CrowdStrike blames testing bugs for security update that took down 8.5M Windows PCs
- Thread starter JournalBot
- Start date
Maybe having, oh I don't know, maybe a file hash to make sure the file isn't corrupt would be helpful to their Content Validator?
Upvote
6
(7
/
-1)
Nah, it was a comically trivial failure: just a bad file, broken validation code and a lack of testing. Swiss cheese model? There's more holes than cheese.
Upvote
56
(56
/
0)
When I was in IT, I put more care than this in rolling out updates to a small (<100 device) organization.
Upvote
38
(38
/
0)
Are there already organisations that will pivot to an A/B setup with two different providers for endpoint security?
Considering that this software runs at kernel level, considering that the operational impact can be huge and considering that this isn’t the first time such a thing happens?
A/B might also cover the case where the security software doesn’t protect (yet) but competing software does.
Considering that this software runs at kernel level, considering that the operational impact can be huge and considering that this isn’t the first time such a thing happens?
A/B might also cover the case where the security software doesn’t protect (yet) but competing software does.
Upvote
7
(7
/
0)
Upvote
18
(18
/
0)
At some point, there was an MBA (or 12) in the decision making matrix. I promise you they determined it would save a few bucks to ONLY use automated unit tests and cut out the actual test deployments to actual systems.
That lab and the staff to run and maintain it would have cost them a few hundred thousand dollars a year!!! Can't absorb those kinds of operating costs in a multi billion dollar company.... what would the almighty shareholders say???
That lab and the staff to run and maintain it would have cost them a few hundred thousand dollars a year!!! Can't absorb those kinds of operating costs in a multi billion dollar company.... what would the almighty shareholders say???
Upvote
56
(58
/
-2)
Fun little anecdote about Crowdstrikes CEO George Kurtz.
In October 2009, McAfee promoted him to chief technology officer and executive vice president.[13] Six months later, McAfee accidentally disrupted its customers' operations around the world when it pushed out a software update that deleted critical Windows XP system files and caused affected systems to bluescreen and enter a boot loop. "I'm not sure any virus writer has ever developed a piece of malware that shut down as many machines as quickly as McAfee did today," Ed Bott wrote at ZDNet.[6]
Pulled from the Wiki article about him, but verified through ZDNet article and a couple of others I poked at.
So, not his first rodeo of insufficient testing and bad practices in a group he is leading...
Upvote
94
(94
/
0)
With respect to a couple of comments here, is it even possible to have written this in a memory-safe language? This runs as Windows as a kernel driver and the Windows kernel is pretty much entirely written in C. I haven't written Windows kernel code in 20+ years, so I could be way out of date, but I don't think you can write a Windows kernel driver in Rust or any other memory-safe language, at least not yet.
Second, while the crash was caused by dereferencing a bad pointer (from the excellent crash dump analysis done by David Plummer, it looks like they were adding an offset to a null pointer and dereferencing that), I'm not sure a memory safe language would've necessarily solved the problem here. It's entirely possible that since the file was invalid/corrupt, it may have triggered some other bad behavior even if a memory safe language prevented them from messing with the bad pointer.
Also, everyone, including CrowdStrike, seems to be missing the most important part: your driver itself should validate its input before doing anything with it. The kernel mode component that loads this should do its own validation prior to doing anything else with the file. I don't care what kinds of validation tools you run back in the home base before it's distributed. Any number of bad things could go wrong between when you tested it and when it gets out to a customer's system. In the end, it's up to the software running on the customer's system to validate the data and do something like log the error instead of blue screening the system. Now, their response says that they plan in "improving" the validation done in the "Content Interpreter." Frankly, it looks like whatever validation they did there was nowhere near up to snuff and I'm not going to hold my breath that they're going to do it right this time.
Second, while the crash was caused by dereferencing a bad pointer (from the excellent crash dump analysis done by David Plummer, it looks like they were adding an offset to a null pointer and dereferencing that), I'm not sure a memory safe language would've necessarily solved the problem here. It's entirely possible that since the file was invalid/corrupt, it may have triggered some other bad behavior even if a memory safe language prevented them from messing with the bad pointer.
Also, everyone, including CrowdStrike, seems to be missing the most important part: your driver itself should validate its input before doing anything with it. The kernel mode component that loads this should do its own validation prior to doing anything else with the file. I don't care what kinds of validation tools you run back in the home base before it's distributed. Any number of bad things could go wrong between when you tested it and when it gets out to a customer's system. In the end, it's up to the software running on the customer's system to validate the data and do something like log the error instead of blue screening the system. Now, their response says that they plan in "improving" the validation done in the "Content Interpreter." Frankly, it looks like whatever validation they did there was nowhere near up to snuff and I'm not going to hold my breath that they're going to do it right this time.
Upvote
65
(67
/
-2)
I wouldn't be at all surprised to seem some vendor switching; and perhaps some segregation of systems along functional lines(so that you don't, say, lose your check-in kiosks and your SQL servers to the same issue); but (at least if one takes the claims of EDR vendors remotely seriously) just slotting in a mix of systems is going to be really, really, tricky.
While they do typically do classical antivirus stuff, quarantining the low-effort known malicious stuff that comes in; the fancy special sauce you are paying for is mostly anomaly detection and correlation(across endpoints; and often with other sources, eg. Palo Alto's integration of Cortex endpoint with Prisma Access IDS) that intends to detect threatening or suspect behavior even in absence of anything for which detection signatures exist.
If you start going with different systems on different endpoints you cut down the pool across which any one can detect anomalies; and, while any credible product will support SIEM integration, it won't necessarily support it at the granularity of "literally every fiddly little thing the internal model chews on"; and even if it does it's still then up to you/your SIEM vendor to draw the correlations across signals coming in from different endpoint sensors; which is not a trivial operation.
Upvote
12
(12
/
0)
We have a customer now that's trying to automate all QA to save money.
I chuckle. Whatever. At least I'm not dealing with their idiot asses.
Upvote
35
(35
/
0)
MedicinalGoat
Ars Centurion
QA/QC doesn't return tangible value on the quarterly report so it must be a waste.
Upvote
44
(44
/
0)
I'd be happy if they allowed you to specify which update was applied to a system, so rapid response updates go immediately to QA and then a day later go to prod, applying updates at midnight to QA and 11:59PM to prod might work to minimize the chance of bugs impacting most systems but with prod spread over almost every time zone it might not as well.
Upvote
6
(6
/
0)
They could have tested on ANY computer they owned...they could have purchased one at any store. One computer is all they needed...but no....
Upvote
38
(38
/
0)
Claverhouse
Ars Centurion
CrowdStrike says it is making changes to its testing and deployment processes to prevent something like this from happening again.
That seems a very good idea.
That seems a very good idea.
Upvote
24
(24
/
0)
It's always the testers fault - it's the engineer's job to put bugs into the code and it's their job to find them.
/s. (sort of).
/s. (sort of).
Upvote
19
(19
/
0)
From the response:
They should have been doing this already. This is what the lawsuits should hinge on.
Upvote
26
(26
/
0)
I'm waiting to get some more details on the Uber Eats thing. So far is there is no official statement and just a few people reporting it on twitter. To me it smells like a joke or a scam.
Upvote
15
(15
/
0)
Someone help me out here. What is the exact dollar-value salary range where you start failing upwards?
If my one-man business was this negligent, I'd never work again. But if you get paid a fortune to run a global corp, when you fail spectacularly through sheer incompetence you just get moved to another c-suite job at a different company, and do it again. Repeat until you retire.
Look at the resumes of half these CEOs etc... and it's a trail of failure. But it's never them that suffers for it. In any sane world the consequence of failure should be higher if you get paid millions because you're supposed to be so special and important.
How much do you have to be paid before everyone suddenly decides that you don't face consequences anymore? Just curious.
Upvote
58
(58
/
0)
I read this more as "they're blaming the testing teams."
Which makes sense, considering they're generally hired to take the blame when something goes wrong.
So we have situations like this where the single point of failure is clearly the team hired to take the blame for failures. /s
Upvote
8
(8
/
0)
Dark Pumpkin
Ars Scholae Palatinae
Here's the Deep Dive analysis of what that means:
This is something anti-virus programs already do to help them detect new threats that haven't been entered into a virus database yet. This wasn't an update to add that capability to CrowdStrike, but rather to update the code involved in that capability.
Upvote
8
(9
/
-1)
This very interesting post goes into the terms of service and basically concludes that "we told you not to use this software on critical systems and if you did, it's on you"
"THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION."
https://www.hackerfactor.com/blog/index.php?/archives/1038-When-the-Crowd-Strikes-Back.html
Upvote
18
(19
/
-1)
True, but fuzzing would have greatly increased the likelihood of finding the problem before it caused global chaos. The have accepted this as they are now promising to do this in the future.
Upvote
13
(13
/
0)
Upvote
5
(5
/
0)
I worked at a large "northern European" HQ'ed telecoms company: (not saying which one...)
In several of their divisions one of their big pushes is for every single test/QA person to be capable of writing test automation code, and if you're not capable of writing test automation code, you're on the layoff list. (or already gone)
Because "manual" QA is too slow.
The problem is: (I hope to hell all of us realize this) some of the best QA and test people I've ever worked with couldn't write a line of code to literally save their lives (or jobs) but can find bugs, can describe them and can advocate for getting them fixed, and can find stuff that the worlds best automation would never ever find.
And those were the people getting turfed. Despite creativity in finding problems, being effective advocates for customer-facing issues. "Can't write an automated test case? buh-bye"
This is for software that runs the complex networks of the world: where a mis-applied CICD pipelined blob of code will knock major infrastructure offline. (Just ask Rogers in Canada...)
You want eyeballs and a brain on some aspects of that test cycle...
Upvote
45
(45
/
0)
steelcobra
Ars Tribunus Angusticlavius
This exactly, if they'd tested it on even a single VM/metal windows machine they'd have noticed the BSODs.
But I think the bigger sin is still that they think it's OK to have a patch flag that ignores client-deployed staging rings and pushes a patch to all devices so that it can't be isolated at the company side too.
Upvote
16
(16
/
0)
These content configuration updates sound like they are basically virus definition files. If your software is so crappy that a bad data file like that can crash the system then your software doesn't sound very good. I wonder if this same crash would be exploitable as a denial of service attack by crashing the machines or possibly even a Root level code execution? I won't be at all surprised if this is followed up by one or both of those things.
Upvote
14
(16
/
-2)
Yeah like 'Installing it on live computers before we deploy'...you know, the simplest possible solution.
Upvote
10
(10
/
0)
steelcobra
Ars Tribunus Angusticlavius
No, on this Microsoft is stuck, and beholden to their EU anti-trust agreements from the oughts forcing them to allow 3rd party software to operate like this.
https://www.tomshardware.com/softwa...oid-crowdstrike-like-calamities-in-the-future
Upvote
-6
(8
/
-14)
The worst part is you could very easily automate roll out to the test farm. You just need a test side to deploy the thing to a bunch of common configurations in VM's and maybe some on bare metal.
Once automated testing is done, you can then test the rollback mechanism.
Upvote
9
(9
/
0)
steelcobra
Ars Tribunus Angusticlavius
The option was in the standard deployment management console to have staged deployments of all patches.
Crowdstrike hid that they could flag a patch to ignore that and deploy to all anyways.
Upvote
10
(12
/
-2)