this post was submitted on 20 Jul 2024
21 points (100.0% liked)

Programmer Humor

32721 readers
369 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 5 months ago (1 children)

Was this the root cause??? Hahahaha

[–] [email protected] 2 points 5 months ago (1 children)
[–] [email protected] 2 points 5 months ago* (last edited 5 months ago) (1 children)

Lit, I've been waiting for this.

Edit: That's mostly a high-level overview. Do you have some actual reverse-engineering you can point me to?

[–] [email protected] 2 points 5 months ago

It's a proprietary enterprise security product so I think it'll be difficult to get information until they give a proper post-mortem (if they do so). Here's hoping someone can put it all together though.

From what we have from CrowdStrike so far, the Channel File 291 update was to combat some use of Named Pipes in Windows malware.

This seems to have triggered a null pointer exception in the Falcon kernel driver as it loaded this Channel File. CrowdStrike say this is not related to the large null sections of one of the files but haven't really explained what did trigger it.

Regardless, the kernel driver ought to have been statically analysed to detect this kind of memory hazard, or written in a language that prevents this class of bugs altogether. This is a priority of the US government right now, but CrowdStrike doesn't seem to have got the memo.