The CrowdStrike crash revealed a fundamental flaw in how security suite software is packaged for Microsoft Windows. Because it operates at the device level in the kernel (Ring 0), it has to be packaged as a signed device driver that goes through Microsoft’s rigorous testing protocols. But because it also has to respond immediately to zero-day vulnerabilities, it can’t wait for a new signed driver to be approved.
This is why they use DEF files to patch the driver code. The signed driver code reads the DEF file to get updated p-code that must run in kernel memory. The latest DEF file release contained bad code that caused a NULL-pointer exception in kernel memory, resulting in a BSOD.
CrowdStrike’s regression testing should have caught this, and they have a lot to answer for.
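To illustrate the failure mode described above, here is an added example in C, not CrowdStrike’s or Microsoft’s code: a privileged component parses a constructed, hypothetical definition-file layout, first trusting every field it reads and then validating each field and failing closed so a malformed update is rejected instead of faulting. The file layout, handler table and function names are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, hypothetical update-file layout (not any vendor's real format):
 * uint32 entry count, then that many uint32 handler indices. The privileged
 * component dispatches each index through a fixed handler table. */
#define HANDLER_COUNT 3u
typedef int (*handler_fn)(void);
static int h_allow(void) { return 1; }
static int h_log(void)   { return 2; }
static int h_block(void) { return 3; }
static handler_fn handler_table[HANDLER_COUNT] = { h_allow, h_log, h_block };

/* Little-endian 32-bit read with no alignment assumptions. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Trusting version: believes the count and the indices the file supplies.
 * A short file reads past the buffer; an out-of-range index reads past the
 * table and calls through whatever is there (in a zeroed page, NULL).
 * In Ring 0 that is a bug check (BSOD), not a recoverable error. */
int apply_update_trusting(const uint8_t *blob, size_t len, int *out) {
    (void)len;                                   /* length is never consulted */
    uint32_t n = rd32(blob);
    int acc = 0;
    for (uint32_t i = 0; i < n; i++)
        acc += handler_table[rd32(blob + 4 + 4 * i)]();
    *out = acc;
    return 0;
}

/* Fail-closed version: every field taken from the file is validated before it
 * can influence control flow; a malformed update is rejected and the previously
 * loaded definitions stay in force. */
int apply_update_checked(const uint8_t *blob, size_t len, int *out) {
    if (blob == NULL || len < 4) return -1;
    uint32_t n = rd32(blob);
    if (n > (len - 4) / 4) return -1;            /* count must fit in the file */
    int acc = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t idx = rd32(blob + 4 + 4 * i);
        if (idx >= HANDLER_COUNT) return -1;     /* index must fit in the table */
        acc += handler_table[idx]();
    }
    *out = acc;
    return 0;
}

/* Constructed sample inputs: a well-formed file, and one whose entry points past the table. */
static const uint8_t good_file[] = { 2,0,0,0,  0,0,0,0,  2,0,0,0 };
static const uint8_t bad_file[]  = { 1,0,0,0,  9,0,0,0 };
```

The checked parser rejects both the out-of-range entry and a truncated header, which is the behaviour a kernel-resident consumer of unsigned update content needs; the trusting parser only behaves on well-formed input.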
One of my friends at Microsoft said he had nightmares about someone on the Windows Update team doing something much worse than this.
I worry about it too.