When I wrote my first post about CrowdStrike, I had a feeling that it was not as simple as it looked. My initial assumption was that their driver had a bug, but I have the following issues with this assumption:

  1. How could they deploy a new driver to so many computers and never see any issues, if this driver prevents Windows from starting up?
  2. How can a driver update itself? Technically it is possible, but I have never heard of that. Keep in mind that updating the driver from a user-mode application could be a potential vulnerability.
  3. Also, I was thinking about how the driver could identify a crash during Windows startup and switch to some kind of safe mode to avoid this problem in the first place. But that also looks like a vulnerability: all you need to do is force the driver into this mode to disable it.
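To make the concern in point 3 concrete, here is an added example, written for this page; it is not CrowdStrike's code and not anything the post examined. It is a user-mode C simulation of a hypothetical "failed boots" counter that a driver could persist across reboots (in a registry value or a file) to detect a startup crash loop and fall back to a safe mode. The threshold, the mode names and the functions are assumptions for illustration. It shows the intended behaviour on a crash loop and on a healthy machine, and then the weakness the post points at: whoever can write the persisted counter forces safe mode without a single crash.

```c
#include <stdio.h>

/* Hypothetical threshold, chosen for this illustration only. */
#define MAX_FAILED_BOOTS 3

enum driver_mode { MODE_FULL, MODE_SAFE };

/* State a real driver would persist across reboots (registry value, file on disk, ...).
 * Here it is just a struct so the logic can run in user mode. */
struct boot_state {
    unsigned failed_boots;
};

/* Early in driver start: read the counter, decide the mode, and record that this boot
 * is "in progress". The increment happens before the risky work, so a crash during
 * startup leaves the counter incremented for the next boot to see. */
enum driver_mode choose_mode(struct boot_state *st)
{
    if (st->failed_boots >= MAX_FAILED_BOOTS)
        return MODE_SAFE;          /* skip the risky parts so Windows can boot */
    st->failed_boots++;
    return MODE_FULL;
}

/* Later, once the system is known to be healthy (for example after user logon):
 * clear the counter so isolated crashes do not accumulate. */
void mark_boot_good(struct boot_state *st)
{
    st->failed_boots = 0;
}

/* Intended behaviour: every boot crashes before mark_boot_good() runs.
 * Returns the number of the boot on which the driver gives up and enters safe mode. */
int boots_until_safe_mode(void)
{
    struct boot_state st = { 0 };
    int boot = 0;
    for (;;) {
        boot++;
        if (choose_mode(&st) == MODE_SAFE)
            return boot;
        /* crash: mark_boot_good() never runs, so the counter stays incremented */
    }
}

/* Healthy machine: boots succeed, the counter is reset each time, the driver stays in full mode.
 * Returns 1 if full mode was kept for all boots, 0 otherwise. */
int healthy_boots_keep_full_mode(int boots)
{
    struct boot_state st = { 0 };
    for (int i = 0; i < boots; i++) {
        if (choose_mode(&st) != MODE_FULL)
            return 0;
        mark_boot_good(&st);
    }
    return 1;
}

/* The weakness: an attacker who can write the persisted state (anyone allowed to edit the
 * registry value or file it lives in) sets the counter past the threshold. The very next
 * boot starts in safe mode although nothing ever crashed. Returns 1 if that worked. */
int attacker_forces_safe_mode(void)
{
    struct boot_state st = { 0 };
    st.failed_boots = MAX_FAILED_BOOTS;      /* forged value, not the result of real crashes */
    return choose_mode(&st) == MODE_SAFE;
}

int main(void)
{
    printf("crash loop: safe mode entered on boot %d\n", boots_until_safe_mode());
    printf("healthy machine keeps full mode: %s\n", healthy_boots_keep_full_mode(10) ? "yes" : "no");
    printf("forged counter disables the driver without a crash: %s\n",
           attacker_forces_safe_mode() ? "yes" : "no");
    return 0;
}
```

The takeaway for anyone designing such a fallback, and this is my own observation rather than something the post establishes: the persisted counter has to be writable only by the driver itself (or at least be tamper-evident), and entering safe mode should be loud, reported to the management backend and visible in logs, rather than silent. Otherwise the crash-recovery path doubles as a switch that turns the protection off.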