CrowdStrike learned from patchmageddon

CrowdStrike has published a post-incident review (PIR) of the faulty software update responsible for shutting down 8.5 million Windows servers and workstations. The document blames a bug in the test software for the inadequate validation of the content update that reached end users; in effect, the company itself admitted that the update was not properly tested before it was released into a production environment.

Learning from the incident, the security firm promised to test content updates more thoroughly in the future, improve its bug management processes, and to gradually deploy updates to larger parts of its install base, rather than pushing them to all systems at once.

Falcon Sensor software is used by businesses around the world to mitigate the risk of malware and security incidents, so it is unfortunate that a content configuration update was the very thing that caused Windows to crash. The incident also highlights the dangers of security software vendors' past release practices.

According to the company's explanation, the Falcon Sensor application for preventing attacks on computer systems includes Sensor Content, which defines the capabilities of the technology, and is updated with information about new threats through Rapid Response Content packages. Friday's outage was essentially caused by a 40KB Rapid Response Content file.

In practice, companies install such updates automatically, since there is no time to test and try everything; cloud services are also meant to make this easier by keeping the product up to date. CrowdStrike released two Rapid Response Content updates last week, but a bug in the Content Validator let one of the two pass validation despite containing problematic content data, the company admits. The sensor loaded the problematic Rapid Response Content package into the Content Interpreter, causing a memory management error that eventually led to the system crash and the blue screen of death.

CrowdStrike added that it will run stability tests and other tests on Rapid Response Content, and will update the cloud-based technology that validates Rapid Response Content packages.
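The two failures the article describes, a validator that checks too little and an interpreter that trusts what the validator passed, plus the staged rollout the company now promises, can be modelled in a few dozen lines. The example below is added here for illustration and is not CrowdStrike's code or file format: the content layout (a `RRC1` header with an entry count, then fixed-size entries carrying a template index and a pattern), the four template names, the ring sizes and the function names are all constructed assumptions. An out-of-range template index raises `IndexError` in the toy interpreter, standing in for the invalid memory read that would crash native code.

```python
import struct

# Constructed content format (assumption, not the real one):
# header = magic + entry count; each entry = template index + 8-byte pattern.
MAGIC = b"RRC1"
HEADER = struct.Struct("<4sH")
ENTRY = struct.Struct("<H8s")
# Assumed: the interpreter knows exactly four detection templates.
TEMPLATES = ["proc-create", "file-write", "net-connect", "reg-set"]


class ValidationError(ValueError):
    pass


def build_content(entries):
    """Serialise (template_index, pattern) pairs into a content blob."""
    body = b"".join(ENTRY.pack(idx, pat.ljust(8, b"\0")[:8]) for idx, pat in entries)
    return HEADER.pack(MAGIC, len(entries)) + body


def validate_lenient(blob):
    """Flawed validator: checks the header only and trusts the declared count."""
    if len(blob) < HEADER.size:
        raise ValidationError("truncated header")
    magic, count = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValidationError("bad magic")
    return count


def validate_strict(blob):
    """Hardened validator: every claim in the file is checked against the
    interpreter's actual limits (total size and template index range)."""
    count = validate_lenient(blob)
    expected = HEADER.size + count * ENTRY.size
    if len(blob) != expected:
        raise ValidationError(f"declared {count} entries, size {len(blob)} != {expected}")
    for i in range(count):
        idx, _ = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        if idx >= len(TEMPLATES):
            raise ValidationError(f"entry {i}: template index {idx} out of range")
    return count


def interpret(blob):
    """Toy interpreter: indexes the template table the way native code indexes an
    array. It only applies the lenient check, so bad content that slipped past the
    validator reaches the lookup and fails there (IndexError / struct.error)."""
    count = validate_lenient(blob)
    rules = []
    for i in range(count):
        idx, pat = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        rules.append((TEMPLATES[idx], pat.rstrip(b"\0")))
    return rules


def host_crashes(blob):
    """Simulate one host loading the content: True if the interpreter faults."""
    try:
        interpret(blob)
        return False
    except (IndexError, struct.error):
        return True


def staged_rollout(hosts, crash_fn, ring_sizes=(1, 10, 100), max_failure_rate=0.0):
    """Deploy ring by ring (assumed ring sizes), then the remainder of the fleet;
    halt as soon as a ring's crash rate exceeds the threshold."""
    deployed = 0
    for size in list(ring_sizes) + [len(hosts)]:
        ring = hosts[deployed:deployed + size]
        if not ring:
            break
        failures = sum(1 for h in ring if crash_fn(h))
        deployed += len(ring)
        if failures / len(ring) > max_failure_rate:
            return {"status": "halted", "deployed": deployed}
    return {"status": "complete", "deployed": deployed}


if __name__ == "__main__":
    good = build_content([(0, b"cmd.exe"), (2, b"1.2.3.4")])
    bad = build_content([(0, b"a"), (9, b"b")])   # template 9 does not exist
    print(interpret(good))
    print("lenient passes bad content:", validate_lenient(bad))
    print(staged_rollout(list(range(200)), lambda h: host_crashes(bad)))
```

The point of the contrast is that `validate_lenient` and `validate_strict` both accept the good file, but only the strict one rejects the file whose template index exceeds what the interpreter can handle; the staged rollout then limits the blast radius of anything the validator still misses, halting after the first ring instead of reaching the whole fleet.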

Source: www.hwsw.hu