I’m not sure people care about the technical details any more, but Microsoft published their own in-depth analysis in a blog post recently:
In their blog post, CrowdStrike describes the root cause as a memory safety issue—specifically a read out-of-bounds access violation in the CSagent driver.
Note that one new piece of information we got from this MS blog post is that far more than 8.5 million PCs were affected - those were just the PCs that were set up to report details of crashes. Microsoft didn’t say how many more, just that the 8.5M were a “subset” of the affected machines.
On the crash:
…we can see in the disassembly that there is a check for NULL before performing a read at the address specified in the R8 register…Our observations confirm CrowdStrike’s analysis that this was a read-out-of-bounds memory safety error in the CrowdStrike developed CSagent.sys driver.
So, not a NULL pointer (for which CrowdStrike did have a check in the code), but a bad pointer, which is somewhat harder to check for. But (unsaid in the blog), presumably using try/catch handling would have kept the driver from actually crashing on errors such as these.
Microsoft tamely and indirectly criticizes CrowdStrike’s approach:
It is possible today for security tools to balance security and reliability. For example, security vendors can use minimal sensors that run in kernel mode for data collection and enforcement limiting exposure to availability issues. The remainder of the key product functionality includes managing updates, parsing content, and other operations can occur isolated within user mode where recoverability is possible. This demonstrates the best practice of minimizing kernel usage while still maintaining a robust security posture and strong visibility.
IOW, CrowdStrike should have moved more functionality, like parsing content and handling updates, out of the kernel driver into regular user-mode applications, which are less likely to prevent systems from rebooting.
The rest of Microsoft’s blog post is mostly about the security mechanisms already in Windows, including its Microsoft Defender product.
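The NULL-check-versus-bad-pointer distinction from the post above, as an added C example that is not from the post and not Microsoft's or CrowdStrike's code: a lookup whose index comes from parsed content is resolved into a table of pointers and then read through. The table, its contents, the backing buffer standing in for "memory after the table", and the 0x9c sentinel are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model: the logical table is the first TABLE_SLOTS entries of a
 * larger backing buffer. The entries after it stand in for whatever memory
 * happens to follow the real table, so indexing past the end stays defined
 * in this demo while still showing what a missing bounds check does. */
#define TABLE_SLOTS 8
#define BACKING_SLOTS 16

typedef struct {
    const char *name;   /* NULL means the slot is unpopulated */
} rule_t;

/* Constructed sentinel: a non-NULL but invalid pointer, playing the role of
 * the bad value that passed the NULL check. It must never be dereferenced. */
#define BAD_PTR ((const char *)(uintptr_t)0x9c)

static rule_t g_backing[BACKING_SLOTS] = {
    { "rule-a" }, { "rule-b" }, { "rule-c" },            /* populated */
    { NULL }, { NULL }, { NULL }, { NULL }, { NULL },    /* empty, still in table */
    { BAD_PTR }, { BAD_PTR }, { BAD_PTR }, { BAD_PTR },  /* "memory after the table" */
    { BAD_PTR }, { BAD_PTR }, { BAD_PTR }, { BAD_PTR },
};
static rule_t *const g_rules = g_backing;   /* logical table of TABLE_SLOTS */

/* Weak lookup: checks for NULL but never checks the index. An index past the
 * end of the table yields garbage that is not NULL, so the NULL check passes
 * and the caller would go on to read through a bad pointer. */
int lookup_null_check_only(size_t index, const char **out)
{
    const rule_t *r = &g_rules[index];      /* no bounds check */
    if (r->name == NULL)
        return -1;                           /* only NULL is caught */
    *out = r->name;
    return 0;
}

/* Hardened lookup: validate the index before forming the pointer at all, and
 * treat an empty slot as an error rather than something to read through. */
int lookup_bounds_checked(size_t index, const char **out)
{
    if (index >= TABLE_SLOTS)
        return -2;                           /* out-of-range index rejected */
    if (g_rules[index].name == NULL)
        return -1;
    *out = g_rules[index].name;
    return 0;
}
```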