
Microsoft: Faulty CrowdStrike update affected 8.5M devices

Microsoft said less than 1% of all Windows machines were affected by a defective CrowdStrike Falcon update on Friday, but the disruption has been widespread.

More than 8 million Windows devices were affected by last week's massive IT outage after CrowdStrike released a faulty channel file update.

In a blog post published on Saturday, David Weston, vice president of enterprise and OS security at Microsoft, revealed the scope of the incident and detailed the response efforts following last week's global IT outage that resulted from a defective CrowdStrike Falcon update. The outage affected many CrowdStrike customers but most notably halted airline services and disrupted healthcare organizations and government agencies, with fallout continuing this week.

"We currently estimate that CrowdStrike's update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services," Weston wrote in the blog post.

Over the weekend, Microsoft provided additional remediation updates and workaround recommendations for affected users that span across a variety of sectors. On Saturday, Microsoft released two new recovery options via a free USB tool that customers can download. The first option recovers from Windows Preinstallation Environment or WinPE, which is a small OS within Windows that is used to deploy, repair and troubleshoot the full OS. The second option recovers the affected system in safe mode.

"Although the USB option is preferred, some devices may not support USB connections. In such cases, we provide detailed steps below for using the Preboot Execution Environment (PXE) option. If the device cannot connect to a PXE network and USB is not an option, reimaging the device might be a solution," Microsoft said in the advisory.

In addition to engaging with CrowdStrike on response efforts, Microsoft also said it's working with Google Cloud Platform and Amazon Web Services to communicate with customers as they work to recover their Windows systems after experiencing continuous blue screen of death (BSOD) error messages.

Weston stressed that it was not a Microsoft incident. He added that while software updates can cause disruptions, incidents like the one that occurred on July 18 are "infrequent." Since last week, Weston said, Microsoft has been working with CrowdStrike to release an automated fix and has deployed hundreds of Microsoft engineers to assist affected customers.

"This incident demonstrates the interconnected nature of our broad ecosystem -- global cloud providers, software platforms, security vendors and other software vendors, and customers. It's also a reminder of how important it is for all of us across the tech ecosystem to prioritize operating with safe deployment and disaster recovery using the mechanisms that exist," the blog post read.

CrowdStrike has also provided updates over the weekend. In a post to LinkedIn, CrowdStrike also said an estimated 8.5 million Windows devices were affected by the defective update and that a "significant" number have been restored. CrowdStrike added that it worked with customers to test a new remediation technique intended to accelerate the recovery process.

"We're in the process of operationalizing an opt-in to this technique. We're making progress by the minute," CrowdStrike wrote in the post.

CrowdStrike's new guidance included a recovery process for organizations that don't have access to their BitLocker keys. Some organizations have found themselves locked out of their systems and unable to remove the defective CrowdStrike update because they cannot access their BitLocker keys.

CrowdStrike also apologized again for the significant disruption to affected organizations.

Larry Carvalho, independent analyst with Robust Cloud, told TechTarget Editorial that the resulting IT outages could have significant effects on the IT industry, possibly causing more users to consider alternatives to Windows. "Overall, it was a good day for unaffected Mac and Linux machines," he said. "With endpoints needing basic functionality in most cases, you can expect Linux to get some more traction because of this failure."

Senior News Director Rob Wright contributed to this story.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
