Comments by "Mikko Rantalainen" (@MikkoRantalainen) on the "Diving into the embarrassing engineering behind CrowdStrike" video (channel: Theo - t3․gg).
5:10 From the information I've seen, I've understood that there was no logic in the update files, just data structures. But the Crowdstrike kernel-mode driver had such low implementation quality that it doesn't verify the data that is passed in from user mode or the filesystem. As far as I know, this is an absolute no-no in kernel-mode programming, so the true cause of this failure is shoddy implementation by the Crowdstrike kernel developer team. It's also a nice demo of how little benefit WHQL certification can actually provide.
It's still too early to tell for sure, but it appears that the update file doesn't contain executable code and the actual bug is totally missing input validation in the kernel driver. I would expect that they do sign the update files and blindly trust the contents of the update file. (As long as the file is correctly signed and the signature is correctly verified, verifying the update file on the server side should be equally safe to doing the file verification in the kernel driver.) (1) However, assuming the update files were actually signed, the server didn't do the verification either! (2) And if the update files were not digitally signed, this poorly written kernel driver simply did zero verification of its input files! In the end, it doesn't really matter whether (1) or (2) is the reality. Crowdstrike obviously has a MAJOR skill issue and shouldn't be writing kernel drivers at all.
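The failure mode both comments describe, a driver that parses a data file from disk and trusts every count and offset in it, shown as an added C example. This is not code from the video, from the commenter, or from CrowdStrike: the file layout (a header with a record count, a table of 32-bit offsets, then NUL-terminated strings), the `TOY_MAGIC` value, the function names and the sample files are all constructed for illustration. The trusting parser has the shape of the bug; the checked parser range-checks every field against the buffer length before using it and returns an error code instead of dereferencing a bad offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy layout, not any vendor's real format:
 *   u32 magic; u32 count; u32 offset[count]; then NUL-terminated strings
 *   that the offsets point at. All fields little-endian. */
#define TOY_MAGIC 0x46555443u

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_MAGIC = 1,
    PARSE_TRUNCATED = 2,      /* header or offset table runs past end of file */
    PARSE_BAD_OFFSET = 3,     /* an offset points outside the file */
    PARSE_UNTERMINATED = 4    /* a string has no NUL before end of file */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The shape of the bug the comments describe: count and every offset are
 * trusted as-is. A large count or an out-of-range offset makes this read
 * past `buf`; in a kernel driver that is a bug check for the whole machine.
 * `len` is deliberately ignored to mirror that. Returns the record count. */
size_t count_strings_trusting(const uint8_t *buf, size_t len, size_t *total_chars)
{
    (void)len;
    uint32_t count = rd32(buf + 4);
    size_t chars = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t off = rd32(buf + 8 + 4 * (size_t)i);
        chars += strlen((const char *)buf + off);   /* unbounded read on a bad offset */
    }
    *total_chars = chars;
    return count;
}

/* Hardened version: every field is checked against `len` before use, and a
 * malformed file is rejected with a status code instead of dereferenced. */
enum parse_status count_strings_checked(const uint8_t *buf, size_t len,
                                        size_t *nstrings, size_t *total_chars)
{
    if (len < 8) return PARSE_TRUNCATED;
    if (rd32(buf) != TOY_MAGIC) return PARSE_BAD_MAGIC;
    uint32_t count = rd32(buf + 4);
    /* (len - 8) / 4 is the largest table that fits; this comparison cannot overflow */
    if (count > (len - 8) / 4) return PARSE_TRUNCATED;
    size_t chars = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t off = rd32(buf + 8 + 4 * (size_t)i);
        if (off >= len) return PARSE_BAD_OFFSET;
        const void *nul = memchr(buf + off, '\0', len - off);
        if (!nul) return PARSE_UNTERMINATED;
        chars += (size_t)((const uint8_t *)nul - (buf + off));
    }
    *nstrings = count;
    *total_chars = chars;
    return PARSE_OK;
}

/* Constructed sample files: one well-formed, three malformed. */
static const uint8_t good_file[] = {
    0x43,0x54,0x55,0x46, 0x02,0x00,0x00,0x00,   /* magic, count=2 */
    0x10,0x00,0x00,0x00, 0x13,0x00,0x00,0x00,   /* offsets 16 and 19 */
    'a','b',0, 'c','d','e',0
};
static const uint8_t huge_count_file[] = {
    0x43,0x54,0x55,0x46, 0xff,0xff,0xff,0x7f    /* count=0x7fffffff, no table at all */
};
static const uint8_t bad_offset_file[] = {
    0x43,0x54,0x55,0x46, 0x01,0x00,0x00,0x00,
    0x00,0x10,0x00,0x00                         /* offset 0x1000, far past EOF */
};
static const uint8_t unterminated_file[] = {
    0x43,0x54,0x55,0x46, 0x01,0x00,0x00,0x00,
    0x0c,0x00,0x00,0x00, 'x','y','z'            /* string at 12 with no NUL */
};

int main(void)
{
    size_t n, chars = 0;
    count_strings_trusting(good_file, sizeof good_file, &chars);
    printf("trusting parser on good file: %zu chars\n", chars);
    /* The trusting parser is not run on the malformed files: it would read
     * out of bounds. The checked parser rejects each of them with a status. */
    const struct { const char *name; const uint8_t *d; size_t len; } files[] = {
        {"good", good_file, sizeof good_file},
        {"huge_count", huge_count_file, sizeof huge_count_file},
        {"bad_offset", bad_offset_file, sizeof bad_offset_file},
        {"unterminated", unterminated_file, sizeof unterminated_file},
    };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        n = chars = 0;
        int st = count_strings_checked(files[i].d, files[i].len, &n, &chars);
        printf("%-13s status=%d strings=%zu chars=%zu\n", files[i].name, st, n, chars);
    }
    return 0;
}
```

The checks are ordered so that no field is read until the bytes holding it are known to be inside the buffer: the header before the count, the count before the table, each offset before the string it names. Signing the file (the point raised in the second comment) does not replace these checks: a signature proves who produced the bytes, not that a driver can safely index with them.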