@pancake @thephd

Reading #CrowdStrike's own technical details publication, which is light on technical details, there is an implication that the "channel file" in question is not even code at all, but a data file, the rough equivalent of an AV signature file. (CrowdStrike does not really explain to the world what its "channel files" are.) The implication is that whatever processed the updated data file is not good at handling corrupted data.

https://mastodonapp.uk/@JdeBP/112820518952555749

#MO821132

@[email protected] Be careful about the assumption that there even was a NULL pointer dereference. There has not yet, to my knowledge, been a proper analysis published of what the failure caused by the bad "channel file" actually was. #CrowdStrike's own report is not specific on this matter and just vaguely says "a logic error that resulted in an operating system crash". There are *lots* of possibilities that will cause a BSOD. And the pictures in the news won't help you. https://mastodonapp.uk/@JdeBP/112813708543808092

@RandomDamage

As @cynicalsecurity has pointed out elsethread, this sort of provision disclaiming warranty as much as possible is very common in software licence agreements.

#law #CrowdStrike #MO821132

@cavyherd @GramrgednAngel @Violinknitter

(… Continued)

But (conversely) if you got the update Thursday evening before you powered off to go home and your work PC has not been booted up since, you may have the other kind of luck. (-:

#CrowdStrike #MO821132

@cavyherd @GramrgednAngel @Violinknitter

It really all depends on timing.

For example: I've read reports from people who lucked out and missed the update because contrary to the instructions of their IT people they turned off their office PCs on Thursday evening, and by the time they turned them on the next morning, the update had been withdrawn. So their PCs never had the bad "channel file".

(Continued …)
#CrowdStrike #MO821132

@ampersine @shanselman

Yes. I caught up on that after I had caught up on the FediVerse posts.

I have a suspicion that the NULs thing is one of those Chinese Whispers distortions of someone talking about NULL pointers, in turn because they've just guessed that that was the STOP that occurred. (alas, see https://mastodonapp.uk/@JdeBP/112813708543808092, though)

I've certainly not seen an authoritative analysis of the specific crash that happens, yet, and certainly #CrowdStrike has not supplied one.

#MO821132

One interesting aspect of the #CrowdStrike saga is the #BadJournalism, where instead of actually getting a photographer out to one of the millions of PCs showing a BSOD today, some of which might even have been in the news organization's own offices, journalists have pulled up a stock BSOD image showing some random other error. I've seen critical thread/process terminations, unhandled exceptions, buffer overflows, and stack overruns so far. #NeverWindows11 #MO821132 #journalism @[email protected] @wood5y

It turns out that there is an even lower barrier that kept this from being Linux panic day than it at first seemed.

It now transpires that the "channel file" involved is not used on the Linux version of #CrowdStrike's Falcon system, because it applies to NT's named pipes.

So if it had simply been a bad "channel file" common to more platforms instead, Black Friday could have been a hat trick combo of Microsoft Windows being taken down, Linux systems panicking, and Microsoft's #MO821132.

All of the Linux people being smug don't know that #CrowdStrike's Falcon Sensor has a Linux version, that integrates into the kernel, and has "channel files" too. They have escaped through accident, not by dint of any inherent superiority. In another universe where Linux systems were instead deployed in the many businesses/public services/governments with CrowdStrike as the common anti-malware choice, today would have been Linux panic day. https://crowdstrike.com/press-releases/crowdstrike-falcon-expands-linux-protection-with-enhanced-prevention-capabilities/ #NeverWindows11 #MO821132

@shanselman

I saw an unsubstantiated claim this morning that the "channel file" to delete was full of NULs. If true, then the failure cannot even be down to a bad line of code, as it would also involve whatever tool generated the bad data file going very wrong.

However:

I am inclined to disbelieve this claim, as (for starters) this would result in a file without a valid PE header and a "channel file" is notionally an NT driver file as far as I can tell.

#CrowdStrike #MO821132
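The post above reasons that a file consisting entirely of NULs could not carry a valid PE header. As an added example (not code from the original post, and not anything CrowdStrike ships), here is the header sanity check that reasoning relies on: it walks the IMAGE_DOS_HEADER, follows e_lfanew to the PE signature and reads the IMAGE_FILE_HEADER, reporting the first defect it finds. The two sample images are constructed in the script and are not real channel files; whether channel files actually have PE headers is the post's own supposition, which this script does not settle.

```python
"""Sanity-check the PE (MZ / PE\\0\\0) header of a file image.

Added example, not code from the original post. The sample images below are
constructed here; they are not real CrowdStrike channel files.
"""
import struct
import sys
from typing import Optional

DOS_HEADER_LEN = 0x40          # IMAGE_DOS_HEADER is 64 bytes
E_LFANEW_OFFSET = 0x3C         # offset of the pointer to the NT headers
FILE_HEADER_FMT = "<HHIIIHH"   # IMAGE_FILE_HEADER: Machine, NumberOfSections,
                               # TimeDateStamp, PointerToSymbolTable,
                               # NumberOfSymbols, SizeOfOptionalHeader,
                               # Characteristics (20 bytes, little-endian)
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020


def pe_header_problem(data: bytes) -> Optional[str]:
    """Return a description of the first header defect found, or None when the
    DOS header, e_lfanew, PE signature and file header all look plausible."""
    if len(data) < DOS_HEADER_LEN:
        return "too short for an IMAGE_DOS_HEADER"
    if data[:2] != b"MZ":
        # A file of all NULs fails right here: its first two bytes are 0x00 0x00.
        return "no MZ signature at offset 0"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    file_hdr_end = e_lfanew + 4 + struct.calcsize(FILE_HEADER_FMT)
    if e_lfanew < DOS_HEADER_LEN or file_hdr_end > len(data):
        return f"e_lfanew 0x{e_lfanew:x} does not point inside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return f"no PE signature at e_lfanew 0x{e_lfanew:x}"
    _machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4)
    if nsections == 0:
        return "zero sections"
    if opt_size == 0:
        return "SizeOfOptionalHeader is 0 (object file, not an image)"
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "IMAGE_FILE_EXECUTABLE_IMAGE not set in Characteristics"
    return None


def make_minimal_pe() -> bytes:
    """Constructed sample: DOS header plus PE signature and file header for an
    x64 image with one section. Not a loadable driver, just enough header for
    the checks above to pass."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = b"MZ"
    # NT headers start immediately after the DOS header.
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_LEN)
    file_hdr = struct.pack(
        FILE_HEADER_FMT,
        IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 0xF0,
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_LARGE_ADDRESS_AWARE)
    return bytes(dos) + b"PE\0\0" + file_hdr


def make_all_nuls(size: int = 4096) -> bytes:
    """Constructed sample: the 'file full of NULs' from the claim."""
    return bytes(size)


if __name__ == "__main__":
    samples = {"minimal-pe": make_minimal_pe(), "all-nuls": make_all_nuls()}
    for path in sys.argv[1:]:          # optionally check real files too
        with open(path, "rb") as f:
            samples[path] = f.read()
    for name, image in samples.items():
        print(f"{name}: {pe_header_problem(image) or 'PE header looks valid'}")
```

Run it with no arguments to see the two constructed samples classified, or pass file paths to check real files. The check deliberately stops at the IMAGE_FILE_HEADER: it is enough to show why an all-NUL file cannot be a PE image, without pretending to validate section tables or signatures.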

@L2actual

Well Randall had nothing else to do that day. (-:

#CrowdStrike #MO821132 #xkcd

@cynicalsecurity

Read them and find out.

https://crowdstrike.com/terms-conditions/

You are looking for §8.2 and §8.6.

#CrowdStrike #MO821132