Zotero Word Plug-in blocked by Carbon Black

Hello,

At my University, we are using Carbon Black as a security program. Since it was installed, I can no longer use my Zotero word plug-in on my Mac. This is what my IT person said:

"Unfortunately, there isn't anything else we can do Carbon Black wise as Zotero is a problematic add-on when used from a Mac device. As far as why, I'd guess it was running a non-compliant OS version for the CB version that was running previously which puts the sensor into bypass and was likely recently upgraded and switched it to a supported version which took the sensor out of bypass."

Does anyone have recommendations on what can be done to fix this? Thx.
  • edited May 22, 2024
    I've never heard of Carbon Black (from VMware, apparently), but your IT department would need to report this to them and get this fixed as a false positive. I have no idea what they think they mean by "Zotero is a problematic add-on when used from a Mac device", but that's obviously ridiculous. If they have specific technical questions, we can answer them.
  • (And given that your university library has recommended Zotero for years, you might be able to enlist their help in intervening with IT.)
  • And as for why this would've changed, Zotero needs to use a different communication method from Word to Zotero for macOS Sonoma. Sonoma came out last fall, but if you only recently upgraded to Sonoma and CB is blocking HTTP requests to localhost from Word, you'd get a communication error from the plugin.

    Your IT department can test the request in question by running this from Terminal:

    curl -s -o /dev/null -I -w '%{http_code}' -X GET 'http://127.0.0.1:23119/integration/macWordCommand?agent=MacWord16&command=addEditCitation&document=/Applications/Microsoft%20Word.app/&templateVersion=2'

    With Zotero open, this should return 200 and open the document preferences window or citation dialog.
  • Thank you so much! I've sent this information to my IT colleagues and we are working to identify the root of the problem. I appreciate your time and attention to helping us.
  • Hello, my name is Zander and I work in the IT Security department at UNM Health Sciences Center.

    I would like to clarify that the issue is that on the Sonoma version of macOS our VMware - Carbon Black (CB) is blocking Word's attempt to launch SH. Note that CB is not blocking the Zotero application, CB is blocking Word's call to SH. Is there something we can present to CB that would indicate this Word call to SH is initiated by the Zotero application?
  • edited July 26, 2024
    @zanderpegues: Sorry for not responding at the time. It looks like people from your university are still experiencing this.

    We currently have no other way of connecting from Word to Zotero in Sonoma, so you'd need to work with VMware to figure out a way to stop blocking the plugin's legitimate calls.
  • Thanks for the reply @dstillman, we are now having a more widespread issue with this. Students with personal devices who do not have Carbon Black on their Macs are now either not able to download or use Zotero. One teacher reported the following: All of her students brought their own laptops to class, and unfortunately, every single student had a Mac. Half of the students couldn't even download Zotero onto their laptops. Needless to say, the class was difficult to teach, and it was hard convincing students that this is a useful product and something that will make their life easier.

    Our best guess is that any antivirus system installed on these students' personal machines must also be blocking Zotero. We are hoping you are able to find a way to resolve this issue on the Zotero end as we do not have the capability or rights to manipulate personally owned/managed devices.
  • edited July 30, 2024
    @zanderpegues: You’d have to say more, or send them here. Zotero is developed primarily on Macs, and there’s certainly no general problem running Zotero on macOS. Macs also generally wouldn’t have AV software unless it’s something recommended or required by your institution (and we’re not aware of any AV software other than Carbon Black that’s interfering with Zotero at all, let alone blocking it from running).
  • edited September 5, 2024
    [Merged from a separate thread — D.S.]

    We experienced similar problems with Carbon Black with Macs running Sonoma. It appears that Zotero wants to allow Word on Macs to run scripts. We could assign an exception for Zotero, but it is an unsigned app, so we can't narrow it down. We aren't willing to give unlimited permission to run scripts from Word. Our users are mad at cybersecurity, but we are hoping Zotero will address the issue.

    On PCs with Carbon Black, it runs fine, because the launch mechanism within Windows is different.
  • This is not going to change in the near future. The Zotero plugin in Word needs to communicate to Zotero, and the only way to do it at the moment on Sonoma and later is to run an AppleScript command (which in turn performs an HTTP request to Zotero).
  • We could assign an exception for Zotero, but it is an unsigned app, so we can't narrow it down.
    @m_w_mm: Just to clarify, Zotero is a signed app, and has been for many years. The thing Carbon Black would be flagging here is Word calling curl, because HTTP is the only way we can currently communicate with Zotero on Sonoma and up. If you have some way to allow specific command lines, that would be an option. But the only actual apps involved here are Word and curl.
  • @m_w_mm: I've merged your posts into this existing thread. FWIW, your university is the only one we've gotten reports from about this since this change for Sonoma a year ago.
  • I'd like to further clarify, Word doesn't seem to be calling curl directly; Word is calling /bin/sh, which then should launch the curl command. We're not even getting to the point where the curl command is being used, it's the call from Word directly to /bin/sh that is the concern. While those are both legitimate applications/processes, it's the interaction between the two processes that causes the security concern for Carbon Black.

    Screenshot of Carbon Black alert:
    https://s3.amazonaws.com/zotero.org/images/forums/u14405699/l9smoygfwyygxd4rs5gv.png
  • Did I not read in another thread that Crowdstrike is choking on this as well? Indeed, we are also puzzled why others aren't reporting it. Our speculation is that there are not a lot of orgs running AV/EDR on corporate-owned Macs running Sonoma. We talked with Apple about it this week and the rep thought that was a plausible explanation. BTW, the Apple rep also had some suggestions for how to do the calls more securely. Happy to pass that info along if Zotero is interested.

    As mentioned in an earlier post, signing the app would be a simple interim solution, since we could specifically whitelist Zotero, as opposed to allowing these types of calls for any application. Zotero has us in a real bind, because many users rely on it. Yet with ransomware an existential threat to universities, we can't ignore cybersecurity vulnerabilities like this.
  • Sorry, I wasn't specific - the /bin/sh call is not signed. --Mike
  • edited September 6, 2024
    @zanderpegues:
    I'd like to further clarify, Word doesn't seem to be calling curl directly; Word is calling /bin/sh, which then should launch the curl command. We're not even getting to the point where the curl command is being used
    We use the do shell script AppleScript command, called from VBA via either the MacScript function or a Zotero.scpt file run via the AppleScriptTask function. I would expect that the full command line includes the curl command we're running. Other programs apparently have no problem seeing it.

    @m_w_mm:
    Did I not read in another thread that Crowdstrike is choking on this as well?
    I meant we haven't heard from anyone else using Carbon Black other than from your university. But no: CrowdStrike was blocking this initially, and they fixed it last September, within a few days of it being reported. The people you need to complain to here are VMware.
    the /bin/sh call is not signed
    This is not a phrase that means anything. "calls" aren't signed. /bin/sh is part of the OS. There's nothing from Zotero that can be signed that isn't signed. Again, the Zotero app is signed, but that's not relevant here, because the call is coming from Word.
    BTW, the Apple rep also had some suggestions for how to do the calls more securely. Happy to pass that info along if Zotero is interested.
    I mean, you're obviously welcome to repeat what they said, here or in an email to support@zotero.org. We're working with Microsoft on Word API improvements that will make it possible to integrate another way, but as it is, this is the only way we're aware of doing this communication in Sonoma and later, and Carbon Black's competitor apparently had no problem allowing just these curl commands a year ago.
  • how to do the calls more securely
    we can't ignore cybersecurity vulnerabilities like this.
    Also, I want to be very clear here: there is absolutely nothing insecure about what Zotero is doing. This is not a “vulnerability”. We are making a fixed set of curl calls to our own app via localhost. Any competent security vendor should be able to allow just those commands.
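    The narrow allow-list the thread asks for (permit only the fixed curl request from Word to Zotero on localhost:23119, alert on any other Word-to-shell spawn) written out as a small Python triage routine over constructed EDR-style process events. This is an added example, not Zotero's or Carbon Black's code; the event field names, the accepted host names and the `KNOWN_COMMANDS` set (only the command seen in this thread) are assumptions.

```python
import shlex
from urllib.parse import parse_qs, urlsplit

# Facts from the thread: Word runs an AppleScript "do shell script", which
# spawns /bin/sh -c "curl ... http://127.0.0.1:23119/integration/macWordCommand?..."
ZOTERO_HOSTS = {"127.0.0.1", "localhost"}   # assumption: accept both spellings
ZOTERO_PORT = 23119
ZOTERO_PATH = "/integration/macWordCommand"
# Assumption: only the command observed on this page; extend from real telemetry.
KNOWN_COMMANDS = {"addEditCitation"}

def is_zotero_integration_call(cmdline: str) -> bool:
    """True only for the fixed Zotero curl request, optionally wrapped in /bin/sh -c."""
    try:
        argv = shlex.split(cmdline)
        # Unwrap the "/bin/sh -c '<command>'" layer the EDR actually sees
        if len(argv) >= 3 and argv[0].endswith("/sh") and argv[1] == "-c":
            argv = shlex.split(argv[2])
    except ValueError:          # unbalanced quotes: never allow what we cannot parse
        return False
    if not argv or not argv[0].endswith("curl"):
        return False
    urls = [a for a in argv[1:] if a.startswith("http://") or a.startswith("https://")]
    if len(urls) != 1:          # exactly one target URL, nothing piped anywhere else
        return False
    u = urlsplit(urls[0])
    if u.scheme != "http" or u.hostname not in ZOTERO_HOSTS or u.port != ZOTERO_PORT:
        return False
    if u.path != ZOTERO_PATH:
        return False
    q = parse_qs(u.query)       # also decodes %20 in the document parameter
    if q.get("agent") != ["MacWord16"]:
        return False
    return q.get("command", [""])[0] in KNOWN_COMMANDS

def triage(event: dict) -> str:
    """'ignore' if the parent is not Word, 'allow' for the known Zotero call, else 'alert'."""
    if event.get("parent") != "Microsoft Word":
        return "ignore"
    return "allow" if is_zotero_integration_call(event.get("cmdline", "")) else "alert"

# Constructed sample events (not real Carbon Black telemetry)
SAMPLE_EVENTS = [
    {"parent": "Microsoft Word", "cmdline":
     "/bin/sh -c \"curl -s -o /dev/null -I -w '%{http_code}' -X GET "
     "'http://127.0.0.1:23119/integration/macWordCommand?agent=MacWord16"
     "&command=addEditCitation&document=/Applications/Microsoft%20Word.app/&templateVersion=2'\""},
    {"parent": "Microsoft Word", "cmdline": "/bin/sh -c 'curl http://example.com/'"},
    {"parent": "Finder", "cmdline": "/bin/sh -c 'ls -la'"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), "<-", ev["cmdline"][:60])
```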