Technology @lemmy.world Aatube @kbin.melroy.org 3 days ago

CrowdStrike downtime apparently caused by update that replaced a file with 42kb of zeroes

twiiit.com christian_taillon (@christian_tail)

You're correct. Full of zeros at least.

…according to a Twitter post by the Chief Informational Security Officer of Grand Canyon Education.

So, does anyone else find it odd that the file that caused everything CrowdStrike to freak out, C-00000291-
00000000-00000032.sys was 42KB of blank/null values, while the replacement file C-00000291-00000000-
00000.033.sys was 35KB and looked like a normal, if not obfuscated sys/.conf file?

Also, apparently CrowdStrike had at least 5 hours to work on the problem between the time it was discovered and the time it was fixed.

189

189 comments

I'm not a dev, but don't they have like a/b updates or at least test their updates in a sandbox before releasing them?
I wonder how many governments and companies will take this as a lesson on why brittle systems suck. My guess is most of them won't... It's popular to rely on very large third party services, which makes this type of incident inevitable.
The fact that a single bad file can cause a kernel panic like this tells you everything you need to know about using this kind of integrated security product. Crowdstrike is apparently a rootkit, and windows apparently has zero execution integrity.
Imagine the world if those companies were using Atomic distribution and the only thing you would need to do is to boot the previous good image.
This file compresses so well. 🤏
Every affected company should be extremely thankful that this was an accidental bug, because if crowdstrike gets hacked, it means the bad actors could basically ransom I don't know how many millions of computers overnight

Not to mention that crowdstrike will now be a massive target from hackers trying to do exactly this
school districts were also affected.. at least mine was.
If it had been all ones this could have been avoided.
Ah, a classic off by 43,008 zeroes error.
If I had to bet my money, a bad machine with corrupted memory pushed the file at a very final stage of the release.

The astonishing fact is that for a security software I would expect all files being verified against a signature (that would have prevented this issue and some kinds of attacks

d'00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000!

have they ruled out any possibility of a man in the middle attack by a foreign actor?
How can all of those zeroes cause a major OS crash?

You've viewed 189 comments.