Challenge Accepted

RandomLegend , 4 hours ago

You called our instance? :D

JPAKx4 , 2 hours ago

I had no idea that’s what dbzer0 stood for!

kionite231 , 2 hours ago

Ohhh dbzer0 = divide by zero

TIL

ArchAengelus , 1 hour ago

There are dozens of us. Dozens!

RandomLegend , 1 hour ago

Well actually we have 12,572 registered users :D

CanadaPlus , 1 hour ago

A kilodozen.

Yondoza , 3 hours ago

Was this the root cause??? Hahahaha

yogthos OP , 2 hours ago

here’s a good overview of what happened thestack.technology/crowstrike-null-pointer-blame…

CanadaPlus , 1 hour ago (edited 1 hour ago)

Lit, I’ve been waiting for this.

Edit: That’s mostly a high-level overview. Do you have some actual reverse-engineering you can point me to?

yogthos OP , 57 minutes ago

sorry, I haven’t looked if there’s a more detailed analysis yet

CanadaPlus , 49 minutes ago

Unfortunately most of the stuff I see linked is Twitter, and I’m not in the walled garden.

yogthos OP , 16 minutes ago

I’m sure somebody will do a proper write up in a few days.

Morphit , 2 minutes ago

It’s a proprietary enterprise security product so I think it’ll be difficult to get information until they give a proper post-mortem (if they do so). Here’s hoping someone can put it all together though.

From what we have from CrowdStrike so far, the Channel File 291 update was to combat some use of Named Pipes in Windows malware.

This seems to have triggered a null pointer exception in the Falcon kernel driver as it loaded this Channel File. CrowdStrike say this is not related to the large null sections of one of the files but haven’t really explained what did trigger it.

Regardless, the kernel driver ought to have been statically analysed to detect this kind of memory hazard, or written in a language that prevents this class of bugs altogether. This is a priority of the US government right now, but CrowdStrike doesn’t seem to have got the memo.

beeng , 2 hours ago

Inserting Rust comment here :)