The July 19th CrowdStrike Windows Glitch Explained
So Simple Even Grandma and Grandpa Will Get It
As a 20-year veteran in the tech industry, I’ve seen my fair share of technical mishaps.
When I heard that CrowdStrike was linked to the recent Windows outage, my experience developing a Windows driver for BlackBerry 15 years ago immediately came to mind. Back then, I dealt with countless blue screens and crashes, so I have a good sense of what might have gone wrong.
The issue from last Friday is intricate and might need to be clarified, even for those well-versed in software development but unfamiliar with Windows drivers or Kernel space.
This article aims to simplify the situation, breaking it down in an accessible way even to those without a technical background — or even your grandparents.
Assume a Windows Machine is Your House
User Space
To understand better, let’s assume a Windows computer is your house. Imagine the rooms in your home—your kitchen, living room, and bedroom. These are where you do everyday activities, cook meals, watch TV, and relax. These are the visible, accessible areas where you directly interact with your home’s features.
We will call this part of your home User Space. This is also the space in your computer that you see and interact with. There is what you see on the screen and point at with your mouse. This is called User Space in Windows as well.
Kernel Space
There is also a hidden world in your house. The behind-the-walls system includes the foundation, plumbing, electrical, and heating. You don’t see these systems while going about your daily activities, but they are essential for ensuring everything works properly. They handle crucial functions like delivering water and electricity and maintaining home operations.
This is the internal infrastructure of your house. In a computer, this area is called the Kernel Space.
CrowdStrike is Your New Smart Thermostat
Consider adding a new feature to your house, like installing a smart thermostat. This latest addition wasn’t part of the original house, but it needs to connect to and work with the existing heating and cooling systems (Internal Infrastructure) to function correctly.
It monitors the temperature in your house and works with the existing infrastructure to operate effectively. Since you, the user, or the home’s original builder do not build this component (thermostat), it is called a Third-Party Application.
Similarly, Crowdstrike has built an application called Falcon to run on your Windows machine and monitor its security. To do that properly, it must connect to your computer's Kernel Space/Internal Infrastructure.
Since Falcon was not created by Microsoft or the user, it is called a Third-Party Application.
The Certification Process
When a company such as Google builds a home thermostat (Nest), it must certify that its product will work with your customer’s heating and cooling system before selling it.
So, let’s assume you buy a Nest thermostat, bring it home, and attach it to your heating and cooling system. The Nest has now started monitoring your house's temperature and telling the heating and cooling system when to change it.
Similarly, you can buy Falcon by Crowdstrike and install it on your computer. This will allow it to monitor your computer's security and tell your computer's internal infrastructure, which lives in kernel space, to do things to protect your computer.
Any application on a Windows machine that accesses the kernel space must be certified by Windows before it can run on the machine. If it doesn’t get certified, it can’t run. But sometimes, huge security risks are discovered quickly, and an update to Falcon is needed.
Sometimes, companies split their applications into two parts: one that works in Kernel space and one that works in user space only. The part in kernel space needs the certification, while the part in user space does not.
So if there is a new attack, they can send information quickly to user space and tell the kernel space part of the application to look there. It can then use that information in kernel space to protect against attacks. And because they didn’t have to update the kernel space, they didn’t need to certify it.
BUT, and there is a huge BUT here. They have to do that carefully. It is possible to update the information in user space so that it will accidentally confuse the application in kernel space, and things can go sideways. So, if you are doing this, it must be adequately tested.
Do you see where we might be going? …..
How Did It All Go Wrong?
Your new Nest Smart thermostat allows you to set the temperature from your phone and directly controls your home’s heating and cooling systems from the panel on the wall and your smartphone.
Now, suppose Google releases a software update for the Nest. This update improves the mobile app that you use to set the temperature but doesn’t include changes to the part of the thermostat that directly controls your heating and cooling systems. Remember, the infrastructure side needs to be certified, so they wouldn’t want to change that often and to get updates out faster, they might build in a way that only the mobile app needs changes, but it should still work with the infrastructure side.
Here’s where things go wrong: The updated app introduces new features or settings that are supposed to work with the thermostat. However, the thermostat’s core control system, which manages the heating and cooling, didn’t handle the changes as expected. The software developers forgot to test this change with the existing infrastructure and failed to realize that it would also need changes to work correctly.
So, when you use the new app to set a temperature, the updated data is passed to the thermostat’s control system. However, because the core system wasn’t updated, it couldn’t interpret or handle this new data correctly. This mismatch causes the thermostat to send incorrect signals to your heating and cooling systems. As a result, your heating might turn on when it’s already warm, or the cooling system might fail to turn on when it’s hot, causing your home to become uncomfortable.
Let’s say that in this case, the only way to fix the system is to disconnect it from the wall, connect the display to your computer, update the software, and then reconnect it to the wall.
Falcon is like a smart thermostat in the context of a Windows machine. It has a component or “Driver” that operates in Kernel Space (like the thermostat’s core control system) and another in User Space (like the mobile app you use). If CrowdStrike updates only the User Space component without updating the Kernel Space Driver, the system can experience problems.
When Falcon’s Kernel Space driver pulls data from the updated User Space component, the incompatibility can cause a critical failure, resulting in a Blue Screen of Death (BSOD). Fixing this involves manually rebooting the computer into Safe Mode (like manually fixing the thermostat), removing the problematic driver, and rebooting the computer normally.
This is precisely what happened on Friday, July 19th. An update to the CrowdStrikes Falcon application caused a critical failure in Kernel Space, resulting in a Blue Screen of Death on EVERY Windows machine it was installed on!
Imagine breaking the temperature controls on EVERY house that used a Nest!! Like Nest, Falcon didn’t break the temperature in all houses. Falcon only broke the Windows computers it was running on, which is why it wasn’t a Windows outage but a CrowdStrike Outage. Falcon was also running on Mac and Linux machines, but this part of the code worked differently and was unaffected.
In summary, just as an update to a smart thermostat’s app without updating its core control system can lead to issues with your home’s temperature control, an incomplete update to a driver in Kernel Space can cause severe problems on a Windows machine.
This example shows why it’s essential to keep all parts of a system, whether a thermostat or a computer, in sync to ensure smooth operation.
Want More Details?
I highly recommend this video if you want a deeper look at the issue.
I wish all the best to the IT teams working on resolving this issue, as well as to the developer who made a mistake at Crowdstrike. We're all human and we all make mistakes. Hopefully, not only Crowdstrike, but many others will learn some valuable lessons from this unfortunate event.
