Skip to content

← Writing

engineering

CrowdStrike: The Day Windows BSOD'd the World

· Jerwin Arnado

Archive note: this is a backdated post, written years later while rebuilding this site. It’s dated to the moment it covers, but the hindsight is real.

On July 19, at around 2pm Manila time, screens started turning blue. Airline check-ins. Hospital systems. Broadcasters mid-air. Banks, point-of-sale terminals, airport departure boards — an estimated 8.5 million Windows machines crash-looping at once. Flights grounded worldwide; NAIA among the airports falling back to handwritten boarding passes. Not a cyberattack — though everyone’s first hour assumed so — but something more embarrassing: a routine content update from CrowdStrike, a security vendor most affected civilians had never heard of, whose Falcon sensor runs with kernel privileges on a staggering share of the world’s enterprise Windows fleet.

The mechanics: Falcon’s kernel-mode driver consumed a malformed “channel file” (rapid-deploy threat-detection config), hit an out-of-bounds memory read, and panicked — and because it loads at boot, the machines crash-looped before remediation could reach them. The fix required, in most cases, a human at each machine: safe mode, delete the file, reboot. Eight and a half million times. BitLocker-encrypted fleets got to do it with recovery keys — stored, in the finest examples, on servers that were also blue-screening.

The checklist of sins

This blog collects outage post-mortems precisely because they’re the cheapest education available, and this one is a complete syllabus:

  1. No staged rollout. The channel file went to the entire planet simultaneously. Canary deployments — 1%, watch, 10%, watch — are deployment hygiene so basic that consumer apps shame you into it. A kernel-privileged agent on civilization’s infrastructure shipped config like a hotfix to a hobby project. Every percentage of stagger would have converted “global catastrophe” into “Tuesday incident report.”
  2. Config is code. The update wasn’t “software” by CrowdStrike’s release taxonomy — content files reportedly traveled a faster, lighter pipeline than driver updates. The kernel does not care about your taxonomy. Anything that changes runtime behavior is a deployment and earns the full testing-and-stagger treatment. Every team has its own version of this exemption; July 19 is what the exemption costs at scale.
  3. Parse hostile, even from yourself. A kernel driver that trusts its own config files enough to read out of bounds has decided its own pipeline is infallible. Defensive parsing at trust boundaries applies to your inputs too — the file from HQ is still an input.
  4. Recovery paths must not depend on the thing being recovered. Crash-before-network meant no remote fix; BitLocker keys behind dead servers meant the Facebook lesson, re-taught: never lock the fire extinguisher inside the burning building.

The structural lesson

Beneath the checklist sits the uncomfortable architecture of modern IT: security tooling is the most privileged, most homogeneous, fastest-updating software in the world — kernel access, deployed identically across millions of machines, updating multiple times daily by design, exempted from change windows because it’s security. That’s a monoculture with a firehose attached. July 19 was the accident version; the xz incident was the near-miss deliberate version of the same shape. The industry keeps building single points of planetary failure and acting surprised by planetary failures.

For the homelab and the client stack alike, the takeaways are old friends: stagger everything, distrust every input, keep an out-of-band door, and know — before the bad day — exactly which vendor’s bad Friday becomes yours. The blue screens cleared in days. The architecture that produced them is still everywhere, quietly updating itself as you read this.