CrowdStrike Bug Causes Global Microsoft Outages Affecting 911, Airlines And More

IT infrastructure and security systems built in the cloud are great until one of them shuts down your company. Cybersecurity firm CrowdStrike's marketing material says an average cybercriminal can exfiltrate data within 62 minutes of breaking in. However, it only took the company's cybersecurity suite about three minutes to shut down many of its customers itself completely by accident, including major airlines, 911 emergency response lines, and more. Blue screens abound on Windows PCs, and although the issue has been resolved there's still massive cleanup to be done. 

The good news, we suppose, is that at least Microsoft isn't the one causing issues this time. At 4:09 UTC (12:09 AM Eastern time today), the company says an updated file published to its Falcon Content Update for Windows Hosts could cause Blue Screens of Death (BSOD) errors or bug-check screens. Any machine that got the update and then subsequently rebooted would be rendered inoperable.

At 5:27 UTC -- less than 90 minutes later -- the company pushed another update that replaced the bad file. The problem is that for some large parts of global infrastructure, the damage had already been done. Windows 10 and 11 PCs that received the bad update and rebooted were now stuck. Mac and Linux users are unaffected, since the bad update was a Windows driver.


The broken driver affects the Falcon Sensor security software, which loads very early in the boot process, causing the BSOD. CrowdStrike advises customers to reboot into Recovery Mode or Safe Mode on their PCs and remove any file matching "C-00000291*.sys" from the Windows\System32\drivers\CrowdStrike directory. Once the PC has been rebooted normally after that, everything should be mostly fine. The fixed driver file will be downloaded and installed, bringing clients up to date. 

Unfortunately, the cleanup might be the hardest part. A lot of corporate PCs, especially those running Windows 11, have BitLocker full-drive encryption enabled. That means booting in Safe Mode or with a Recovery drive might require a key. If the user's account on the PC is linked to a Microsoft account, the BitLocker key is probably stored there for recovery. As long as the account is accessible from non-corporate devices and the user has local admin access, that's great. But locking accounts down to approved machines is something Microsoft's Azure Entra ID, formerly known as Azure Active Directory, can enforce. So it might not be quite that simple.
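The two preceding paragraphs describe the manual remediation (boot into Safe Mode or Recovery, remove any file matching "C-00000291*.sys" from the CrowdStrike drivers directory) and the BitLocker complication. The script below is an added example written for this page, not CrowdStrike's published guidance and not code from the article. It assumes an elevated PowerShell session in Safe Mode, or a recovery environment where PowerShell and the BitLocker module are available; the OS volume letter is a parameter because it is frequently not C: when viewed from a recovery environment. It first reports the BitLocker lock state and the recovery-key protector IDs (so the operator knows which key to look up), then quarantines the matching files into a backup folder instead of deleting them, which keeps the action reversible and preserves the file for later analysis. The backup folder name is an assumption of this example.

```powershell
# Added example (not CrowdStrike's or the article's own code).
# Assumptions: elevated PowerShell in Safe Mode or a recovery environment;
# $OsDrive is the OS volume letter as seen from this session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OsDrive = 'C:',                                   # OS volume letter
    [string]$Pattern = 'C-00000291*.sys',                      # pattern named in the guidance above
    [string]$SubPath = 'Windows\System32\drivers\CrowdStrike'  # directory named in the guidance above
)

$target = Join-Path $OsDrive $SubPath

# 1. BitLocker check: if the volume is still locked, nothing below can work
#    until the recovery key (identified by its KeyProtectorId) has been entered.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    if ($bl) {
        Write-Host "BitLocker on ${OsDrive}: $($bl.VolumeStatus), lock state $($bl.LockStatus)"
        $bl.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object { Write-Host "  Recovery key protector ID: $($_.KeyProtectorId)" }
        if ($bl.LockStatus -eq 'Locked') {
            throw "Volume $OsDrive is locked; unlock it with the recovery key before removing files."
        }
    }
}

# 2. Locate the offending file(s). A missing directory usually means the wrong
#    drive letter was passed, so fail loudly rather than silently do nothing.
if (-not (Test-Path -LiteralPath $target)) {
    throw "Directory not found: $target (is $OsDrive the right OS volume?)"
}
$files = Get-ChildItem -LiteralPath $target -Filter $Pattern -File
if (-not $files) {
    Write-Host "No files matching $Pattern in $target; nothing to do."
    return
}

# 3. Quarantine rather than delete: move matches to a backup folder
#    (folder name is an assumption of this example) so the step is reversible.
$backup = Join-Path $OsDrive 'CrowdStrike-quarantine'
if (-not (Test-Path -LiteralPath $backup)) {
    New-Item -ItemType Directory -Path $backup | Out-Null
}
foreach ($f in $files) {
    if ($PSCmdlet.ShouldProcess($f.FullName, "Move to $backup")) {
        Move-Item -LiteralPath $f.FullName -Destination $backup -Force
        Write-Host "Moved $($f.Name) (modified $($f.LastWriteTimeUtc.ToString('u'))) to $backup"
    }
}
Write-Host "Done. Reboot normally; the sensor will download the corrected file."
```

Run it once with `-WhatIf` to see which files would be moved before committing; because the script declares `SupportsShouldProcess`, the `-WhatIf` and `-Confirm` switches pass through to the move step. The logged modification timestamp is the quickest way to confirm the file being quarantined is the one from the bad 4:09 UTC push rather than an older, healthy channel file.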

[Image: Delta Air Lines statement on the CrowdStrike outage]
Whatever the fix, companies have been feeling the pain this morning. Delta, United, and American Airlines have all posted to their respective social media channels about delays and cancellations that came as a result of this issue. All three airlines have resumed their schedules as of press time.

According to Forbes, 911 centers and broadcast channels like SkyNews have been unable to operate as well. It will probably take a while for everyone to fully recover, though at least CrowdStrike was able to stop the bleeding quickly.