CrowdStrike engages external experts, details causes of massive outage
CrowdStrike has published a technical root cause analysis of what went wrong when a content update pushed to its Falcon sensors borked over 8.5 million Windows machines around the world on July 19, and has confirmed that it has hired two unnamed third-party software security vendors to review the security and quality assurance of the Falcon sensor code.
Expanding on its preliminary post-incident review, the company went into more detail about how the faulty Rapid Response Content - delivered as content configuration updates - failed to be spotted before doing damage.
"Rapid Response Content is delivered through Channel Files and interpreted by the sensor's Content Interpreter, using a regular-expression based engine. Each Rapid Response Content channel file is associated with a specific Template Type built into a sensor release. The Template Type provides the Content Interpreter with activity data and graph context to be matched against the Rapid Response Content."
The other contributing causes were: the fact that CrowdStrike did not have specific testing that would catch the mismatch, an out-of-bounds read issue in the Content Interpreter, and the fact that the company pushed the updates to every sensor out there.
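To make the out-of-bounds read and the missing validation concrete, here is an added illustration constructed for this summary (not CrowdStrike's code, and not the Falcon sensor's real data structures): a minimal template/channel-entry interpreter that rejects a field index the template does not supply, plus the pre-deployment check that would flag such a mismatch. The struct and function names and the three-field sample template are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration (not CrowdStrike's code): a template type
 * declares how many input fields the sensor supplies; a channel-file
 * entry names the field index its pattern is matched against. */
struct template_type { const char *name; size_t field_count; };
struct channel_entry { size_t field_index; const char *pattern; };
enum { NO_MATCH = 0, MATCH = 1, ERR_FIELD_OOB = -1 };

/* Hardened interpreter step: the field index is checked against the
 * template's field count, and the field count against the inputs the
 * sensor actually handed over, before the inputs array is indexed. An
 * entry referencing a missing field is rejected, not read out of bounds. */
int interpret_entry(const struct template_type *tt,
                    const struct channel_entry *e,
                    const char *const inputs[], size_t n_inputs)
{
    if (tt->field_count > n_inputs || e->field_index >= tt->field_count)
        return ERR_FIELD_OOB;
    return strstr(inputs[e->field_index], e->pattern) ? MATCH : NO_MATCH;
}

/* Pre-deployment validation of a whole channel file against its template
 * type: the check that flags a field-count mismatch before any sensor
 * loads the content. Returns the index of the first bad entry, or -1. */
long validate_channel(const struct template_type *tt,
                      const struct channel_entry *entries, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (entries[i].field_index >= tt->field_count)
            return (long)i;
    return -1;
}

/* Constructed sample: a three-field template, a channel file whose third
 * entry references a fourth field, and a template that claims four fields
 * while the sensor only delivers three (a template/sensor mismatch). */
static const struct template_type sample_tt = { "sample-template", 3 };
static const struct template_type mismatched_tt = { "claims-four", 4 };
static const struct channel_entry sample_entries[] = {
    { 0, "svc" }, { 2, "cmd" }, { 3, "never" },
};
static const char *const sample_inputs[] = { "svchost", "user", "cmd.exe" };

int demo_in_bounds(void)   /* entry 1 matches input 2 ("cmd.exe") -> MATCH */
{ return interpret_entry(&sample_tt, &sample_entries[1], sample_inputs, 3); }
int demo_out_of_bounds(void) /* entry 2 names field 3 -> ERR_FIELD_OOB */
{ return interpret_entry(&sample_tt, &sample_entries[2], sample_inputs, 3); }
int demo_template_mismatch(void) /* template wants 4, sensor gives 3 -> ERR */
{ return interpret_entry(&mismatched_tt, &sample_entries[0], sample_inputs, 3); }
long demo_validate(void)   /* validation reports entry index 2 */
{ return validate_channel(&sample_tt, sample_entries, 3); }
```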
On the topic of security sensors needing to leverage kernel drivers, CrowdStrike says that as new versions of Windows add support for performing more security functions in user space, CrowdStrike updates its agent to use them and will continue to do so.
Delta Air Lines is looking into suing both CrowdStrike and Microsoft, in hopes of recouping some of the massive losses it experienced because of the outage and getting regulators and the US Department of Transportation off its back.
News URL
https://www.helpnetsecurity.com/2024/08/07/crowdstrike-outage-causes/