Technical Details: Falcon Content Update for Windows Hosts
https://www.crowdstrike.com/blog/falcon-...l-details/
Something is not right about this explanation. Incomplete and evasive.
On the other hand, here is an explanation of what may be wrong from a user on Reddit:
WhatYouThinkIThink 2 points an hour ago
This wasn't a code update (in spite of the ".sys" extension), it was an update of a "channel file".
The channel file was related to Windows named pipes, which is why this update didn't affect Linux/Mac etc. systems.
The channel file was corrupted/not tested against the drivers in the field.
The drivers had a latent bug in that they accepted channel file content without validation, which resulted in the corrupted file causing a memory access exception related to a null pointer.
Because the driver is a kernel level driver and Windows only protects against failed graphics drivers, this resulted in the Windows BSOD loop.
So the problems are:
The drivers don't validate the channel files properly before accepting them, assuming that the trusted tunnel to Crowdstrike means that the content can be trusted.
The parsing of the drivers is buggy and doesn't check the content as it parses.
The release process in Crowdstrike is a clusterfuck.
Crowdstrike pushed this release to all of their client endpoints, in spite of their customers choosing to be on earlier releases (N is current, N-1 is previous, N-2 is prior to N-1 etc)
Companies that allow an outsourced vendor to install kernel drivers and an unprotected tunnel back to that vendor to install anything the vendor chooses are basically allowing a rootkit/malware vector to be installed without control.
The fact that this occurs because bogus security "compliance audits" require this sort of crap in the first place is the underlying root cause.
This needs to be pushed back to the OS vendor (Microsoft) for not implementing standard "immutable" kernel releases and automatic rollbacks to "known good" configurations after update failures of any source, including its own.
It's not the least charm of a theory that it is refutable. The hundred-times-refuted theory of "free will" owes its persistence to this charm alone; some one is always appearing who feels himself strong enough to refute it - Friedrich Nietzsche
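Added example, not code from CrowdStrike's write-up nor from the Reddit commenter, and not the real channel-file layout: a constructed C loader in the shape the comment describes. The unchecked path trusts every field because the file arrived over the vendor channel and ends up dereferencing a NULL slot in a fixed table; the hardened path treats the same bytes as untrusted input and rejects them before anything is indexed or dereferenced. The file format, the CF_MAGIC value, the handler table and the two sample files are all invented for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Invented content-file layout (NOT CrowdStrike's channel file format):
 *   header : magic(4) | version(4) | rule_count(4)
 *   rule   : handler_index(4) | pattern_len(4) | pattern bytes
 * All integers little-endian. */
#define CF_MAGIC      0x31464343u   /* bytes "CCF1", an invented tag */
#define CF_HEADER_LEN 12
#define CF_RULE_LEN   8
#define CF_MAX_RULES  64

typedef struct { const char *name; } handler_t;

/* Driver-side dispatch table (invented). Empty slots are NULL: that NULL is
 * the pointer an unvalidated loader ends up dereferencing. */
static const handler_t h_pipe_open  = { "pipe_open" };
static const handler_t h_pipe_write = { "pipe_write" };
static const handler_t *const handlers[4] = { &h_pipe_open, &h_pipe_write, NULL, NULL };
#define HANDLER_SLOTS (sizeof handlers / sizeof handlers[0])

typedef enum { CF_OK = 0, CF_TRUNCATED, CF_BAD_MAGIC, CF_TOO_MANY_RULES,
               CF_BAD_HANDLER, CF_BAD_PATTERN } cf_status;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The pattern the comment describes: the file came over the vendor channel,
 * so every field is trusted. No length check, no range check, no NULL check.
 * On a file whose first rule names an empty slot this dereferences NULL;
 * in a kernel driver that is a bugcheck, not a crashed process. */
static const char *first_handler_unchecked(const uint8_t *buf)
{
    uint32_t idx = rd32(buf + CF_HEADER_LEN);
    return handlers[idx]->name;
}

/* Hardened path: treat the file as untrusted input regardless of how it
 * arrived, and reject it before any field is used to index or dereference. */
static cf_status cf_validate(const uint8_t *buf, size_t len)
{
    if (len < CF_HEADER_LEN)    return CF_TRUNCATED;
    if (rd32(buf) != CF_MAGIC)  return CF_BAD_MAGIC;
    uint32_t count = rd32(buf + 8);            /* buf + 4 is the version, unused here */
    if (count > CF_MAX_RULES)   return CF_TOO_MANY_RULES;

    size_t off = CF_HEADER_LEN;
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < CF_RULE_LEN) return CF_TRUNCATED;
        uint32_t idx  = rd32(buf + off);
        uint32_t plen = rd32(buf + off + 4);
        if (idx >= HANDLER_SLOTS || handlers[idx] == NULL) return CF_BAD_HANDLER;
        off += CF_RULE_LEN;
        if (plen == 0) return CF_BAD_PATTERN;
        /* compare remaining bytes against plen rather than computing off + plen,
         * so a huge plen cannot wrap the addition */
        if (len - off < plen) return CF_TRUNCATED;
        off += plen;
    }
    return off == len ? CF_OK : CF_BAD_PATTERN;   /* no trailing garbage */
}

/* Safe entry point: same lookup as the unchecked path, but only after validation. */
static const char *first_handler_checked(const uint8_t *buf, size_t len)
{
    if (cf_validate(buf, len) != CF_OK || rd32(buf + 8) == 0) return NULL;
    return first_handler_unchecked(buf);   /* safe only because validation ran first */
}

/* Constructed sample files. */
static const uint8_t good_file[] = {
    'C','C','F','1',  1,0,0,0,  1,0,0,0,      /* magic, version 1, one rule */
    1,0,0,0,  4,0,0,0,  'p','i','p','e'       /* handler 1, 4-byte pattern */
};
static const uint8_t null_slot_file[] = {
    'C','C','F','1',  1,0,0,0,  1,0,0,0,
    2,0,0,0,  4,0,0,0,  'p','i','p','e'       /* handler 2 is an empty slot */
};

int main(void)
{
    printf("good file      : status %d, first handler %s\n",
           cf_validate(good_file, sizeof good_file),
           first_handler_checked(good_file, sizeof good_file));
    printf("null-slot file : status %d (CF_BAD_HANDLER=%d), rejected before any dereference\n",
           cf_validate(null_slot_file, sizeof null_slot_file), CF_BAD_HANDLER);
    printf("truncated file : status %d (CF_TRUNCATED=%d)\n",
           cf_validate(good_file, 14), CF_TRUNCATED);
    /* first_handler_unchecked(null_slot_file) would dereference NULL here. */
    return 0;
}
```

The point of the split is that the unchecked lookup is not wrong on a well-formed file, which is exactly why such a bug stays latent until a malformed file reaches it; the validator is what turns "we trust the tunnel" into "we trust nothing we did not check", and it has to run before the first byte of the file is used as an index.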