The last few days, we can't turn on the news without hearing about the Blue Screen of Death (BSOD) caused by CrowdStrike's Falcon product affecting millions of enterprise users worldwide. It brought down airlines, 911 call centers, courts, hospitals, banks, airports, TV broadcasters, supermarkets, mass transit, schools and even affected the Olympics.
CrowdStrike Chief Executive George Kurtz issued a statement claiming that this "is not a security incident or cyberattack." (CrowdStrike.com, 2024)
I and others disagree.
A cybersecurity incident is an event that causes harm to your environment or impact upon the organization, prompting the need for response or recovery. All machines that do not automatically reboot and fix themselves require human intervention to boot into safe mode and remove a file.
CrowdStrike claims the issue was caused by a "single content update" (Warren, 2024) and a "logic error." (CrowdStrike.com, 2024)
Other industry leaders claim the update was full of null characters, triggering a "dangerous null pointer exception" (HackerNews, July); that the code was riddled with defects that should not have passed standards in established security frameworks; and that "the root cause appears to be an update to the kernel level driver that CrowdStrike uses to secure Windows machines." (TheVerge.com, 2024)
Software is usually designed not to interact at the kernel level. When a program operates at the kernel level, ANY vulnerability in that program can potentially open the door to, or break, the entire system. If exploited, such vulnerabilities can lead to serious security breaches.
While user mode agents have the same privileges as other common applications, kernel mode agents have access to the heart of a system, giving malicious actors free rein during an exploit.
We saw this in the SolarWinds attack in 2021, and knew better then. Because the SolarWinds application ran in kernel mode, it allowed attackers to fly under the radar for over a year, and steal data from at least nine US government agencies and 100 private companies. Running an application in kernel mode makes it fairly easy for malicious actors to use it to perform illicit activities undetected.
With that said, this author also finds it hard to believe that an industry leader like CrowdStrike suddenly decided not to follow software development frameworks and coding security best practices and controls.
I suspect we will see the true depth of this cybersecurity incident in the years to come, and likely find out it was either a man-in-the-middle attack or an insider threat which caused the problem with the file. Of course, this is something that could likely have been prevented by encrypting the file while in transit and checking the file hash before applying it to the endpoint.
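As an added illustration of the hash check described above (this is example code written for this post, not CrowdStrike's update mechanism), the gate below refuses a content update whose SHA-256 does not match the digest the publisher announced, and separately refuses a file that is mostly null bytes, since a digest match only proves the bytes arrived unaltered, not that they are usable. The sample payloads, the manifest digest and the null-byte threshold are constructed assumptions.

```python
import hashlib

# Constructed sample payloads standing in for a "content update" file.
GOOD_UPDATE = b"CHANNEL-FILE\x00rule=block-named-pipe;version=7\n" * 4
NULL_FILLED = b"\x00" * len(GOOD_UPDATE)

# Digests the publisher is assumed to announce out of band (e.g. a signed manifest).
EXPECTED_SHA256 = hashlib.sha256(GOOD_UPDATE).hexdigest()
NULL_FILLED_SHA256 = hashlib.sha256(NULL_FILLED).hexdigest()  # publisher shipped the broken file intact

MAX_NULL_FRACTION = 0.5  # hypothetical threshold; a real parser would validate the whole format


def sha256_matches(blob: bytes, expected_hex: str) -> bool:
    """True when the SHA-256 of the received bytes equals the published digest."""
    return hashlib.sha256(blob).hexdigest().lower() == expected_hex.lower()


def null_fraction(blob: bytes) -> float:
    """Share of the payload that is 0x00; a mostly-null file is malformed, not a rule set."""
    if not blob:
        return 1.0
    return blob.count(0) / len(blob)


def verify_update(blob: bytes, expected_hex: str) -> tuple[bool, str]:
    """Gate run before an update is applied to the endpoint.

    Returns (accepted, reason). The hash check catches bytes changed in transit;
    the structural check catches a file that hashes correctly but is still unusable.
    """
    if not sha256_matches(blob, expected_hex):
        return False, "sha256 mismatch: file altered in transit or wrong manifest"
    frac = null_fraction(blob)
    if frac > MAX_NULL_FRACTION:
        return False, f"malformed content: {frac:.0%} null bytes"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("intact", GOOD_UPDATE, EXPECTED_SHA256),
        ("tampered in transit", GOOD_UPDATE[:-1] + b"!", EXPECTED_SHA256),
        ("null-filled but hash matches", NULL_FILLED, NULL_FILLED_SHA256),
    ]
    for name, blob, digest in cases:
        print(f"{name}: {verify_update(blob, digest)}")
```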