
By causing computers around the world to blue screen twice, this man has achieved an epic feat.

2024-07-23


I expect everyone has seen the "Microsoft blue screen" incident of the past two days.


Unfortunately, Shichao was in the middle of a rather enthusiastic team-building trip at the time and couldn't serve you the story while it was still hot.

No matter. As colleagues in the foreign press keep digging, more and more explosive details are emerging, so Shichao thinks now is the perfect time to go through the whole thing with everyone.

It started when a cybersecurity company called CrowdStrike pushed what was supposed to be a routine content update to its Falcon sensor, meant to detect a newly observed attack technique.


The result... the update crashed every Windows machine running its product that downloaded it before it was withdrawn, roughly an hour and a half later.

Airports, banking, finance, transportation, retail, healthcare... no industry was spared.

At Berlin Brandenburg Airport in Germany, passengers could not get through the security checkpoint because the equipment had failed.


Ticket machines at London stations showed blue screens, so people could not buy tickets.


The iconic billboards in New York's Times Square also joined the "blue screen era".


Musk, never one to hold back, of course ranted on X and posted an AI-generated picture of CrowdStrike's server room in flames, because the CrowdStrike mess had hit Tesla's production lines.

"It's you who has to answer for this, Lao Ma!" (Lao Ma, "old Ma", is Musk's nickname in China.)


In short, the blue screen incident hit almost every industry. Even American experts said, "I am stunned to see this chain reaction."

CrowdStrike caused such a big mess mainly because its products sell so well.

According to market research firm IDC, CrowdStrike is second only to Microsoft in endpoint protection, with an 18% share of the $12.6 billion market and about 29,000 customers worldwide. Microsoft put the number of affected Windows devices at roughly 8.5 million: less than 1% of all Windows machines, but concentrated in exactly the enterprises that run everything else.

CrowdStrike: think of it as the American version of 360 Enterprise Edition (just kidding).


What's even funnier is how absurd the mistake itself was.

According to the details CrowdStrike disclosed and the analysis of security researchers, the culprit is a small file named "C-00000291*.sys", a configuration file for the CrowdStrike Falcon platform known as a "Channel File". Despite the .sys extension it is not a kernel driver itself: it is content that the Falcon sensor driver loads and interprets, and it lives under C:\Windows\System32\drivers\CrowdStrike.


Channel File 291 in particular controls how Falcon evaluates "named pipe" activity on Windows.

Hmm... This may be a little difficult to understand, so let's put it simply.

Think of Falcon as a security system that watches what programs do on a Windows machine. One thing programs do is talk to each other through a mechanism called a "named pipe". Attackers use named pipes too: many command-and-control frameworks pass messages between their components over them, which is exactly the kind of activity the update was trying to catch.

So how does Falcon decide what to do with named-pipe activity? That is what file 291 is for: it works like a rule book. The sensor consults it to decide which activity is normal and can be let through, which is suspicious and needs a closer look, and which is harmful and must be stopped.

(Figure: processes A and B communicating through a named pipe)


But the update inserted a rule into the 291 file that the sensor could not handle. It's like inviting a guest to your home, then opening the neighbor's door and saying "come in". Neighbor: ???

So when Falcon evaluated the bad rule in file 291, it read memory it should never have touched (CrowdStrike later described it as an out-of-bounds memory read). Because the Falcon sensor runs as a kernel-mode driver, there is no process to kill and no exception to catch: an invalid memory access in kernel mode is a bug check, and Windows halts with a blue screen. Worse, the sensor is loaded early at boot and parses the same file again on every start, so affected machines went into a crash loop.
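To make the failure concrete, here is a toy model of a template-driven rule interpreter, written for this article and not taken from CrowdStrike's code. CrowdStrike's later root-cause analysis described the defect as a mismatch between the number of input fields a content template declared and the number the sensor actually supplied, which led to an out-of-bounds read; the toy below reproduces that class of bug in user-space C. Everything in it (the rule layout, the 20-field event, the function names) is an assumption made for illustration. The unchecked evaluator trusts the field index it finds in the content file; the hardened version bounds-checks each rule and, more usefully, validates the whole file against the interpreter's input width before it is activated, so a bad file is rejected at load time instead of faulting on the first event that exercises it.

```c
/*
 * Toy model of a template-driven content interpreter, added as an
 * illustration of one bug class (unchecked field index -> out-of-bounds
 * read). This is NOT CrowdStrike's code; the record layout, names and
 * sizes below are assumptions made for this example.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One rule from a "channel file": input field N must contain PATTERN. */
typedef struct {
    size_t field_index;   /* 0-based index into the interpreter's input */
    const char *pattern;  /* substring to look for in that field */
} rule_t;

/* A loaded channel file: an array of rules. */
typedef struct {
    const rule_t *rules;
    size_t nrules;
} channel_t;

enum { CHANNEL_OK = 0, CHANNEL_BAD_FIELD_INDEX = -1 };

/*
 * Vulnerable form: trusts field_index straight from the content file.
 * If the file references a field the sensor never supplies
 * (field_index >= nvalues), this reads past the end of `values`.
 * In kernel mode that is a bug check (blue screen), not a catchable error.
 */
int evaluate_unchecked(const rule_t *r, const char *const *values, size_t nvalues)
{
    (void)nvalues;                            /* the bound is simply ignored */
    const char *field = values[r->field_index];
    return field != NULL && strstr(field, r->pattern) != NULL;
}

/*
 * Hardened form 1: bounds-check at evaluation time.
 * Returns 1 for a match, 0 for no match, -1 for a rule that is unsafe to evaluate.
 */
int evaluate_checked(const rule_t *r, const char *const *values, size_t nvalues)
{
    if (r->field_index >= nvalues || r->pattern == NULL)
        return -1;
    const char *field = values[r->field_index];
    return field != NULL && strstr(field, r->pattern) != NULL;
}

/*
 * Hardened form 2: validate the whole file against the interpreter's declared
 * input width BEFORE activating it. A bad file is then rejected at load time,
 * on every host, instead of crashing the first host that sees a matching event.
 */
int validate_channel(const channel_t *ch, size_t input_width)
{
    for (size_t i = 0; i < ch->nrules; i++) {
        if (ch->rules[i].field_index >= input_width || ch->rules[i].pattern == NULL)
            return CHANNEL_BAD_FIELD_INDEX;
    }
    return CHANNEL_OK;
}

/* Count matching rules over a file already accepted by validate_channel(). */
int count_matches(const channel_t *ch, const char *const *values, size_t nvalues)
{
    int hits = 0;
    for (size_t i = 0; i < ch->nrules; i++)
        if (evaluate_checked(&ch->rules[i], values, nvalues) == 1)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample event: the sensor supplies 20 fields per named-pipe
     * event; unspecified slots are NULL. Field meanings are made up here. */
    const char *event[20] = { "\\\\.\\pipe\\mojo.1234", "svchost.exe", "connect" };
    const size_t width = 20;

    /* A rule set that only touches fields 0..19 loads and evaluates fine. */
    const rule_t good_rules[] = { { 0, "pipe" }, { 1, "svchost" } };
    const channel_t good = { good_rules, 2 };

    /* A new rule referencing a 21st field (index 20) the sensor never fills. */
    const rule_t bad_rules[] = { { 0, "pipe" }, { 20, "anything" } };
    const channel_t bad = { bad_rules, 2 };

    printf("good file: validate=%d matches=%d unchecked(rule0)=%d\n",
           validate_channel(&good, width), count_matches(&good, event, width),
           evaluate_unchecked(&good_rules[0], event, width));
    printf("bad file:  validate=%d (rejected before activation)\n",
           validate_channel(&bad, width));
    return 0;
}
```

Build and run with `cc -Wall -o channel channel.c && ./channel`. The unchecked evaluator is deliberately only called on a valid rule: calling it with the index-20 rule is undefined behaviour in user space and a kernel crash in a driver, which is the whole point. The load-time validator is the check that matters operationally, because it turns "crash on the first matching event, on every host at once" into "refuse the file and keep the previous one".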

Fixing it was not a job for the ancestral skill of "turn it off and on again": the file is parsed at every boot, so a plain restart just reproduces the crash. (Some hosts did recover after repeated reboots, when the sensor happened to download the corrected file before the bad one was evaluated, but that is luck, not a fix.) The workaround CrowdStrike published was to boot into Safe Mode or the Windows Recovery Environment, go to C:\Windows\System32\drivers\CrowdStrike, and delete the file matching "C-00000291*.sys" so the sensor never loads and parses it again.

The catch is that many machines could not even reach the login screen, so each one needed hands-on recovery: someone at the keyboard or on a remote console, local administrator credentials, and on disks protected by BitLocker the recovery key before the drive could even be read. Multiply that by a fleet of thousands and you can see why recovery dragged on for days.


Beyond shipping a broken file, the incident exposed other weaknesses in CrowdStrike's process.

One security expert pointed out that every rule update should go through staged (grayscale) rollout, monitoring and rollback. Instead, this content update went to every host at once, fully automatically, and customers had no chance to react. Customers can pin the Falcon sensor itself to an older release (the so-called N-1 or N-2 policy), but that control does not apply to this kind of content update, so it offered no protection here. And once the damage was done there was no remote rollback: the fix had to be applied by hand, machine by machine.

The other question people asked: how does antivirus software end up with such deep privileges?

Microsoft's answer was to point at the EU: it said a 2009 agreement with the European Commission obliges it to give security vendors the same level of access to Windows, including kernel access, that Microsoft's own security products get.


Microsoft is quite the joker here. The outage was not its fault, the EU has fined it repeatedly in the past, and this was a chance to return the favor.

The technical point underneath the sniping is real, though: a security agent that hooks the kernel runs with the same privileges as the operating system itself. If it does something wrong at that level, there is no sandbox to contain the damage; the whole system goes down, and Windows is the one wearing the blue screen.

Another interesting detail: something very similar has happened before, and both incidents trace back to the same person, George Kurtz, now CEO of CrowdStrike and back then chief technology officer of McAfee. In April 2010, a McAfee signature update misidentified the Windows system process svchost.exe as malware and quarantined it, sending Windows XP machines around the world into reboot loops.


Two moves from George, and millions of computers around the world shook. An epic record that is unlikely to be matched.


That is more or less the whole story of the causes and consequences of this blue screen incident.

Shichao's feeling is that the incident has little direct impact on us and could be treated as none of our business; after all, CrowdStrike had already stopped selling into mainland China, so we don't get to "enjoy" its services.

But from another angle, the lessons of this incident are still worth reviewing and studying by the domestic industry.

Because what the CrowdStrike incident exposed is that system security is itself part of digital infrastructure, and it affects the day-to-day operation of every industry. If we want to be a digital power, we have to get system security right.

Written by: Kway Teow

Editors: Milo & Noodles

Art editor: Xuanxuan

Images and sources:

Technical analysis of the large-scale system crash caused by CrowdStrike, Security Insider

What caused the huge global IT outage?, Financial Times

Analysis report on the global IT infrastructure disruption caused by CrowdStrike, Qi An Xin

CrowdStrike

Some pictures are from the Internet