CrowdStrike,Falcon endpoint detection,Modzero,Hacker

In July 2024, CrowdStrike encountered a significant issue involving its Falcon endpoint detection and response product. The problem was initially discovered by Modzero, a Swiss security firm, which highlighted a vulnerability in the Falcon Sensor. The sensor is designed to refuse uninstallation unless a special token is supplied, but an attacker who already holds administrative privileges on a Windows device could bypass that check, remove the sensor, and so strip the host of the protection CrowdStrike's product provides.


The disclosure process was contentious. Modzero preferred not to use CrowdStrike's HackerOne-based bug bounty program and sought an alternative channel for reporting the vulnerability. This led to a series of exchanges in which CrowdStrike initially could not reproduce the issue and later downplayed its significance, although it implicitly acknowledged the problem by flagging Modzero's proof-of-concept as malicious and mitigating the flaw in newer sensor versions.


The vulnerability, identified as CVE-2022-2841, involves the Microsoft Installer (MSI) failing to correctly handle custom actions during uninstallation; the failure can be exploited by terminating specific processes. CrowdStrike noted that exploiting the flaw requires specialized software, local administrator access, and a system reboot, which in its assessment limits the overall risk. Despite this, the company informed its customers and reported the bug to Microsoft.


In a separate incident, on July 18, 2024, a CrowdStrike Falcon agent update caused connectivity issues and reboots for some Windows instances, Windows WorkSpaces, and AppStream applications. The problem was documented in the AWS Health Dashboard, and efforts were made to resolve the disruptions caused by the update.


For more details, you can refer to CrowdStrike's and Modzero's official statements on the issue, as well as the AWS Health Dashboard for information on the connectivity problems caused by the Falcon agent update.


CrowdStrike Issue Report - July 2024

Date: Jul 20, 2024

Author: The Mag Post
