How many people have a bunch of PCs that are down right now?

Interesting watch - https://www.youtube.com/watch?v=wAzEJxOo1ts

3 Likes

I'm seeing on LinkedIn that there was a null pointer used that in turn attempted to access an invalid memory address.

1 Like

No way just one person is able to push a forced update to all PCs without review, tests, or even partial/region deploys, right? xd

Lol they learned to revert the problem... but this should never have even been able to happen in the first place. Anyone that uses this should uninstall it yeah

4 Likes

Zack Vorhies broke it down on Twitter. It was a C++ pointer in software that is loaded on startup and runs at a very high permissions level. It was getting pointed to an invalid place in memory, which causes Windows to crash, but then it opens the software again on load, so it caused a boot loop.

1 Like

I was in O'Reilly's this morning buying some windshield wipers for my truck. The guy was having trouble getting his table to sort the parts by price, and I said, "Hey, at least it isn't blue screened."

He proudly replied, "These are all Linux machines. They don't blue screen."

8 Likes

I think Crowdstrike's blog post on this is carefully worded. They claim it's not a kernel mode driver, yet in the video @bkarabinchak.psi posted, essentially it sounds like they have a kernel mode driver that is dynamically loading code from these definition files that runs in the kernel/ring 0. This is the quickest way for them to push updates to kernel mode "drivers" without getting them re-certified to be able to adapt to zero-day vulnerabilities.

I think in businesses maybe software like AV/Anti-Malware/Cybersecurity should be diversified just like firewalls should be to add additional layers of protection. Run portions of servers on different software so that in the event one has an issue or is compromised in any way, you're only half down. Terminals in banks/airports/etc would be backed up, but not completely down.

2 Likes
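As an added example (not code from this thread, and not any vendor's code), here is what the pointer failure described in the two posts above looks like in a small user-space C sketch of a driver parsing a definition file: an unchecked parser that turns a file-supplied offset straight into a pointer, beside one that validates every value against the buffer length and rejects a malformed file instead of dereferencing it. The record layout, function names and sample bytes are all constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a content/definition record: a header saying where a
 * table of 8-byte rules starts in the blob and how many there are. The layout is
 * hypothetical, not any real product's format. */
typedef struct { uint32_t table_offset; uint32_t rule_count; } def_header_t;

/* Unchecked: trusts the file-supplied offset. A zero or out-of-range offset becomes
 * a pointer to nothing; in ring 0 that read is a bugcheck, and a driver that reloads
 * the same file at every start turns one bad file into a boot loop. */
static uint32_t sum_rules_unchecked(const uint8_t *blob) {
    const def_header_t *h = (const def_header_t *)blob;
    const uint32_t *rules = (const uint32_t *)(blob + h->table_offset);
    uint32_t sum = 0; for (uint32_t i = 0; i < h->rule_count * 2; i++) sum += rules[i];
    return sum;
}

/* Checked: every file-derived value is validated against the real length before it
 * becomes a pointer; a malformed file is rejected (-1) instead of dereferenced. */
static int sum_rules_checked(const uint8_t *blob, size_t len, uint32_t *out) {
    def_header_t h;
    if (blob == NULL || len < sizeof h) return -1;
    memcpy(&h, blob, sizeof h);                               /* no unaligned access */
    if (h.table_offset < sizeof h || h.table_offset >= len) return -1;
    if (h.rule_count > (len - h.table_offset) / 8) return -1; /* table must fit */
    uint32_t sum = 0;
    for (uint32_t i = 0; i < h.rule_count; i++) {
        uint32_t r[2];
        memcpy(r, blob + h.table_offset + 8 * (size_t)i, sizeof r);
        sum += r[0] + r[1];
    }
    *out = sum;
    return 0;
}

/* Constructed sample file: 8-byte header followed by four uint32 rule words. */
static size_t build_blob(uint8_t *buf, uint32_t table_offset, uint32_t count) {
    def_header_t h = { table_offset, count };
    uint32_t rules[4] = { 1, 2, 3, 4 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, rules, sizeof rules);
    return sizeof h + sizeof rules;                           /* 24 bytes */
}
int demo_good(void) {                 /* well-formed file: both parsers agree on 10 */
    _Alignas(uint32_t) uint8_t buf[24]; uint32_t s = 0; size_t n = build_blob(buf, 8, 2);
    if (sum_rules_checked(buf, n, &s) != 0) return -1;
    return s == sum_rules_unchecked(buf) ? (int)s : -2;
}
int demo_bad_offset(uint32_t off) {   /* offset 0 (the null case) or past the end: -1 */
    uint8_t buf[24]; uint32_t s = 0; size_t n = build_blob(buf, off, 2);
    return sum_rules_checked(buf, n, &s);
}
```

The unchecked parser is only ever called on the well-formed sample here; the checked one is what a kernel component should look like, since it fails closed on the same bad input instead of faulting.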

I think the real issue as @pturmel pointed out is that a single company has kernel access to millions of computers across industries. I assume Crowdstrike had a target on its back before, but I think it just got 10x larger with seeing how much damage they could do. How much do we trust their internal security, especially after their internal culture allowed them to make a mistake like the one they just did? Trust is easy to lose and hard to get back in their space. Their stock is tanking and estimates now are $900 billion worth of damages inflicted from the mistake and probably still counting - I know some airports are still having issues for instance. When we inevitably start seeing lawsuits, who knows how long they may even be around for going forward tbch.

I know this was not all related to what you said, but this whole story has got me swept up in it lol.

2 Likes

doubt very many

On the bright side, the memes have been great. This one pretty much sums up my view on what happened:

So far, I'd have to say this one is my favorite: :rofl:

4 Likes

I know of a handful of plants that were taken down by this. It definitely impacted industrial automation.

As for our company... We weren't putting Crowdstrike on anything and we will continue in that vein.

1 Like

If you don't put Crowdstrike on boxes, but some other third party AV solution, you have to have given that other solution similar privilege. Maybe Crowdstrike was the biggest, but AV tools must have high privilege to do their job. That, mixed with automatic updates, simply yields another security hole. :man_shrugging:

You need an OS that is fundamentally secure out of the box, whose public access is provided by easily-constrained, well-audited applications. Updated on command, not automatically.

I'll consider trusting Windows when there is no longer a market for kernel-resident AV tools.

4 Likes

This is a very good video so far, excellent explanation, will probably follow this guy's channel.

2 Likes

Concur.

1 Like

I'm setting up an Ubuntu server to test right now. Hopefully, I can switch production to it soon :slight_smile:

5 Likes