CrowdStrike blames crash on buggy security-content update
A buggy “security content configuration update” to CrowdStrike’s Falcon sensor, which is aimed at gathering telemetry on novel threat techniques for Windows, has been confirmed as the root cause of the problem that crashed computers around the world on July 19, and is still having an impact on global IT teams, the vendor says.
CrowdStrike — which has been thrust into the spotlight in the last week for all the wrong reasons — released a “preliminary Post Incident Review (PIR)” today identifying a defect in a Rapid Response Content configuration update as the reason for the global incident, which caused massive disruptions to business continuity and headaches for travelers, hospital patients, and business professionals alike.
These kinds of updates are one of the ways that CrowdStrike — which provides some 29,000 customers with cloud-based software for endpoint detection and response (EDR) — delivers new security content to its software, and are “a regular part of the dynamic protection mechanisms of the Falcon platform,” according to the PIR report. Rapid Response Content specifically updates CrowdStrike’s software with the latest threat intelligence, designed “to respond to the changing threat landscape at operational speed,” according to the report.
“When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception,” according to CrowdStrike. “This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSOD).”
CrowdStrike also used the release of the report to take to social media to apologize yet again for the outage, which many organizations are still in the process of mitigating.
“We can’t repeat enough, we’re aware of the impact and deeply sorry this occurred,” the company posted on social media platform X. “We want to thank our customers and industry partners for their support and assistance following the release of a faulty content update. We know what happened and how to make sure it doesn’t happen again.”
The Update Heard Round the World
Indeed, the report details step-by-step the leadup to Friday’s incident and its immediate aftermath, as well as how the company is responding to the issue to prevent a repeat performance.
To read the complete article, visit Dark Reading.