{"id":45987,"date":"2024-07-24T21:54:50","date_gmt":"2024-07-25T01:54:50","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=45987"},"modified":"2024-07-24T21:54:50","modified_gmt":"2024-07-25T01:54:50","slug":"crowdstrike-releases-an-update-from-initial-post-incident-review-hashtag-trending-special-edition-for-thursday-july-25-2024","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/crowdstrike-releases-an-update-from-initial-post-incident-review-hashtag-trending-special-edition-for-thursday-july-25-2024\/","title":{"rendered":"CrowdStrike releases an update from initial Post Incident Review: Hashtag Trending Special Edition for Thursday July 25, 2024"},"content":{"rendered":"<p>Security vendor CrowdStrike released an update from their initial Post Incident Review today.<\/p>\n<p><iframe style=\"border: none;\" title=\"Embed Player\" src=\"https:\/\/play.libsyn.com\/embed\/episode\/id\/32285597\/height\/192\/theme\/modern\/size\/large\/thumbnail\/yes\/custom-color\/020300\/time-start\/00:00:00\/playlist-height\/200\/direction\/backward\/download\/yes\/font-color\/FFFFFF\" width=\"100%\" height=\"192\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>The first, and most surprising, piece of information was that CrowdStrike says the incident was not caused by code or a kernel driver \u2013 the kernel driver was the assumed cause in most industry speculation.<\/p>\n<p>This might be semantics to some extent, especially since the offending file is stored in a folder called system32\\drivers\\CrowdStrike.<\/p>\n<p>But clearly, whatever you call it, CrowdStrike acknowledges that this file contains data which \u201cresulted in an out-of-bounds memory read triggering an exception\u201d that Windows was not set up to handle \u201cgracefully\u201d and that this resulted in the crash.<\/p>\n<p>I\u2019m not trying to attribute anything to CrowdStrike, I\u2019m sure they take accountability, but the suggestion that Windows should just have been able 
to handle this \u201cgracefully\u201d might seem to some like passing the buck.<\/p>\n<p>But if the driver\/non-driver issue is somewhat confusing, we did get an answer to the question that many of us were asking, and that is \u201cwhy didn\u2019t their testing catch this?\u201d<\/p>\n<p>The report lists a very thorough testing procedure before release which is, on our reading, pretty much consistent with industry best practices. So the template did go through a testing regime.<\/p>\n<p>CrowdStrike notes that they issued two other templates at the same time and that both of these \u201cbehaved as expected.\u201d<\/p>\n<p>So what went wrong?<\/p>\n<p>Apparently, it was a bug in what CrowdStrike refers to as the \u201cContent Validator\u201d which allowed this template to pass through despite having problematic data.<\/p>\n<p>Reliance on that \u201cContent Validator\u201d was apparently the issue, which still raises another question \u2013 whether you call this a template or a driver, shouldn\u2019t the severe implication of a null value (or whatever the problematic value was) have been anticipated?<\/p>\n<p>We got some additional answers as to why multiple reboots of a machine might be necessary to correct the error. Apparently, this \u201ctemplate\u201d can\u2019t simply be deleted remotely or overwritten. It stays in the sensor\u2019s directory.<\/p>\n<p>Cleverly, their team, in a very short time, opted to put the file on their \u201cknown-bad\u201d list, and after multiple reboot attempts it could be blocked and normal activity resumed.<\/p>\n<p>A couple of assurances were offered to CrowdStrike customers. 
First, CrowdStrike is stating that there is no impact to the protection on working systems.<\/p>\n<p>Second, they have listed a number of things that they will do to \u201cprevent this in the future,\u201d among these:<\/p>\n<ul>\n<li>Adding further checks to the Content Validator<\/li>\n<li>Staggering deployment to gradually release to their base, starting with what they refer to as a \u201ccanary\u201d deployment, harking back to the old idea of taking a canary into a coal mine because the canary would die more quickly than a human.<\/li>\n<\/ul>\n<p>I\u2019d normally say that there is a link to the complete text included in our show notes, but as a reminder that this is a time when, as CrowdStrike CEO George Kurtz warned, \u201cadversaries and bad actors\u201d are trying to take advantage of this situation \u2013 you should ensure that you take information only from the CrowdStrike site. So just go to CrowdStrike.com \u2013 the link to their remediation hub should be obvious.<\/p>\n<p>And there are some good resources that you may want to refer to. The video that they issued on how an end user can fix the problem is well done, clear, and provides step-by-step instructions that even a novice could follow \u2013 so if anyone still has people in the field affected, or if you know small companies or individuals that somehow got hit, this is worth looking at.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security vendor CrowdStrike released an update from their initial Post Incident Review today. The first, and most surprising, piece of information was that CrowdStrike says the incident was not caused by code or a kernel driver \u2013 the kernel driver was the assumed cause in most industry speculation. 
This might be semantics to some extent [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":45988,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1083,360,16,28],"tags":[1346,198,275],"class_list":["post-45987","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashtag-trending","category-podcasts","category-security","category-software","tag-hashtag-trending","tag-podcast","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/45987","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=45987"}],"version-history":[{"count":1,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/45987\/revisions"}],"predecessor-version":[{"id":45989,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/45987\/revisions\/45989"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/45988"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=45987"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=45987"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=45987"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}