CrowdStrike: Microsoft names figures, research into causes continues

While crooks register fake domains, the security scene continues to investigate the cause of the outage. According to Microsoft, millions of PCs are affected.

(Image: stylized graphic of a burning Windows logo on a laptop, captioned "Security gaps in Windows put users at risk"; created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

The major outage caused by a faulty CrowdStrike update has also spoiled the weekend at Microsoft. The Redmond-based company says it is currently deploying hundreds of engineers to help customers bring their Windows systems back up, and it is working with CrowdStrike to repair Windows PCs that no longer boot.

According to Microsoft, the number of affected machines is in the millions. In a blog post published on Saturday, the company gives an initial estimate of 8.5 million affected Windows devices. The figure is presumably based on the crash telemetry Microsoft collects for quality control after system failures. According to Redmond, that is less than one percent of all Windows machines, but these are disproportionately often corporate systems. This is plausible, as CrowdStrike Falcon is not typical consumer software.

Meanwhile, experts are still puzzling over where exactly the fatal error lies. It appears to be a null-pointer dereference, but where and why it crept into the faulty update is still the subject of several analyses. The most promising lead currently comes from IT security researcher Patrick Wardle, who used a disassembler to trace the bug. Like Google security researcher Tavis Ormandy, he contradicted the apparently erroneous analysis of another expert, which we at heise security also quoted initially.

Wardle went on to say that the culprit is apparently the "channel file" numbered 291 that was rolled out with the update, since the code of the actual kernel driver, CSAgent.sys, had not changed with the update. CrowdStrike confirmed this analysis and instructed affected customers to delete the file (the one matching C-00000291*.sys in the CrowdStrike drivers directory), which on a machine that no longer boots means doing so from Safe Mode or the Windows Recovery Environment.
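As an added example of that remediation step (this is not CrowdStrike's or Microsoft's own script), the following PowerShell locates channel file 291 on an affected installation and, only when explicitly asked, removes it. It assumes it is run with administrative rights from Safe Mode or from a WinRE command prompt, where the system volume may not be mounted as C: (pass -SystemDrive accordingly). The timestamp cut-off is an assumption taken from CrowdStrike's own guidance that the reverted, good copy of the file carries a timestamp of 2024-07-19 05:27 UTC or later; verify it against the vendor's current advisory before relying on it.

```powershell
# Added example, not vendor code. Lists C-00000291*.sys files under the CrowdStrike
# driver directory and removes those that predate the fixed version.
# Assumptions: admin rights, Safe Mode or WinRE, -SystemDrive points at the
# affected Windows volume, cut-off timestamp per CrowdStrike guidance (verify).
param(
    [string]$SystemDrive = 'C:',
    [switch]$Remove        # without -Remove the script only reports what it finds
)

$driverDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Host "No CrowdStrike driver directory found at $driverDir"
    return
}

# Files written at or after this point are the reverted, good channel file 291
# (assumed cut-off; CrowdStrike's advisory is the authority here).
$fixedSince = [datetime]::new(2024, 7, 19, 5, 27, 0, [DateTimeKind]::Utc)

Get-ChildItem -LiteralPath $driverDir -Filter 'C-00000291*.sys' | ForEach-Object {
    $stamp = $_.LastWriteTimeUtc
    if ($stamp -lt $fixedSince) {
        Write-Host ("Faulty candidate: {0} (written {1:u})" -f $_.FullName, $stamp)
        if ($Remove) {
            Remove-Item -LiteralPath $_.FullName -Force
            Write-Host "Removed $($_.FullName)"
        }
    } else {
        Write-Host ("Keeping, post-fix timestamp: {0} (written {1:u})" -f $_.FullName, $stamp)
    }
}
```

Run it once without -Remove to see what would be deleted; the Falcon sensor re-downloads the corrected channel file on the next successful boot, so deleting a good copy is harmless but pointless. On BitLocker-protected volumes the recovery key is needed before WinRE can reach the driver directory at all.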

CrowdStrike's share price also felt the effects of the outage: on Friday it fell by 11.1 percent, and in after-hours trading it dropped by just under one percent more. The company has thus lost around 20 billion US dollars in market capitalization since the outage began. Shareholders should nonetheless not be hit too hard: over the past 12 months, CrowdStrike has more than doubled its market capitalization.

Although phishing is the least of the worries for many organizations whose IT is currently in ruins, cyber criminals have been jumping on the bandwagon since yesterday. The BSI, Germany's Federal Office for Information Security, warned of waves of phishing and cyber attacks as early as midday on Saturday. Mail server admins shared lists of CrowdStrike-themed domains, for example:

  • crowdstrike.phpartners[.]org
  • crowdstrikedown[.]com
  • crowdstrikefix[.]zip
  • An extensive list is available to members of heise security PRO in the forum.
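As an added example, not from heise, the BSI or the admins who circulated the lists, the following Python scans mail and proxy log lines for domains that use the CrowdStrike brand outside the vendor's own registrable domain, which is the pattern the three domains above share. The log lines are constructed for the example, and the allowlist, keyword list and suspicious-TLD list are assumptions to be adjusted to your environment.

```python
"""Added example: flag CrowdStrike-themed lookalike domains in log lines.

Assumptions (not from the article): the allowlist of legitimate registrable
domains, the brand keywords, the TLD list, and the constructed sample log.
"""
import re

# Registrable domains that are legitimate and must never be flagged (assumed).
ALLOWLIST = {"crowdstrike.com"}

# Brand tokens seen in the circulated lure domains plus common typosquats (assumed).
KEYWORDS = ("crowdstrike", "crowdstrik", "crowd-strike", "falconsensor")

# TLDs that are unusual for a vendor support site and popular for lures (assumed).
SUSPICIOUS_TLDS = {"zip", "mov", "top", "xyz"}

# A hostname: one or more labels, then an alphabetic TLD, not glued to other
# hostname characters on either side (so "user@host.tld" and "https://host/" work).
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def registrable(domain: str) -> str:
    """Crude eTLD+1: the last two labels. Enough for the TLDs in this example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str) -> list:
    """Return the reasons a domain looks like a CrowdStrike lure; empty if clean."""
    d = domain.lower().rstrip(".")
    if registrable(d) in ALLOWLIST:
        return []                      # crowdstrike.com and all its subdomains
    reasons = []
    # Collapse label boundaries so "crowd.strike.example" is caught as well.
    flat = d.replace(".", "")
    if any(k in flat for k in KEYWORDS):
        reasons.append("brand keyword outside allowlisted domain")
    # Only escalate on TLD when the brand is also abused; a bare .zip site is
    # not by itself a CrowdStrike lure.
    if reasons and d.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        reasons.append("suspicious TLD")
    return reasons


def scan_log(lines) -> dict:
    """Map each flagged domain found in the lines to its list of reasons."""
    hits = {}
    for line in lines:
        for match in DOMAIN_RE.finditer(line):
            dom = match.group(1).lower()
            reasons = classify(dom)
            if reasons:
                hits[dom] = reasons
    return hits


# Constructed sample log lines (Postfix- and Squid-style), not real traffic.
SAMPLE_LOG = [
    "Jul 20 12:01:03 mx postfix/smtpd[4711]: client=unknown[203.0.113.5], "
    "from=<helpdesk@crowdstrikefix.zip>, to=<it@example.org>",
    "Jul 20 12:02:17 mx postfix/smtpd[4712]: client=mail.crowdstrike.com[198.51.100.9], "
    "from=<noreply@crowdstrike.com>",
    "Jul 20 12:03:44 proxy squid: GET https://crowdstrike.phpartners.org/fix.exe user=alice",
    "Jul 20 12:04:10 proxy squid: GET https://supportportal.crowdstrike.com/ user=bob",
    "Jul 20 12:05:02 mx postfix/smtpd[4713]: from=<recovery@crowdstrikedown.com>, "
    "subject=Urgent BSOD fix",
]

if __name__ == "__main__":
    for dom, why in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{dom}: {', '.join(why)}")
```

The check deliberately keys on the registrable domain rather than on the full hostname, so crowdstrike.com.evil.net is flagged while supportportal.crowdstrike.com is not; for real deployments replace the two-label heuristic with a public-suffix-list lookup.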

Domains such as "clownstrike", "failstrike" or "crowdstuck" are more humorous in nature and probably serve as name suggestions for the outage. It is a habit in the IT security scene to give serious bugs, cyber attacks or outages the catchiest names possible, such as Shellshock, Heartbleed or Rowhammer.

The growing number of reports about companies that were spared thanks to outdated software also falls into the gallows-humor category: according to Patrick Wardle, even customers who had configured their CrowdStrike Falcon installation not to update to the latest sensor version received the faulty update anyway, since it was flagged as a "content update" rather than a new sensor version.

(cku)