CrowdStrike Incident Analysis

twitter.com

19 points by daenney a year ago · 6 comments

vr-wannabe a year ago

Neither Tavis Ormandy's, Patrick's nor the C++ professional's posts go into detail on how the bug works in CrowdStrike's Falcon sensor. All of them just point to a debugger/disassembly output and cast some predictions. (For me personally, I trust Tavis' analysis because ... well, it's been his field of specialty over the last decade or so.)

But still, none of the tweets mentioned come close to even explaining the issue (as in why the .sys channel update file being filled with zeros led the CS driver to actually crash, the actual bug in the driver, and how it would've functioned normally before the faulty .sys file was pushed).

For reference, to see the whole tweet without a Twitter account:

https://twitter-thread.com/t/1814762302337654829

  • notepad0x90 a year ago

    It isn't filled with zeroes, why are people saying that?

    • nubinetwork a year ago

      Some people on twitter and mastodon were saying that, but they also said the file's contents weren't identical across machines... chances are the zeroed-out files were preallocated and not written to because the system crashed.

      • kchr a year ago

        Some comments theorise that the NUL-file was deployed to fix the issue with the corrupt file that caused the crashes.

irundebian a year ago

I don't like his style of communication.
