On July 19, CrowdStrike pushed out an update that put Windows machines around the world into a BSOD reboot loop. On August 6, CrowdStrike released a document explaining what went wrong. It begins rather braggadociously.

The CrowdStrike Falcon sensor delivers powerful on-sensor AI and machine learning models to protect customer systems by identifying and remediating the latest advanced threats.

😎

Template Instances consist of regex content intended for use with a specific Template Type.

Template Instances are defined using a UI driven by the Template Type Definitions file.

Content Validator: Checks the validity of channel files against their definition in the Template Type Definitions file.

IPC Template Instances are delivered as Rapid Response Content to sensors via a corresponding Channel File.

Sensors that received the new version of Channel File 291 carrying the problematic content were exposed to a latent out-of-bounds read issue in the Content Interpreter. […] [A]nd resulted in a system crash.

Template Instance validation should expand to include testing within the Content Interpreter.

The impression one gets is of a web UI CrowdStrike’s threat detection engineers use to enter new regexes which must pass some checks but which are then delivered to customers without full integration testing.
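As an added illustration of the gap described above (not code from this post or from CrowdStrike's document): a constructed, simplified model in which the Content Validator checks a Template Instance only against its Template Type Definition, while the Content Interpreter has its own fixed input layout that the definitions file knows nothing about. All class names, field counts and patterns are hypothetical.

```python
import re
from dataclasses import dataclass

@dataclass
class TemplateTypeDefinition:  # one entry from the Template Type Definitions file (constructed)
    name: str
    max_fields: int  # input fields an instance of this type may reference

@dataclass
class TemplateInstance:  # regex content keyed by input-field index (constructed)
    template_type: str
    patterns: dict[int, str]

def content_validator(inst: TemplateInstance, defn: TemplateTypeDefinition) -> list[str]:
    """Checks the instance only against its definition: type name, field range, regex syntax."""
    errors = []
    if inst.template_type != defn.name:
        errors.append(f"type mismatch: {inst.template_type!r} != {defn.name!r}")
    for idx, pat in inst.patterns.items():
        if not 0 <= idx < defn.max_fields:
            errors.append(f"field {idx} outside definition range 0..{defn.max_fields - 1}")
        try:
            re.compile(pat)
        except re.error as exc:
            errors.append(f"field {idx}: bad regex ({exc})")
    return errors

class ContentInterpreter:
    """Sensor-side evaluator; its input layout is fixed in code, not read from the definitions file."""
    INPUT_FIELDS = 16  # constructed value, deliberately smaller than IPC_DEF.max_fields below

    def evaluate(self, inst: TemplateInstance, event: list[str]) -> bool:
        for idx, pat in inst.patterns.items():
            if idx >= len(event):  # in native code this would be an out-of-bounds read
                raise IndexError(f"field {idx} beyond the {len(event)} inputs supplied")
            if not re.search(pat, event[idx]):
                return False
        return True

def interpreter_test(inst: TemplateInstance) -> bool:
    """The extra gate the RCA proposes: execute the instance in the interpreter on a synthetic event."""
    try:
        ContentInterpreter().evaluate(inst, ["x"] * ContentInterpreter.INPUT_FIELDS)
    except IndexError:
        return False
    return True

IPC_DEF = TemplateTypeDefinition(name="ipc", max_fields=24)  # constructed; allows more fields than the interpreter supplies
GOOD = TemplateInstance("ipc", {3: r"pipe", 5: r"^[a-z]+$"})
LATENT = TemplateInstance("ipc", {20: r".*"})  # clean per the validator, crashes in the interpreter
```

Both instances pass `content_validator` with no errors; only `interpreter_test` rejects `LATENT`, which is the kind of check the definition-only validator cannot perform.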

Source document. Mirror.