CrowdStrike Falcon

Winsage
November 19, 2024
Microsoft is introducing a feature called "Quick Machine Recovery" to help IT administrators remotely fix unbootable systems via Windows Update, following a significant outage in July 2024 caused by a problematic update to the CrowdStrike Falcon software. This outage affected various critical sectors globally, leading to issues like boot loops and the Blue Screen of Death for users. The Quick Machine Recovery feature will allow targeted fixes without physical access to the machines and is expected to roll out in early 2025 for Windows 11 Insider Program participants. Additionally, Microsoft is working with security vendors on the Microsoft Virus Initiative (MVI) to develop tools that allow security software to operate outside the Windows kernel, reducing risks associated with kernel-level access. This initiative includes adopting Safe Deployment Practices for gradual and monitored updates. A private preview of these developments will be available in July 2025. Microsoft has also launched a new Windows 11 administrator protection feature and is focusing significant resources on security challenges through its Secure Future Initiative (SFI).
Winsage
October 9, 2024
Microsoft released a patch for CVE-2024-43572, a vulnerability in the Microsoft Management Console, rated Important with a CVSS score of 7.8, allowing remote code execution through malicious MSC files. Another patch was issued for CVE-2024-43573, a Moderate spoofing vulnerability in the Windows MSHTML Platform with a CVSS score of 6.5, affecting multiple Microsoft products. Additionally, three critical vulnerabilities were identified: CVE-2024-43468 in Microsoft Configuration Manager (CVSS score 9.8), CVE-2024-43488 in the Arduino extension for Visual Studio Code (CVSS score 8.8), and CVE-2024-43582 in the Remote Desktop Protocol Server (CVSS score 8.1). The CrowdStrike Falcon® platform introduced a Patch Tuesday dashboard for tracking vulnerabilities, and organizations are encouraged to adopt comprehensive cybersecurity strategies beyond just patching.
Tech Optimizer
September 28, 2024
XDR (Extended Detection and Response) is a sophisticated alternative to traditional anti-virus software, particularly for enterprise environments. It employs advanced technologies for enhanced system protection and often includes endpoint protection. XDR differs from EDR (Endpoint Detection and Response) by aggregating threat data from various security layers, including email gateways, cloud environments, and networks, allowing it to identify threats like lateral movement. Traditional anti-virus software primarily relies on signature detection and often requires manual intervention from IT teams, while XDR integrates these functionalities with a holistic approach, analyzing connections and behaviors across the network for proactive threat management. Businesses handling sensitive information or operating in regulated industries are increasingly adopting XDR due to its ability to automate detection and response processes. In contrast, traditional anti-virus solutions remain sufficient for individual consumers, as most consumer-targeted attacks are less sophisticated.
Tech Optimizer
September 24, 2024
Bitdefender has introduced GravityZone Proactive Hardening and Attack Surface Reduction (PHASR) technology, which adapts security policies based on user behaviors. Integrity360 launched Continuous Threat Exposure Management (CTEM) as a Service in partnership with XM Cyber to help organizations manage cybersecurity risks. EC-Council released the Certified Ethical Hacker CEH v13, enhanced with AI capabilities for ethical hacking training. Rapid7 expanded its Managed Threat Complete solution to include third-party detections from CrowdStrike, SentinelOne, and Microsoft. DigiCert acquired Vercara, enhancing its cloud-based security services. ArmorCode added new modules for penetration testing management to its Application Security Posture Management platform. Chenega Corporation and CyberSheath achieved a perfect score on the Joint Surveillance Voluntary Assessment (JSVA), crucial for CMMC 2.0 compliance.
Tech Optimizer
September 20, 2024
Users of macOS 15, also known as 'Sequoia,' are experiencing network connection issues with certain endpoint detection and response (EDR) solutions, VPNs, and web browsers, particularly with CrowdStrike Falcon and ESET Endpoint Security. These problems seem to resolve when the tools are deactivated, indicating a compatibility issue with the operating system's network stack. Firewall configurations are causing packet corruption and SSL failures, affecting command-line tools like 'wget' and 'curl.' CrowdStrike has advised customers against upgrading to macOS 15 due to significant changes in networking structures, and similar warnings have been issued by SentinelOne Support. Users have reported connectivity issues with Mullvad VPN and corporate VPNs, while ProtonVPN appears to function without problems. ESET recommends removing ESET Network from the filters in System Settings to restore network functionality for certain versions of their software. Security researcher Wacław Jacek has suggested a temporary fix for firewall issues, and Mullvad VPN is aware of the problems and is working on a resolution. Users relying on EDR products, VPNs, or strict firewall configurations may want to delay upgrading to macOS 15 until these issues are resolved.
Winsage
August 15, 2024
Microsoft's August 2024 Patch Tuesday addressed 85 vulnerabilities, including six zero-day exploits: CVE-2024-38213, CVE-2024-38193, CVE-2024-38189, CVE-2024-38178, CVE-2024-38107, and CVE-2024-38106. Six vulnerabilities are classified as Critical, while the remaining 79 are rated Important or Moderate. The predominant risk types are elevation of privilege (37%) and remote code execution (35%). Windows products received 43 patches, with 21 for the Extended Security Update (ESU) releases and 8 for Microsoft Office.

Notable zero-day vulnerabilities include:

- CVE-2024-38189 in Microsoft Project (CVSS 8.8) allows remote code execution.
- CVE-2024-38193 in Windows Ancillary Function Driver for WinSock (CVSS 7.8) allows privilege escalation.
- CVE-2024-38107 in Windows Power Dependency Coordinator (CVSS 7.8) allows privilege escalation.
- CVE-2024-38178 in the Scripting Engine (CVSS 7.5) allows remote code execution.
- CVE-2024-38106 in the Windows kernel (CVSS 7.0) allows privilege escalation.
- CVE-2024-38213 in Windows Mark of the Web Security (CVSS 6.5) allows security warning bypass.

Critical vulnerabilities include:

- CVE-2024-38063 (CVSS 9.8) in Windows TCP/IP allows remote code execution.
- CVE-2024-38140 (CVSS 9.8) in Windows Reliable Multicast Transport Driver allows remote code execution.
- CVE-2024-38109 (CVSS 9.1) in Azure Health Bot allows privilege escalation.
- CVE-2024-38159 and CVE-2024-38160 (both CVSS 9.1) in Windows Network Virtualization allow remote code execution.
- CVE-2023-40547 (CVSS 8.8) impacts Secure Boot.

Additional vulnerabilities with an existing proof of concept include:

- CVE-2024-38199 (CVSS 9.8) in Windows Line Printer Daemon allows remote code execution.
- CVE-2024-38202 (CVSS 7.3) in Windows Update Stack allows privilege escalation.
- CVE-2024-21302 (CVSS 6.7) in Windows Secure Kernel Mode allows privilege escalation.
Winsage
August 12, 2024
A significant disruption occurred in the global landscape of Windows enterprise and business PCs due to a flawed CrowdStrike Falcon IPC Template Type, causing Blue Screens of Death (BSODs). Cybersecurity firm Fortra discovered a new vulnerability, CVE-2024-6768, in the Common Log File System (CLFS.sys) driver of Windows, affecting all versions of Windows 10 and Windows 11. This vulnerability is caused by improper validation of input data, leading to a denial-of-service-triggered BSOD. A crafted .BLF file can allow an unprivileged user to induce a system crash. The attack requires local access to the system. This flaw is similar to CVE-2023-36424, which Microsoft addressed in November 2023 updates.
Tech Optimizer
August 5, 2024
A global IT outage caused by a flawed software update from CrowdStrike has led to increased cybercriminal activity, with phishing campaigns and malware distribution targeting individuals and businesses. The outage, which began at 1:20 a.m. ET on Friday, affected organizations reliant on Windows computers using CrowdStrike Falcon, resulting in widespread system failures. The Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning about the surge in online criminal activity and advised caution when interacting with communications related to the incident. CrowdStrike's CEO, George Kurtz, acknowledged the disruption and the company's efforts to assist affected customers. CrowdStrike is working to deploy a previous version of its Falcon software and has provided workaround steps for users experiencing issues.
Winsage
August 2, 2024
In July 2024, a global disruption occurred due to a flawed update from CrowdStrike Falcon, identified as a problematic IPC Template Type in their Preliminary Post Incident Review. Microsoft later provided an explanation of the incident. Raymond Chen, a Microsoft developer, clarified authorship of the Blue Screen of Death (BSOD) in a blog post, stating there is no mystery regarding its creation. The original blue screen, referred to as the "blue screen of unhappiness," was created by Steve Ballmer for Windows 3.1. The first true BSOD kernel error was designed by John Vert for Windows NT 3.1 in 1993. Raymond Chen designed the BSOD for Windows 95, which allowed users to bypass the error message. The Windows 98 BSOD gained notoriety during a COMDEX keynote in 1998.
Winsage
July 28, 2024
Microsoft experienced a global outage linked to the CrowdStrike Falcon issue, affecting millions of users and various sectors, including banking and healthcare. Following this, a security update caused connectivity issues for Windows Server users, leading to disconnections every 30 minutes. The problem originated from security updates released in July, which disrupted remote desktop connections for organizations using the legacy RPC over HTTP protocol. Users reported frequent disconnections, particularly on Windows Server 2019. Microsoft acknowledged that certain Windows Server versions might face Remote Desktop connectivity problems due to these updates. The affected Windows Server releases include Windows Server 2022 (KB5040437), 2019 (KB5040430), 2016 (KB5040434), 2012 R2 (KB5040456), and 2012 (KB5040485). Microsoft is working on a solution and has suggested interim workarounds, such as blocking specific connections through firewall software and modifying the registry on client devices.