What happened?
If your Windows PC didn't crash in the last 2 or 3 days, consider yourself lucky, because over 8.5 million computers around the world did, thanks to two software companies: Microsoft and CrowdStrike. It all started with Troy Hunt (founder of Have I Been Pwned) tweeting about people reaching out to him because their Windows machines went to a BSOD, also known as the blue screen of death.
Chaos broke out all around the world and created drastic situations: people were stuck and stranded in hotels and airports, credit card machines and banks were completely down, even Sky News was not able to broadcast live TV and had to go off air for a while, some supermarkets started accepting only cash, and airports did manual check-ins with handwritten boarding passes. The list goes on.
Stock update: it went down 30% in the past 5 days.
Stuntman on the run
While the whole world was in chaos and struggling to meet people's needs, a random guy on Twitter, Vincent Flibustier, came out and fooled people all around the world by claiming that he was the reason behind the CrowdStrike crash, that he was the one who pushed the code, and that he got fired by the company. The fact is he was never hired in the first place.
This photo went viral within minutes; it already has nearly 4 lakh likes and has been shared by over 36,000 users. He got a mixed reaction: people loving him because they got a day off, and people hating him because they lost their work since he couldn't do his job properly. But it was soon revealed to be a hoax, and his Twitter bio was changed to "Viral stuntman", which seems appropriate, I guess.
Is fixing possible?!
Can we fix it? Yes. But can anyone fix it? No.
Stay with me here, let me explain:
Basically it's more of a CrowdStrike fault than a Microsoft fault, but before getting into that, the way to remediate your PC is:
Before everything below: restart and troubleshoot.
- Open your PC in safe mode (which god knows how to do).
- To open in safe mode you need to bypass the BitLocker key entry, it seems, and to bypass it you can spam F4 or F11 on specific computers, or it may not bypass at all.
- Go to the %WINDIR%\System32\drivers\CrowdStrike directory.
- Delete the channel file "C-00000291*.sys" with timestamp 2024-07-19 0409 UTC.
Getting your BitLocker key is becoming difficult for more people; stay in touch with the CrowdStrike people, they are giving out updates every hour.
Video by CrowdStrike: https://www.youtube.com/watch?v=Bn5eRUaMZXk
Another way :
But the truth is an average person won't be able to understand any of this, let alone open the PC in safe mode and do all those cmd navigations; it's all fricked up.
Are you apologetic?
With all this happening, the CrowdStrike CEO came out and addressed the issue in a very unapologetic way, at least that's what I feel:
This might be one of the TOP 10 WORST responses from someone who directly or indirectly should be responsible for the whole problem and must take full responsibility. The thing that bothers me the most is that I don't see the word "sorry" in this whole paragraph; it reads more like the whole paragraph was mended and modified by lawyers and board members. So if we don't understand what he is trying to say, perhaps it means they did a frickin' good job.
Microsoft or CrowdStrike?
WTH actually happened was:
CrowdStrike -> new update (with a bug) -> Microsoft pushed -> boom
The patch update, according to Twitter, runs in kernel mode, which is used for monitoring system activity at a low level, and as it was running, the code tried to access information from an invalid memory location, which triggered a panic and showed the so-called BSOD (credits: Arpit Bhayani).
In-depth Analysis
While Zach Vorhies claimed this whole thing was a NULL pointer issue, it was more than that, and it was addressed later by Tavis Ormandy and Patrick Wardle, who came on live television. I myself am not into cybersecurity, so if you find anything wrong let me know. Here's what happened:
Tavis tested the CSAgent.sys module against Zach Vorhies' theory of what caused the fault using Godbolt (Compiler Explorer), and it didn't match, showing that Zach was probably incorrect. He examined the module and identified the bytes 45 8b 08 at csagent+0xe35a1 associated with the fault, and found a NULL check before the dereference, so the issue was not just a null pointer but something more complex: the code was supposed to read pointers from a table in a loop, and some of those pointers were invalid because the configuration file had uninitialized entries. Patrick's observations also proved the existence of invalid pointers that were far from NULL, confirming both their findings. This all might seem overwhelming, but it is all just general knowledge.
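To illustrate the analysis above, here is an added example (constructed for this post, not CrowdStrike's code and not Tavis Ormandy's test) of why a NULL check before a dereference does not help when a pointer table is only partially initialised: it models a table loaded from a config that leaves some entries uninitialised, counts how many slots a NULL-only guard would follow, and contrasts that with a guard that only follows pointers inside the arena the table is allowed to reference. It assumes a 64-bit build; the garbage address, arena and record layout are all made up.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model, not CrowdStrike's code: a table of pointers into a small
 * arena of records, filled from a "config" that declares TABLE_SLOTS entries
 * but only initialises `populated` of them. */
#define TABLE_SLOTS 8
#define ARENA_RECORDS 4

typedef struct { uint32_t id; uint32_t flags; } record_t;
static record_t arena[ARENA_RECORDS];
static const record_t *table[TABLE_SLOTS];

/* Slots the config never filled keep whatever was there before; here a
 * constructed non-NULL garbage address stands in for uninitialised memory. */
void load_table(size_t populated) {
    const uintptr_t garbage = (uintptr_t)0xffff9c8e00000000ULL; /* constructed */
    for (size_t i = 0; i < ARENA_RECORDS; i++) {
        arena[i].id = (uint32_t)i;
        arena[i].flags = 1u << i;
    }
    for (size_t i = 0; i < TABLE_SLOTS; i++)
        table[i] = (i < populated) ? &arena[i]
                                   : (const record_t *)(garbage + i * sizeof *arena);
}

/* Naive guard: only NULL is rejected, like the check found before the faulting
 * `mov r9d, [r8]` (the bytes 45 8b 08). Returns how many slots it WOULD follow;
 * it never reads through them, so this demo cannot crash. */
size_t naive_deref_count(void) {
    size_t n = 0;
    for (size_t i = 0; i < TABLE_SLOTS; i++)
        if (table[i] != NULL) n++;
    return n;
}

/* Hardened guard: follow a pointer only if it lies inside the arena the table
 * is allowed to reference and is aligned to a record boundary. */
static int in_arena(const record_t *p) {
    uintptr_t lo = (uintptr_t)arena, hi = lo + sizeof arena, v = (uintptr_t)p;
    return v >= lo && v + sizeof *p <= hi && (v - lo) % sizeof *p == 0;
}

/* Only validated pointers are actually dereferenced. */
uint32_t sum_flags_checked(void) {
    uint32_t sum = 0;
    for (size_t i = 0; i < TABLE_SLOTS; i++)
        if (in_arena(table[i])) sum += table[i]->flags;
    return sum;
}
```

With only 2 of 8 entries supplied, the NULL-only guard would follow all 8 slots, while the bounds-checked reader touches just the 2 valid records.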
So what now?!
At the end of the day, it's we the customers who should demand more transparency from cybersecurity companies. All these companies think they protect us, so we do everything they ask for; it's high time we stop doing that and make them understand that we are not idiots, and this is something that shouldn't be repeated.
Thanks for reading until the end of the article. I hope I am gonna write articles every week, so see you next week.
Subscribe to my newsletter to get my blogs in your inbox if you wish.
Follow me on my socials: Twitter, LinkedIn
Tweets : https://www.one-tab.com/page/cb_HDKfwTPq77QeKKjNP7w