2024 年 7 月 21 日，CrowdStrike 发布了#微软蓝屏 分析报告，全球性电脑宕机是由一个逻辑错误引起的。

事后查明，导致全球众多系统瘫痪的全球性电脑宕机归咎于网络安全公司CrowdStrike 在一次例行更新中出现的逻辑错误。

这家公司发布了 Falcon 安全软件的配置更新，结果导致无数受影响的 Windows 系统出现了臭名昭著的蓝屏死机（BSOD）。

CrowdStrike 的 Falcon 平台以其实时威胁检测功能而闻名。

有问题的更新旨在增强检测恶意活动的能力，却不料导致了系统崩溃。

据 CrowdStrike的分析报告显示：“配置更新导致了一个逻辑错误，从而导致受影响的系统出现系统崩溃和蓝屏死机。”

CrowdStrike 通常每天都会发布几次更新，以适应新的网络威胁。这个特定的更新旨在检测恶意软件使用的新的恶意命名管道。

命名管道是 Windows 中用于进程间通信的通信通道。

然而，这次更新无意中含有一个逻辑错误，结果导致操作系统崩溃。

该更新的逻辑错误影响了运行面向 Windows 7.11 及以上版本的 Falcon 传感器的系统，这些系统在 2024 年 7 月 19 日 04 点 09 分至 05 点 27 分期间在线。配置文件称为“通道文件”（Channel Files），是 Falcon 的行为保护机制的必要组成部分。

这些文件位于C:\Windows\ System32\drivers\CrowdStrike\目录中，名称以“C-”开头。有问题的文件即 Channel File 291 原本旨在检测恶意命名管道，却不料导致了系统崩溃。

CrowdStrike 发现后迅速采取行动以解决问题，更新了 Channel File 291 的内容以修复逻辑错误。

尽管如此，这次中断还是产生了重大影响，干扰了航空公司、医院和企业等众多行业领域的正常运营。

云头条

，赞66

谷歌前员工 Zach Vorhies 在社交媒体上透露了这起故障背后的技术细节。

他解释道：“这是一个来自内存不安全的 C++ 语言的 NULL 指针。”Vorhies 详细阐述了在 C++ 中，地址 0x0 用来表示没有值。当程序试图访问这个地址时，它导致了系统崩溃。他举了一个简单的例子：“C++ 程序员在传递对象时本应该通过‘检查 null’来检查这个问题。”

许多用户和组织对有缺陷的更新居然通过了质量控制机制深表失望。

Vorhies 指出，现代工具可以通过自动检查这类错误来防止此类问题。

他表示，CrowdStrike 可能会考虑从 C++ 转向一种更安全的编程语言，比如 Rust，因为 Rust 没有这些空指针问题。

在这场全球性混乱后恢复正常可能需要一段时间，因为全球性 IT 中断已经影响了全球各地的商家和服务。

度假者面临出行中断，诈骗者利用这场危机大做文章，针对小企业实施网络钓鱼欺诈。

数百万台电脑需要逐台修复，从而延长了恢复时间。

专家们将这次中断与新冠疫情相提并论，强调了需要提高应变能力和应急规划。

虽然软件更新偶尔会引起干扰，但像 CrowdStrike 事件这样的重大事件并不常见。

微软官方发布博文称，CrowdStrike 的更新影响了 850 万台 Windows 设备，约占 Windows 设备总数的 1%。虽然百分比很小，但对经济和社会造成的广泛影响反映了无数运营许多关键服务的企业使用 CrowdStrike 的事实。

CrowStrike《技术细节：面向 Windows 主机的Falcon 更新》：

Technical Details: Falcon Content Update for Windows Hosts

What Happened?

On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.

The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC.

This issue is not the result of or related to a cyberattack.

Impact

Customers running Falcon sensor for Windows version 7.11 and above, that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC, may be impacted.

Systems running Falcon sensor for Windows 7.11 and above that downloaded the updated configuration from 04:09 UTC to 05:27 UTC – were susceptible to a system crash.

Configuration File Primer

The configuration files mentioned above are referred to as “Channel Files” and are part of the behavioral protection mechanisms used by the Falcon sensor. Updates to Channel Files are a normal part of the sensor’s operation and occur several times a day in response to novel tactics, techniques, and procedures discovered by CrowdStrike. This is not a new process; the architecture has been in place since Falcon’s inception.

Technical Details

On Windows systems, Channel Files reside in the following directory:

C:\Windows\System32\drivers\CrowdStrike\

and have a file name that starts with “C-”. Each channel file is assigned a number as a unique identifier. The impacted Channel File in this event is 291 and will have a filename that starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.

Channel File 291 controls how Falcon evaluates named pipe1 execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.

The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.

Channel File 291

CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.

This is not related to null bytes contained within Channel File 291 or any other Channel File.

Remediation

The most up-to-date remediation recommendations and information can be found on our blog or in the Support Portal.

We understand that some customers may have specific support needs and we ask them to contact us directly.

Systems that are not currently impacted will continue to operate as expected, continue to provide protection, and have no risk of experiencing this event in the future.

Systems running Linux or macOS do not use Channel File 291 and were not impacted.

Root Cause Analysis

We understand how this issue occurred and we are doing a thorough root cause analysis to determine how this logic flaw occurred. This effort will be ongoing. We are committed to identifying any foundational or workflow improvements that we can make to strengthen our process. We will update our findings in the root cause analysis as the investigation progresses.

CrowdStrike CEO 任 McAffe CTO 时：也导致了全球 IT 大崩溃。