On July 19, 2024, CrowdStrike published a Preliminary Post Incident Review (PIR) regarding the defective Falcon update. The PIR explained that a bug allowed erroneous data to pass through the Content Validator, resulting in the crash of millions of Windows systems.
The cybersecurity company clarified that the problem resulted from a problematic content configuration update that was intended to collect telemetry on new threat techniques.
Because of confidence in the previous successful deployments of the underlying Inter-Process Communication (IPC) Template Type, the update did not undergo any additional verification after passing the Content Validator. Consequently, the defect was not detected before the update reached online hosts running Falcon version 7.11 or later.
The company promptly acknowledged the error and reversed the update within an hour.
Nevertheless, by that time it was too late. When the Content Interpreter processed the new configuration update, an out-of-bounds memory read occurred, crashing approximately 8.5 million Windows systems, if not more.