CrowdStrike blames global IT outage on bug in system for checking updates


A faulty update that caused last week’s global IT outage was released to millions of Windows devices because of a bug in cybersecurity firm CrowdStrike’s quality control system, the company said Wednesday.

In a preliminary post-incident review, the Texas-based cybersecurity company said a series of recent software updates pushed information to Windows machines that was supposed to help it stay up to date on cyberthreats, but one of them contained “problematic content data.”

The bad data triggered a memory problem that “could not be gracefully handled,” causing a Windows operating system crash, according to CrowdStrike’s report. The update had been evaluated on March 5 for possible problems, but a bug in the company’s testing software meant that the bad data wasn’t detected.

Last week’s incident, which Windows vendor Microsoft said affected about 8.5 million devices, showed the risks inherent in the business world’s reliance on ubiquitous brand names in the technology industry. The crash had widespread effects throughout the world as thousands of flights were canceled or delayed, health appointments rescheduled and online ticket sales halted at some venues, among other disruptions. Although most businesses saw their operations return to normal over the weekend, some ripple effects continued to be felt this week, with one major airline, Delta, still canceling flights Tuesday.

CrowdStrike said Wednesday it will beef up its software testing to make sure a similar error doesn’t happen again. It also promised to carry out updates in a staggered fashion in the future, so that only a small number of machines are updated to start. And it said it will give its users more control over the delivery of updates.

The company pledged to publish a more in-depth report on what went wrong once its full investigation is complete.

“All of CrowdStrike understands the gravity and impact of the situation,” CrowdStrike CEO George Kurtz said in a statement Wednesday.

Kurtz warned that adversaries and bad actors posing as CrowdStrike personnel might try to exploit the outage. “I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives,” Kurtz said.

CrowdStrike is among the most widely used cybersecurity platforms. Its software is deployed on millions of computers to fend off ransomware attacks and other intrusions. After its founding in 2011, it became well known for its involvement in post-mortem investigations into several high-profile cyberattacks, including a 2014 Sony Pictures hack. It attracted investment from Google and went public in 2019.
