July 24 (Portaltic/EP) –
The flawed CrowdStrike update that affected Windows computers worldwide last Friday was due to an undetected bug, the security firm has shared in the preliminary results of its investigation.
A bug in the Falcon update disabled computers running the Microsoft operating system in companies across all sectors around the world on Friday, displaying the so-called ‘blue screen of death’.
Initially, CrowdStrike’s CEO confirmed that the cause was an error in an update to its platform and that it was not “a security incident or a cyberattack.”
Now, the firm has shared the preliminary results of its post-incident review, which states that the Windows system crash “involved a rapid response content update with an undetected error.”
Rapid Response Content Update is designed to quickly respond to the changing threat landscape and is delivered as a content configuration update – part of the Falcon cloud platform – that creates template instances. These equip the sensor with new capabilities to detect and analyze behavior in real time.
These instances are implemented through so-called channel files, which are written to the host’s disk. The content interpreter – a component of the sensor – then reads the file and interprets it so that the sensor can act on malicious activity, depending on the policy settings of the client, which in this case is Microsoft.
CrowdStrike claims that “newly released template types are stress tested across many aspects, including resource utilization, impact on system performance, and event volume.”
According to its timeline, two additional template instances were deployed on July 19, in addition to the template instance launched on March 5 after passing stress tests. However, on Friday, “due to a bug in the content validator, one of the two template instances passed validation despite containing problematic content data,” as the security firm explains.
“When received by the sensor and loaded into the content interpreter, problematic content in channel file 291 caused an out-of-bounds memory read that triggered an exception. This unexpected exception could not be handled correctly, resulting in a crash of the Windows operating system,” they conclude in the preliminary results.
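The failure described above comes down to an interpreter trusting content that an upstream validator had wrongly approved. The C sketch below is an added example, not CrowdStrike's code: the record layout, function names and sample bytes are hypothetical and constructed here, and it shows an interpreter that bounds-checks content itself at load time and rejects it instead of reading out of bounds.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout, constructed for this example (not the real channel file format):
 *   byte 0: number of input fields the sensor supplies (n_fields)
 *   byte 1: number of rules (n_rules)
 *   then n_rules pairs of { field_index, expected_value } */
enum { LOAD_OK = 0, LOAD_TRUNCATED = -1, LOAD_BAD_INDEX = -2 };

typedef struct {
    uint8_t n_fields;
    uint8_t n_rules;
    const uint8_t *rules;   /* points into the caller's buffer */
} instance_t;

/* Interpreter-side check: runs on every load, whatever the upstream
 * validator decided. Rejects content instead of reading past the input. */
int load_instance(const uint8_t *buf, size_t len, instance_t *out)
{
    if (len < 2) return LOAD_TRUNCATED;
    uint8_t n_fields = buf[0], n_rules = buf[1];
    if (len - 2 < (size_t)n_rules * 2) return LOAD_TRUNCATED;
    for (size_t i = 0; i < n_rules; i++)
        if (buf[2 + 2 * i] >= n_fields) return LOAD_BAD_INDEX;
    out->n_fields = n_fields;
    out->n_rules = n_rules;
    out->rules = buf + 2;
    return LOAD_OK;
}

/* Returns 1 if all rules match, 0 if not, -1 if the event has too few fields. */
int evaluate(const instance_t *inst, const uint8_t *fields, size_t n)
{
    if (n < inst->n_fields) return -1;
    for (size_t i = 0; i < inst->n_rules; i++)
        if (fields[inst->rules[2 * i]] != inst->rules[2 * i + 1]) return 0;
    return 1;
}

/* Constructed samples: GOOD references fields 0 and 2 of 3; BAD references field 3. */
static const uint8_t GOOD[] = { 3, 2, 0, 0x41, 2, 0x43 };
static const uint8_t BAD[]  = { 3, 2, 0, 0x41, 3, 0x43 };

int main(void)
{
    instance_t inst;
    if (load_instance(GOOD, sizeof GOOD, &inst) != LOAD_OK) return 1;
    return load_instance(BAD, sizeof BAD, &inst) == LOAD_BAD_INDEX ? 0 : 1;
}
```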