So, #CrowdStrike posted a preliminary incident report, and, boy…

  1. For them, the problem is the faulty data that was fed to the driver, but not the fact that the driver should not crash when given corrupt or faulty data? One can only hope that’s just the band-aid, and the full RCA will also point out the need for enhancements on the parsing side… Surely they’ve heard of the robustness principle?

  2. They’ll fix their tests but not test the updates with the actual Falcon running on actual Windows - what could go wrong…

  3. They don’t see concurrency as a problem when clearly the “reboot 15 times” points to a non-deterministic behavior that should not be allowed.
    https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/