Nationwide computer outage
#21
From Twitter:
"It is pretty funny that CrowdStrike's entire purpose is to prevent cyber attacks, and it accidentally launched one of the biggest cyber attacks in history."
#22
Technical Details: Falcon Content Update for Windows Hosts

https://www.crowdstrike.com/blog/falcon-...l-details/

Something is not right about this explanation. Incomplete and evasive.

On the other hand here is an explanation on what may be wrong from a user on Reddit:

WhatYouThinkIThink wrote:

This wasn't a code update (in spite of the ".sys" extension), it was an update of a "channel file".

The channel file was related to Windows named pipes, which is why this update didn't affect Linux/Mac etc systems.

The channel file was corrupted/not tested against the drivers in the field.

The drivers had a latent bug in that they accepted channel file content without validation, which resulted in the corrupted file causing a memory access exception related to a null pointer.

Because the driver is a kernel level driver and Windows only protects against failed graphics drivers, this resulted in the Windows BSOD loop.

So the problems are:

The drivers don't validate the channel files properly before accepting them, assuming that the trusted tunnel to Crowdstrike means that the content can be trusted.

The parsing of the drivers is buggy and doesn't check the content as it parses.

The release process in Crowdstrike is a clusterfuck.

Crowdstrike pushed this release to all of their client endpoints, in spite of their customers choosing to be on earlier releases (N is current, N-1 is previous, N-2 is prior to N-1, etc.).

Companies that allow an outsourced vendor to install kernel drivers and an unprotected tunnel back to that vendor to install anything the vendor chooses are basically allowing a rootkit/malware vector to be installed without control.

The fact that this occurs because bogus security "compliance audits" require this sort of crap in the first place is the underlying root cause.

This needs to be pushed back to the OS vendor (Microsoft) for not implementing standard "immutable" kernel releases and automatic rollbacks to "known good" configurations after update failures of any source, including its own.
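The failure the comment above describes, a driver that trusts channel file content and ends up dereferencing a bad pointer, is exactly what validating a content file before parsing it is meant to prevent. The following is an added example, not CrowdStrike's code: a toy "channel file" parser in C with a made-up layout (header, entry table, NUL-terminated names; the magic value, field names and error codes are all assumptions) that bounds-checks every count and offset against the buffer length, plus constructed good and corrupted sample files.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical "channel file" layout, constructed for this example: a header,
   then a table of entries, each pointing at a NUL-terminated rule name. */
#define CF_MAGIC 0x31464343u   /* "CCF1", a made-up tag */
struct cf_header { uint32_t magic, count, table_off; };
struct cf_entry  { uint32_t name_off, flags; };
enum { CF_OK = 0, CF_ERR_SHORT = -1, CF_ERR_MAGIC = -2, CF_ERR_TABLE = -3, CF_ERR_NAME = -4 };

/* The check the comment says was missing: every count and offset is tested
   against the buffer length before anything is read through it. */
int cf_validate(const uint8_t *buf, size_t len)
{
    struct cf_header h;
    if (buf == NULL || len < sizeof h) return CF_ERR_SHORT;
    memcpy(&h, buf, sizeof h);
    if (h.magic != CF_MAGIC) return CF_ERR_MAGIC;      /* also rejects an all-zero file */
    if (h.table_off > len) return CF_ERR_TABLE;
    if (h.count > (len - h.table_off) / sizeof(struct cf_entry)) return CF_ERR_TABLE;
    for (uint32_t i = 0; i < h.count; i++) {
        struct cf_entry e;
        memcpy(&e, buf + h.table_off + (size_t)i * sizeof e, sizeof e);
        if (e.name_off >= len) return CF_ERR_NAME;
        if (memchr(buf + e.name_off, '\0', len - e.name_off) == NULL) return CF_ERR_NAME;
    }
    return CF_OK;
}

/* Lookup is only legal once cf_validate() has returned CF_OK for buf. */
const char *cf_name(const uint8_t *buf, uint32_t idx)
{
    struct cf_header h; struct cf_entry e;
    memcpy(&h, buf, sizeof h);
    if (idx >= h.count) return NULL;
    memcpy(&e, buf + h.table_off + (size_t)idx * sizeof e, sizeof e);
    return (const char *)buf + e.name_off;
}

/* Constructed sample data: a well-formed one-entry file, or the same bytes with
   the table offset corrupted to point far past the buffer end (a trusting
   parser would follow it straight into unmapped memory). */
size_t cf_build(uint8_t *out, int corrupt)
{
    static const char name[] = "named-pipe-rule";
    struct cf_header h = { CF_MAGIC, 1, corrupt ? 0xFFFFFFF0u : sizeof h };
    struct cf_entry  e = { sizeof h + sizeof e, 0 };
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, &e, sizeof e);
    memcpy(out + sizeof h + sizeof e, name, sizeof name);
    return sizeof h + sizeof e + sizeof name;
}
```

In a real driver the rejection path would refuse to load the file and keep the last known-good one, rather than fault in kernel mode.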
#23
Here's what a software engineer has to say on the matter.
https://www.businessinsider.com/crowd-st...2024-7?amp
#24
I think he makes a good point - when third-party technology can take out a country's infrastructure, governments will need to take more of an interest in them to some extent.

How many other companies are out there that have the potential to cause mass disruption? Obviously Microsoft, but I imagine you could also include all security/antivirus vendors... Intel/AMD maybe.
#25
A video I came across

#26
(22-07-2024, 10:00 AM)king1 Wrote: I think he makes a good point - when third-party technology can take out a country's infrastructure, governments will need to take more of an interest in them to some extent.

How many other companies are out there that have the potential to cause mass disruption? Obviously Microsoft, but I imagine you could also include all security/antivirus vendors... Intel/AMD maybe.
It also seems that in many cases the licensing agreement / Ts&Cs puts the responsibility on the end user too, which is convenient.
These companies largely get away with a lot in these cases.
There definitely needs to be more oversight, especially when billions of dollars of damage are the result.

Here is a good rundown.
https://www.businessinsider.com/crowdstr...und-2024-7
#27
Yes, Post #25 is where it's at, very good, thanks Praktica.

Looks to me as if CrowdStrike pushed out an update to a critical sector of the MS software Kernel and did not test it adequately if at all before deploying it.

A case of beginner-like neglect, nothing professional about it. This is not what they are being paid to do and falls well below the standards required for a worldwide computer protection product company.
#28
(22-07-2024, 12:06 PM)Praktica Wrote: A video I came across

Yeah, I follow this guy a lot; he explains the whole situation quite well.
It's quite interesting to watch his other videos that talk about his time working at Microsoft.