CrowdStrike says bug in quality-control process led to botched update

LONDON:
A software issue in CrowdStrike’s quality-control system caused the software update that crippled computers around the world last week, the US firm acknowledged on Wednesday, as damages pile from the outage, which interrupted services ranging from aviation to banking.


The extent of the harm from the faulty upgrade is still being determined. On Saturday, Microsoft announced that around 8.5 million Windows devices had been affected, and the US House of Representatives Homeland Security Committee has written to CrowdStrike CEO George Kurtz, requesting testimony.

On Wednesday, the financial impact began to come into perspective. According to insurer Parametrix, US Fortune 500 firms, excluding Microsoft, will suffer losses of $5.4 billion as a result of the outage, and Malaysia’s digital minister has asked CrowdStrike and Microsoft to consider compensating affected companies.

The outage occurred because CrowdStrike’s Falcon, an advanced platform that protects systems from malicious software and hackers, featured a flaw that caused machines running Microsoft’s Windows operating system to crash and display the “Blue Screen of Death”.

“Due to a bug in the Content Validator, one of the two Template Instances passed validation despite containing problematic content data,” CrowdStrike said in a statement, referring to the failure of an internal quality control mechanism that allowed the problematic data to pass through the company’s own safety checks.

According to a person familiar with the matter, Microsoft has no plans to limit CrowdStrike’s access to the Windows operating system as a result of the outage.

CrowdStrike did not explain what the content data was or why it was harmful. A “Template Instance” is a set of instructions that tell the software what risks to search for and how to respond. CrowdStrike said it applied a “new check” to its quality control method to prevent the problem from happening again.


CrowdStrike supplied information to patch impacted systems last week, but experts said getting them back online would take weeks because the erroneous code had to be manually weeded out.

Wednesday’s announcement was consistent with a generally held belief among cybersecurity experts that something in CrowdStrike’s quality control procedure had gone drastically wrong.

The incident has also sparked concerns among experts that many organizations are not adequately prepared to implement contingency plans when a single point of failure, such as an IT system or a piece of software within it, fails.