The cybersecurity firm says a misconfigured rapid response content update on its Falcon platform caused PCs to crash around the world.
Cybersecurity company CrowdStrike has released an update on what caused a global wave of Windows PCs to crash into the famous blue screen of death.
As we know, the issue was an update pushed to the company’s Falcon endpoint detection and response platform; specifically, a single misconfigured Rapid Response Content update sent to the Falcon sensor on those machines.
The update affected sensor version 7.11 and higher and was released on July 19 at 04:09 UTC. All machines running that version of the sensor that were online between 04:09 UTC and 05:27 UTC (when the update was rolled back) were affected.
Unlike Sensor Content, whose deployment to their fleet of machines customers control, Rapid Response Content is deployed automatically so that new threats can be tracked and identified quickly.
“Threat detection engineers use this capability to collect telemetry, identify indicators of adversary behavior, and perform detections and preventions,” CrowdStrike said in a July 24 update to its Guidance and Remediation Center for the incident.
“Rapid response content is behavioral heuristics, separate and distinct from the AI detection and prevention capabilities in the CrowdStrike sensor.”
Rapid Response Content is published as “template instances,” which are mapped to “specific behaviors for the sensor to observe, detect, or prevent.” Template instances have a set of fields that can be configured to match the desired behavior.
In this case, it was an InterProcessCommunication (or IPC) template type, which was first tested and validated on March 5 and deployed the same day via channel file 291.
“Three additional IPC template instances were subsequently deployed between April 8, 2024 and April 24, 2024,” CrowdStrike said.
“These template instances performed as expected in production.”
But on July 19, “two additional IPC template instances were deployed. Due to a bug in the Content Validator, one of the two template instances passed validation despite containing problematic content data.”
“Based on testing performed prior to the initial deployment of the template type (on March 5, 2024), confidence in checks performed on the content validator, and previous successful deployments of the IPC template instance, these instances were deployed in production,” CrowdStrike said.
When received and loaded by the Falcon Sensor, the “problematic content in channel file 291 resulted in an out-of-bounds memory read that triggered an exception.”
“This unexpected exception could not be handled correctly, resulting in a Windows operating system crash (BSOD),” CrowdStrike said.
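The failure chain described above (a validator that lets through content referencing data the sensor does not have, followed by an out-of-bounds read in the sensor when that content is loaded) can be illustrated with a small model. The C code below is an added example written for this article, not CrowdStrike’s code, and the record layout, the field and rule counts, and the off-by-one defect in the “buggy” validator are all constructed for illustration; nothing here reflects the real Channel File 291 format or the actual bug. It shows a defective validator that accepts a rule indexing one past the last field, a corrected validator that rejects it, and a sensor-side evaluator that re-checks every index at read time and returns a controlled error rather than reading outside its buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of a Rapid Response Content template
 * instance: a record that declares how many input fields it carries, plus
 * a set of detection rules that each read one field by index. This is NOT
 * the real Channel File 291 layout; only the shape of the problem is shown. */
#define MAX_FIELDS 32
#define MAX_RULES   8

typedef struct {
    uint32_t field_count;                 /* fields actually present */
    uint32_t fields[MAX_FIELDS];          /* field values, zero where unused */
    uint32_t rule_count;
    uint32_t rule_field_index[MAX_RULES]; /* field each rule reads */
} template_instance_t;

/* Hypothetical defective validator: the comparison lets a rule reference
 * index == field_count, i.e. one past the last field that exists. */
bool validate_buggy(const template_instance_t *t) {
    if (t->field_count > MAX_FIELDS || t->rule_count > MAX_RULES) return false;
    for (uint32_t i = 0; i < t->rule_count; i++)
        if (t->rule_field_index[i] > t->field_count) return false; /* should be >= */
    return true;
}

/* Corrected validator: every referenced index must be strictly below field_count. */
bool validate_fixed(const template_instance_t *t) {
    if (t->field_count > MAX_FIELDS || t->rule_count > MAX_RULES) return false;
    for (uint32_t i = 0; i < t->rule_count; i++)
        if (t->rule_field_index[i] >= t->field_count) return false;
    return true;
}

/* Sensor-side evaluation with defense in depth: even if the validator was
 * wrong, each index is checked again before the read, and a bad index is
 * reported as a status code instead of becoming an out-of-bounds access. */
typedef enum { EVAL_OK = 0, EVAL_BAD_INDEX = 1 } eval_status_t;

eval_status_t evaluate_rules_checked(const template_instance_t *t, uint32_t *sum_out) {
    uint32_t sum = 0;
    if (t->field_count > MAX_FIELDS || t->rule_count > MAX_RULES) return EVAL_BAD_INDEX;
    for (uint32_t i = 0; i < t->rule_count; i++) {
        uint32_t idx = t->rule_field_index[i];
        if (idx >= t->field_count) return EVAL_BAD_INDEX; /* refuse the content, do not crash */
        sum += t->fields[idx];
    }
    *sum_out = sum;
    return EVAL_OK;
}

/* Constructed sample: 20 fields present (valid indices 0..19), one rule
 * that references index 20. */
template_instance_t make_bad_instance(void) {
    template_instance_t t = {0};
    t.field_count = 20;
    for (uint32_t i = 0; i < 20; i++) t.fields[i] = i + 1;
    t.rule_count = 1;
    t.rule_field_index[0] = 20;
    return t;
}

/* Constructed sample: same fields, rules that read fields 0 and 19. */
template_instance_t make_good_instance(void) {
    template_instance_t t = {0};
    t.field_count = 20;
    for (uint32_t i = 0; i < 20; i++) t.fields[i] = i + 1;
    t.rule_count = 2;
    t.rule_field_index[0] = 0;
    t.rule_field_index[1] = 19;
    return t;
}

int main(void) {
    template_instance_t bad = make_bad_instance();
    template_instance_t good = make_good_instance();
    uint32_t sum = 0;
    printf("buggy validator accepts bad instance: %d\n", validate_buggy(&bad));
    printf("fixed validator accepts bad instance: %d\n", validate_fixed(&bad));
    printf("checked evaluation of bad instance: status %d\n",
           (int)evaluate_rules_checked(&bad, &sum));
    printf("checked evaluation of good instance: status %d, sum %u\n",
           (int)evaluate_rules_checked(&good, &sum), sum);
    return 0;
}
```

The point for a defender is the second layer: the validator is the first gate, but the component that consumes the content (here, something that would run in the kernel) must treat the content as untrusted input as well, so a validator bug degrades into a rejected update rather than an unhandled exception.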
In response to the incident, which affected more than 8 million Windows 10 PCs, CrowdStrike has said it will improve its rapid response content testing and add more validation checks to specifically protect against the deployment of such content.
Additionally, the company will improve the error handling that already exists in the sensor and, perhaps most importantly, will stagger the deployment of Rapid Response Content and give customers control of the process “by allowing granular selection of when and where these updates are deployed.”
“In addition to this preliminary post-incident review, CrowdStrike is committed to publicly releasing the full root cause analysis once the investigation is complete,” CrowdStrike said.