CrowdStrike is blaming its test software for a faulty security update that led to a devastating global outage last week.
In a blog post published Wednesday, CrowdStrike said the testing program it uses to validate security updates missed "problematic content" in what was supposed to be a minor adjustment to previously released software. That "content" triggered a memory error that caused Windows systems around the world to display the "Blue Screen of Death."
"When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash," the firm said in the report.
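As an added illustration, not CrowdStrike's own code and not its real channel-file layout, the following hypothetical content interpreter shows the class of defect the report describes: content that references sensor inputs which do not exist, and the validation step that rejects such content instead of reading out of bounds. The record format, field sizes and sample blobs are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical, simplified content record (NOT CrowdStrike's real channel file
 * format): a rule count followed by one sensor-input index per rule. */
#define MAX_RULES  16
#define MAX_FIELDS 8                      /* inputs the sensor actually provides */
typedef struct {
    uint8_t rule_count;
    uint8_t field_index[MAX_RULES];       /* which sensor input each rule reads */
} content_record;
/* Constructed stand-in for the sensor's fixed table of input values. */
static const uint32_t sensor_inputs[MAX_FIELDS] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Parse the raw blob; reject truncated or oversized records before use. */
int parse_record(const uint8_t *buf, size_t len, content_record *out)
{
    if (len < 1 || buf[0] > MAX_RULES || len < (size_t)1 + buf[0]) return -1;
    out->rule_count = buf[0];
    memcpy(out->field_index, buf + 1, buf[0]);
    return 0;
}

/* Check every index against what the sensor can supply BEFORE interpreting.
 * Skipping this check is what lets bad content become an out-of-bounds read. */
int validate_record(const content_record *r)
{
    for (size_t i = 0; i < r->rule_count; i++)
        if (r->field_index[i] >= MAX_FIELDS) return 0;
    return 1;
}
/* Load, validate and interpret one content blob. Returns -1 if the blob does not
 * parse, -2 if it references inputs the sensor lacks (content is rejected and the
 * sensor keeps its last-known-good rules), else the sum of the referenced inputs. */
int load_and_run(const uint8_t *buf, size_t len)
{
    content_record r;
    if (parse_record(buf, len, &r) != 0) return -1;
    if (!validate_record(&r)) return -2;
    uint32_t sum = 0;                     /* placeholder "work" the rules perform */
    for (size_t i = 0; i < r.rule_count; i++) sum += sensor_inputs[r.field_index[i]];
    return (int)sum;
}

/* Constructed sample content: a valid record, and one whose third rule
 * references input 12, which the sensor does not have. */
const uint8_t GOOD_CONTENT[] = {3, 0, 2, 7};
const uint8_t BAD_CONTENT[]  = {3, 0, 2, 12};
```

The point is that the reject path returns an error the caller can log and act on, whereas an unchecked index into `sensor_inputs` would fault, which in kernel mode cannot be recovered from.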
Industry experts called for accountability, adding that it is "alarming" that CrowdStrike pushed an update that was not properly tested and validated before it was rolled out globally.
"It is very alarming when patches and updates that are intended for systems that have a true operational impact are not tested and validated before going into production," Steve Kelly, former senior director for cybersecurity at the White House National Security Council, told The Washington Post.
What Is CrowdStrike Doing To Prevent Another Outage?
As part of its effort to compensate for damages, CrowdStrike sent out $10 Uber Eats vouchers to its partners. However, those who attempted to claim the vouchers received an error message saying the gift card was canceled, as first reported by TechCrunch.
To prevent another outage, CrowdStrike said it would adopt new measures, including staggering the rollout of updates, providing more detail about upcoming updates, and giving customers more control over when updates are applied.
CrowdStrike also noted that the report is still preliminary, adding that it will publicly release the full analysis once the investigation is complete.
The global tech outage cost Fortune 500 companies about $5.4 billion in financial losses, with airlines losing $0.86 billion. However, CrowdStrike is unlikely to pay for the damages: the terms of its Falcon security software limit liabilities to "fees paid."
This means that if a company had a claim against CrowdStrike for damages or lost revenue, the tech firm is only required to give back what the complainant paid to them, per Business Insider, citing Elizabeth Burgin Waller, the chair of the Cybersecurity & Data Privacy practice at Woods Rogers.