Over the past few days, CrowdStrike and Microsoft have been working with customers affected by the mass Windows BSOD (Blue Screen of Death) triggered by a faulty CrowdStrike update, an incident for which CrowdStrike CEO George Kurtz has now been called to testify before the House Homeland Security Committee.
Besides providing a fix for the issue, CrowdStrike has already published a preliminary report on the incident, identifying the cause as its CSagent.sys kernel driver, whose malfunction interfered with Windows systems.
Microsoft confirms CrowdStrike's analysis
Microsoft has recently published a technical analysis of the crash caused by the CrowdStrike driver, confirming the findings of the earlier report.
The crash of millions of Windows computers was caused by an error in the CSagent.sys driver developed by CrowdStrike. More specifically, it was a memory-safety error that led to an out-of-bounds read: in attempting to access a piece of memory, the CSagent.sys driver read from a region outside the one allocated to it.
This kind of erroneous read, called "out-of-bounds", violates memory protection and is potentially very dangerous, since it can corrupt data, pollute caches and compromise the integrity of the system. The module is registered with Windows as a file system filter driver so that it receives notifications about file operations, which lets security products such as CrowdStrike scan any new file written to disk.
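The bug class described above, shown as an added example in plain C (not CrowdStrike's or Microsoft's code): a kernel-side component reads a table whose size is dictated by an update file. The unchecked reader trusts the index it is given; the hardened reader validates the update's claimed size and the index against the real capacity and fails closed. The record layout, field names and sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TABLE_CAPACITY 8   /* entries actually allocated in memory */

/* Constructed stand-in for a content update: a count field followed by
 * a fixed-size table. The count comes from the update file, so the
 * kernel component must treat it as untrusted input. */
typedef struct {
    uint32_t count;                   /* entries the update claims to carry */
    uint32_t entries[TABLE_CAPACITY]; /* entries that really exist */
} update_table_t;

/* Vulnerable pattern: dereferences the index with no bounds check.
 * With idx >= TABLE_CAPACITY this is an out-of-bounds read; in kernel
 * mode that is a bug check (BSOD) at best, memory corruption at worst. */
uint32_t read_entry_unchecked(const update_table_t *t, uint32_t idx) {
    return t->entries[idx];
}

/* Hardened pattern: validate the claimed count against the real capacity
 * and the index against the valid range before touching memory.
 * Returns 0 on success, a negative code on rejection. */
int read_entry_checked(const update_table_t *t, uint32_t idx, uint32_t *out) {
    if (t == NULL || out == NULL) return -1;
    if (t->count > TABLE_CAPACITY) return -2; /* update overstates its size */
    if (idx >= t->count) return -3;           /* index past the valid entries */
    *out = t->entries[idx];
    return 0;
}

/* Builds a constructed sample update whose header claims more entries
 * than the table holds, the shape of mismatch that turns a data update
 * into a memory-safety fault. */
update_table_t make_oversized_update(void) {
    update_table_t t;
    memset(&t, 0, sizeof t);
    t.count = 12; /* constructed value: claims 12 entries, only 8 exist */
    for (uint32_t i = 0; i < TABLE_CAPACITY; i++) t.entries[i] = 100 + i;
    return t;
}
```

The checked reader rejects the whole table as soon as the header is inconsistent, which is the behaviour a kernel component should prefer over attempting the access.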
The debate over kernel-level access for third-party software
The incident has drawn much criticism of Microsoft's decision to allow third-party software developers access to the kernel layer. In its blog post, Microsoft explained the reasons for this choice: kernel drivers give visibility into the entire system, can be loaded early in the boot process to detect security threats, and offer higher performance in certain situations. However, the company also acknowledges the risks associated with running drivers in kernel mode.
Microsoft's recommendations for balancing security and reliability
Microsoft suggests that security software vendors find the right balance between competing needs when making their design choices. On one hand, there is the need for broad visibility into and control over the system in order to detect and prevent security threats effectively. On the other, there is the risk inherent in operating at the kernel level, the core of the operating system.
An error at this level can be catastrophic for system stability. To balance these aspects, Microsoft recommends keeping the components that operate in kernel mode to a bare minimum, limiting them to data collection and enforcement of security policy. Most of the functionality should be implemented in user mode, which is less critical.
Furthermore, Microsoft points out that Windows itself now integrates its own security mechanisms against malware and attacks, all of which should be used properly by third-party software vendors.
Plans to prevent similar issues in the future
Although the vast majority of Windows PCs affected by the problem are back online, Microsoft is looking ahead to prevent similar situations. The company intends to provide guidance on the safe deployment of updates to security products, to reduce the need for kernel drivers to access sensitive security data, to provide greater isolation and anti-tampering capabilities, and to enable Zero Trust approaches.