AT GROUND LEVEL
Instances passed validation despite containing problematic content data.
Based on the testing performed before the initial deployment of the Template Type, trust in the checks performed in the Content Validator, and previous successful IPC Template Instance deployments, these instances were deployed into production.
When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows Operating System BSOD crash.
The channel file responsible for system crashes on Friday, July 19, 2024 beginning at 04:09 UTC was identified and deprecated on operational systems. When deprecation occurs, a new file is deployed, but the old file can remain in the sensor’s directory. Out of an abundance of caution, and to prevent Windows systems from further disruption, the impacted version of the channel file was added to Falcon’s known-bad list in the CrowdStrike Cloud.
No sensor updates, new channel files, or code was deployed from the CrowdStrike Cloud. For operational machines, this is a hygiene action. For impacted systems with strong network connectivity, this action could also result in the automatic recovery of systems in a boot loop.
FUTURE REMEDIATION
CrowdStrike makes changes to testing
• Local developer testing
• Content update and rollback testing
• Stress testing, fuzzing and fault injection
• Stability testing
• Content interface testing
• Add additional validation checks to Content Validator
• Enhance existing error handling in the Content Interpreter
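The last two items above describe two independent layers: a validator that rejects bad content before it ships, and an interpreter that still fails safely if bad content arrives. The sketch below is an added example, not CrowdStrike's code or part of the original article; the `instance_t` layout and the function names are hypothetical, constructed only to show both layers refusing an out-of-range field index.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout, constructed for illustration: a content instance
 * names which runtime-supplied input field each criterion compares against. */
#define MAX_CRITERIA 8

typedef struct {
    uint32_t field_index;   /* index into the inputs array supplied at runtime */
    uint32_t expected;      /* value the field must equal to match */
} criterion_t;

typedef struct {
    uint32_t    count;                    /* criteria in use */
    criterion_t criteria[MAX_CRITERIA];
} instance_t;

enum { EVAL_NO_MATCH = 0, EVAL_MATCH = 1, EVAL_BAD_CONTENT = -1 };

/* Validator: runs before deployment. Rejects any instance that refers to a
 * field the interpreter's caller will not supply. Returns 1 if acceptable. */
int validate_instance(const instance_t *inst, size_t fields_supplied)
{
    if (inst == NULL || inst->count > MAX_CRITERIA)
        return 0;
    for (uint32_t i = 0; i < inst->count; i++)
        if (inst->criteria[i].field_index >= fields_supplied)
            return 0;
    return 1;
}

/* Interpreter: runs on the endpoint. It repeats the bounds check instead of
 * trusting the validator, and reports bad content as an error code the
 * caller can handle (skip the instance) rather than reading past inputs[]. */
int evaluate_instance(const instance_t *inst,
                      const uint32_t *inputs, size_t n_inputs)
{
    if (inst == NULL || inputs == NULL || inst->count > MAX_CRITERIA)
        return EVAL_BAD_CONTENT;
    for (uint32_t i = 0; i < inst->count; i++) {
        uint32_t idx = inst->criteria[i].field_index;
        if (idx >= n_inputs)
            return EVAL_BAD_CONTENT;      /* would have been the OOB read */
        if (inputs[idx] != inst->criteria[i].expected)
            return EVAL_NO_MATCH;
    }
    return EVAL_MATCH;
}
```

Because the interpreter performs its own check, an instance that slips past validation yields an error return that the caller can log and skip, not an unhandled exception.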
CrowdStrike makes changes to content deployment
• Implement a staggered deployment strategy for Rapid Response Content in which updates are gradually deployed to larger portions of the sensor base, starting with a canary deployment.
• Improve monitoring for both sensor and system performance, collecting feedback during Rapid Response Content deployment to guide a phased rollout.
• Provide customers with greater control over the delivery of Rapid Response Content updates by allowing granular selection of when and where these updates are deployed.
www.intelligentbuild.tech