if (CrowdStrike[20] == null)
August 8, 2024
So, after tens of thousands of Windows PCs running enterprise-level anti-malware software got taken down by, erm, the anti-malware software to the extent that every machine required manual intervention, CrowdStrike, the vendor of said anti-malware software has published a report detailing what caused this embarrassing (for them) incident…
12 pages of politician-level flim-flam to describe the fact they did not check the length of an array before accessing the 21st element.
As you read through that report, remember someone got paid some serious money to write over 3,900 words including a detailed disassembly debug to explain that no bounds-checks were done at runtime, and how that somehow “evaded multiple layers of build validation and testing”.
This is enterprise-level multi-million-dollar corporate shizzle, and their testing did apparently not include actually trying to boot a machine with the update installed, or any tests to check that the expected number of inputs matched the actual number of inputs.
The absolute state of corporate software development is something to behold.
EOL