https://arstechnica.com/information-technology/2024/07/crowdstrike-fixes-start-at-reboot-up-to-15-times-and-get-more-complex-from-there/ [arstechnica.com]
We're updating our story about the outage [arstechnica.com] with new details as we have them. Microsoft and CrowdStrike both say [crowdstrike.com] that "the affected update has been pulled,"
[...]
If rebooting multiple times isn't fixing your problem, Microsoft recommends restoring your systems using a backup from before 4:09 UTC on July 18 (just after midnight on Friday, Eastern time), when CrowdStrike began pushing out the buggy update. CrowdStrike says a reverted version of the file was deployed at 5:27 UTC. If these simpler fixes don't work, you may need to boot your machines into Safe Mode so you can manually delete the file that's causing the BSOD errors. For virtual machines, Microsoft recommends attaching the virtual disk to a known-working repair VM [microsoft.com] so the file can be deleted, then reattaching the virtual disk to its original VM.
[...]
Before you can delete the file on those systems, you'll need the recovery key that unlocks those encrypted disks and makes them readable (normally, this process is invisible, because the system can just read the key stored in a physical or virtual TPM module). This can cause problems for admins who aren't using key management to store their recovery keys, since (by design!) you can't access a drive without its recovery key. If you don't have that key, cryptography and infrastructure engineer Tony Arcieri on Mastodon compared this [mas.to] to a "self-inflicted ransomware attack," where an attacker encrypts the disks on your systems and withholds the key until they get paid.
And even if you do have a recovery key, your key management server might also be affected by the CrowdStrike bug [mas.to].