowdstrike's (and ALL the OTHERS, TOO) selling points is immediate response, across the widest possible swath of the internet, to the rapidly changing threatscape. It sounds like Crowdstrike's developers got a tad complacent, failed due diligence.

Crowdstrike is a complex beast, and among its features is an option to TEST code and implementation policy rollouts on your own lab rats, before rolling out to Production. Crowdstrike even offers free lab CIDs (Customer ID - their term for tenant-owned units).

I segregate lab rats in a CID, where we test all updates, no matter the vendor's reputation, or how urgent the update may seem. It takes very little time to get through a basic test plan. Then, if one of 'em suddenly grows a human ear out of its back, we have a minute to reconsider that rollout, no harm done.

For this week's raging DOS event, there's plenty of blame to share around. There are stages of responsibility that should not be denied out of defensiveness, guilt or possibly relief, in the OCIO's office.

Windows is a choice, albeit a sensible one.

Crowdstrike is a choice, albeit a sensible one.

IT Admin process is a choice, albeit tending to break down under budgetary pressure.

Customers who don't do due diligence get da doo-doo dropped.

People are pointing out this should not take down the entire OS. There should be a protected mode to fall back to, to self-correct. And don't you find this a bit of an issue? I assume you probably have dozens of applications installed, maybe even an antivirus yourself. All it takes is one bad pointer and it's game over?

I mean Windows can recover from some GPU driver crashes without BSOD, why can't it recover from something like this?

For Windows servers, there are recovery modes, typically manually invoked. @Ethosik is generally describing "System Integrity Protection", which would not interdict legit admin overrides during installations. Generally, one doesn't want auto-rollback, which might merely add one more problem to a troubleshooting cycle. In fact, auto-rollback introduces another potential attack surface.

Recovery and rollback scenarios are better served by Netboot or PXE boot, or by secondary bootable ISO images from which to implement scripted repairs from the known-good OS. This can be fiendishly complex to build and maintain. Unfortunately, such COOP (continuity of operations) or DR (disaster recovery) plans are defunded due to budget pressure.

Contempt for Microsoft is real in IT service management, even as it provides job security. Essentially, in terms of finance and sustainability, we all know the only thing worse, overall, than Windows, overall, is everything else, overall. In fact, Microsoft themselves have caused far more Windows DOS events than any other vendor.

In the blink of an eye, it might have been unix/linux. THAT would be the epic perfect **** storm, as the world's genuine, serious, heavy lifting is not done on Windows.
 
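The staged rollout the post above argues for (lab rats first, then a small canary group, then one region at a time, with the rollout halting as soon as a ring shows trouble) can be written down as a small health-gated ring promoter. The following is an added illustration, not code from CrowdStrike, Apple, Ubuntu or anyone in this thread; the ring names, host counts, crash threshold and the three update behaviours are all constructed so the script runs offline and can be compared against a push-to-everyone-at-once strategy.

```python
"""Staged (ring-based) rollout with a health gate between rings.

Added illustration, not vendor code: the fleet, ring sizes, region names and
the update behaviours below are all constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# A health check takes a host name and returns True if the host is still
# healthy (boots, reports in) after the update was applied to it.
HealthCheck = Callable[[str], bool]


@dataclass(frozen=True)
class Ring:
    """A group of hosts that receives the update together."""
    name: str
    hosts: tuple


@dataclass
class RolloutReport:
    updated: list = field(default_factory=list)      # hosts that received the update
    crash_rates: dict = field(default_factory=dict)  # observed crash rate per ring that ran
    halted_at: Optional[str] = None                  # ring at which promotion stopped


def build_fleet():
    """Constructed fleet: lab and canary rings first, then regional waves."""
    return [
        Ring("lab", tuple(f"lab-{i:02d}" for i in range(3))),
        Ring("canary", tuple(f"canary-{i:02d}" for i in range(20))),
        Ring("wave-nz", tuple(f"nz-{i:03d}" for i in range(50))),
        Ring("wave-au", tuple(f"au-{i:03d}" for i in range(100))),
        Ring("wave-us", tuple(f"us-{i:04d}" for i in range(1000))),
    ]


def staged_rollout(rings, apply_update: HealthCheck, max_crash_rate=0.01):
    """Promote the update ring by ring; stop at the first ring whose crash rate
    exceeds max_crash_rate, so later rings never receive a bad update."""
    report = RolloutReport()
    for ring in rings:
        crashed = sum(1 for host in ring.hosts if not apply_update(host))
        report.updated.extend(ring.hosts)
        rate = crashed / len(ring.hosts)
        report.crash_rates[ring.name] = rate
        if rate > max_crash_rate:
            report.halted_at = ring.name
            break
    return report


def simultaneous_rollout(rings, apply_update: HealthCheck):
    """The contrasting strategy: push to every host at once.
    Returns (crashed hosts, total hosts)."""
    hosts = [h for ring in rings for h in ring.hosts]
    crashed = sum(1 for host in hosts if not apply_update(host))
    return crashed, len(hosts)


# Constructed update behaviours used to exercise the two strategies.
def good_update(host):
    return True


def bad_update(host):
    # Every host fails its health check (e.g. a boot loop) after the update.
    return False


def rare_fault_update(host):
    # Constructed: the fault appears only on one host pattern (index 37 of
    # every 50), so it can slip past the small rings and surface in a larger one.
    index = int(host.split("-")[1])
    return index % 50 != 37


if __name__ == "__main__":
    fleet = build_fleet()
    for label, update in [("good", good_update), ("bad", bad_update),
                          ("rare fault", rare_fault_update)]:
        r = staged_rollout(fleet, update)
        print(f"staged/{label}: updated {len(r.updated)} hosts, "
              f"halted at {r.halted_at}, rates {r.crash_rates}")
        crashed, total = simultaneous_rollout(fleet, update)
        print(f"simultaneous/{label}: {crashed} of {total} hosts crashed")
```

Two things the run makes visible. A fault that hits every host is caught in the three-host lab ring and never reaches the 1,170 other hosts, whereas the simultaneous push takes all 1,173 down. A rare fault, on the other hand, sails through the lab and canary rings and is only caught in the first regional wave, which is the argument for keeping the early regional waves small rather than trusting a tiny lab group alone.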
One of Crowdstrike's (and ALL the OTHERS, TOO) selling points is immediate response, across the widest possible swath of the internet, to the rapidly changing threatscape. It sounds like Crowdstrike's developers got a tad complacent, failed due diligence.

Crowdstrike is a complex beast, and among its features is an option to TEST code and implementation policy rollouts on your own lab rats, before rolling out to Production. Crowdstrike even offers free lab CIDs (Customer ID - their term for tenant-owned units).

I segregate lab rats in a CID, where we test all updates, no matter the vendor's reputation, or how urgent the update may seem. It takes very little time to get through a basic test plan. Then, if one of 'em suddenly grows a human ear out of its back, we have a minute to reconsider that rollout, no harm done.

For this week's raging DOS event, there's plenty of blame to share around. There are stages of responsibility that should not be denied out of defensiveness, guilt or possibly relief, in the OCIO's office.

Windows is a choice, albeit a sensible one.

Crowdstrike is a choice, albeit a sensible one.

IT Admin process is a choice, albeit tending to break down under budgetary pressure.

Customers who don't do due diligence get da doo-doo dropped.
For Windows servers, there are recovery modes, typically manually invoked. @Ethosik is generally describing "System Integrity Protection", which would not interdict legit admin overrides during installations. Generally, one doesn't want auto-rollback, which might merely add one more problem to a troubleshooting cycle. In fact, auto-rollback introduces another potential attack surface.

Recovery and rollback scenarios are better served by Netboot or PXE boot, to implement scripted repairs from a known-good OS. This can be fiendishly complex to build and maintain. Unfortunately, such COOP (continuity of operations) or DR (disaster recovery) plans are defunded due to budget pressure.

Contempt for Microsoft is real in IT service management, even as it provides job security. Essentially, in terms of finance and sustainability, we all know the only thing worse, overall, than Windows, overall, is everything else, overall. In fact, Microsoft themselves have caused far more Windows DOS events than any other vendor.

In the blink of an eye, it might have been unix/linux. THAT would be the epic perfect **** storm, as the world's genuine, serious, heavy lifting is not done on Windows.
But most "customers" didn't even know what CrowdStrike was before this event... the end users at supermarkets who couldn't buy food, the travellers stranded at airports. End customers of a service provided by a second or third party further up the IT channel.

Are we all meant to ask what IT systems our service providers use and decide whether we accept the risks?

Most people don't even see that the emails you get from supermarkets telling you what Specials you might be interested in this week are only there because they keep track of everything you buy when you scan your rewards/loyalty card before paying.

When it works seamlessly, everyone's happy, or ignorant at least.
 
Stop giving and making excuses. It was a bad fail for CrowdStrike, Microsoft, and the whole IT sector for overrelying on them.
 
That is purely the issue. Requiring software like Crowdstrike to protect against the very thing it caused is the root of the issue. That should be up to the operating system to protect its most important aspect. Things should be locked down where software like this doesn't need to run at the lowest of low levels. That is the problem. Windows should get with the times and come up with a better security measure than relying on a third party to protect the kernel.

And we are not saying it is easy, but how big of a company is Microsoft? How big is Windows? How many engineers do they have?
Yes, and no. Microsoft has similar solutions, albeit arguably not as good as the best labs in the world. With enterprise IT and cybersecurity, this is not a singleton standalone product. It is part of a suite of measures and controls which bring management and monitoring challenges with them as well. It is a good thing that this is not single-vendor dependent and can be swapped and integrated with the type of vendor you require, and to the controls that are required for the organisation.
Umm I really don't know anything about MS operating systems but I pretty sure the "bad actor" trying to get into my machine would have to be sitting in front of it. That is, to bypass whatever antivirus software I had.....which I don't have.
Well, yes, hence this is mostly regarding endpoint devices. You know they move about, get left behind on trains, planes, automobiles, get stolen, or even used in house-share environments. Not every organisation requires the top secure build, but with big penalties and even possible jail sentences for negligence regarding lost personally identifiable data, just about any organisation is a bit silly if it doesn't configure its endpoints securely.
 
100k working computers that are only capable of running Photoshop, Final Cut Pro, and a web browser aren't exactly all that useful to an airport or hospital, outside of maybe letting a few staff update the corporate TikTok account.

What the heck is done there if they don't fit? I see that computers with such capabilities are only used as terminals there. All you will see there are AIOs.
All the front ends you will see there are based on specialised web browsers today.
 
What the heck is done there if they don't fit? I see that computers with such capabilities are only used as terminals there. All you will see there are AIOs.
All the front ends you will see there are based on specialised web browsers today.

Airport terminals still run custom crap, and lots of Amadeus stuff is not browser friendly.
 
What the heck is done there if they don't fit? I see that computers with such capabilities are only used as terminals there. All you will see there are AIOs.
All the front ends you will see there are based on specialised web browsers today.
No they are not, nowhere close. Lots of old purpose-built applications that do perfectly what they do. And even if that wasn't the case. Whilst for content creators, developers etc. a Mac makes a lot of sense, in the enterprise you need to create a secure managed build that is deployable to hundreds of thousands, and managed centrally with lots of bespoke solutions for authentication, point of sale and you name it. No, a Mac wouldn't be a smart thing to deploy from a corporate perspective: way too costly, and not easy to maintain and manage centrally like PCs can be.
 
I see that you have no experience with systems other than Microsoft products.

Do you know the term "mainframe"? All large-scale systems are based on it.
 
I see that you have no experience with systems other than Microsoft products.

Do you know the term "mainframe"? All large-scale systems are based on it.
You seem to have no appreciation for a diverse enterprise environment. And one moment we talk about endpoint devices and the next you bring in mainframes. That doesn’t make any sense.

But yes, plenty of mainframe experience and minis and a variety of network topologies as well. 🤷‍♂️
 
And one moment we talk about endpoint devices and the next you bring in mainframes.

After all, they together are one system. Your endpoints are only terminals in that system.
You do not configure each terminal separately there. They are some of the cheapest things out there.
And they can be cloned very quickly.
 
After all, they together are one system. Your endpoints are only terminals in that system.
You do not configure each terminal separately there. They are some of the cheapest things out there.
And they can be cloned very quickly.
When they are just that agreed. But again, that is totally irrelevant to this context and thread. And nowadays a PC as an endpoint device is rarely only used to launch a terminal application, there are often other functions as well and other systems the operators have to switch between.
 
And nowadays a PC as an endpoint device is rarely only used to launch a terminal application, there are often other functions as well and other systems the operators have to switch between.

No. The desktop computer of a large company (airport, hospital, family doctor's office, etc.) is not used for more than just running this one client application.

//a thief can take away that desktop computer, but he gets nothing but a useless terminal
 
No. The desktop computer of a large company (airport, hospital, family doctor's office, etc.) is not used for more than just running this one client application.

//a thief can take away that desktop computer, but he gets nothing but a useless terminal
Ok, then... Amazing stuff 🤷‍♂️🤣
 
We are developing a nationwide health information system. It runs on a duplicated Linux server cluster. However, a very diverse range of machines are used as terminals.
The client application must run in the same way in a web browser as on apple and windows computers.
Patients enter the system through any web browser that supports id-card logins.
Doctors have client applications.
 
We are developing a nationwide health information system. It runs on a duplicated Linux server cluster. However, a very diverse range of machines are used as terminals.
The client application must run in the same way in a web browser as on apple and windows computers.
Patients enter the system through any web browser that supports id-card logins.
Doctors have client applications.
I imagine if Apple released a “terminal-Pad”, an iPad derivative with a large screen and multi-user capabilities, running iPadOS. That would be a great terminal: a simple and (hopefully) low-cost solution.
 