Word for Mac closes when using Zotero 6.0.27 plugin [caused by CrowdStrike antivirus software]

dstillman · September 6, 2023

This discussion was created from comments split from: Word (Mac) crashes when adding Footnote (Report ID: 197542060).

Latest update: https://forums.zotero.org/discussion/comment/443522/#Comment_443522

bethhoppe · September 6, 2023

I updated to 6.0.27 this morning and now every time I try to add a citation in Word (16.76.1), Word immediately crashes. I have restarted both programs, my computer entirely, and tried reinstalling the plugin.

sgoold · September 6, 2023

I'm having the same problem, same versions of Zotero and Word for Mac.

jhimmelreich · September 6, 2023

there seem to be a bunch of reports in the last 24hrs related to add citation in word
https://forums.zotero.org/discussion/comment/442907/#Comment_442907

dstillman · September 6, 2023

@bethhoppe, @sgoold: If you reinstall Zotero 6.0.26 over your current version in Applications, close Word, and reinstall the plugin from the Cite → Word Processors pane of the Zotero settings, does that fix it?

dstillman · September 6, 2023

We've pulled 6.0.27 for now, so you can re-download 6.0.26 from the download page, install it over your current version in Applications, and reinstall the plugin from the Cite → Word Processors pane of the Zotero settings to fix this. Your data won't be affected, and you won't be updated to 6.0.27. We'll release 6.0.28 soon with a fix. Sorry for the trouble.

sgoold · September 6, 2023

now it works. thanks

rwt123 · September 6, 2023

Hi @dstillman, I work at a university and have 1 person reporting this and what is happening is the AV/endpoint security program is blocking it. We use Crowdstrike. Our security team has a case with Crowdstrike about it as a false positive.

Reverting to 6.0.26 did not work. Word 16.76.1. M2 Macbook Air on 13.4.1 but it happened on an older OS version too.

Can't replicate this on an Intel Mac on 13.5.1

dstillman · September 6, 2023

@rwt123: It would be reverting to 6.0.26, reinstalling the Word plugin from the Zotero settings, and restarting Word. If that doesn’t fix it it’s not the same issue. This was a new problem in 6.0.27 (though we can’t reproduce it, so if it is caused by AV software that would make sense, and it would be great to know if that’s the case).

dstillman · September 6, 2023

@sgoold and others who were affected by this: Do you know if your computer has Crowdstrike AV software on it?

carolduhleong · September 7, 2023

This was happening to me today too. The fix suggested above worked for me. I do have Crowdstrike Falcon on my work computer. I deeply appreciate this thread - I use Zotero every day all day so I was sad until this fix. :)

elichten · September 7, 2023

With 6.0.27 today my Word wasn't crashing but it popped up an error box when trying to do anything with the Zotero plugin (set preferences, insert reference). I was able to drag references from Zotero into a new Word document (without formatting). Installing 6.0.26 restored Zotero Word plug-in functionality. It looks like my university uses Crowdstrike Falcon. The application is on my computer (which was set up by campus IT), and I found this page: https://itservices.cas.unt.edu/software/antivirus-crowdstrike-setup-mcafee-removal.

Thanks for the quick fix!

dstillman · September 7, 2023

Important: If you were experiencing this, please report it to your IT department and have them report it to CrowdStrike ASAP, and let us know if you hear back that it's been fixed. This isn't a problem in Zotero at all~~, and while we've temporarily pulled 6.0.27 due to this problem with CrowdStrike, we do need to put 6.0.27 back out soon~~.

[Update: This has been fixed by CrowdStrike, as noted below, and we've re-released 6.0.27. If you're still seeing this, ask your IT department to update CrowdStrike to allow this. Staying on 6.0.26 isn't an permanent fix.]

pgcudahy · September 7, 2023

It happened to me as well with Crowdstrike Falcon. Reverting to 6.0.26 fixed the issue.

ahmontgo · September 7, 2023

Same here. Reverting to 6.0.26 *and* reinstalling the Word plugin fixed it. My IT has reported it to Crowdstrike.

rubytuesdayZ · September 7, 2023

This fix worked for me - thank goodness. Wish I would have found this thread much sooner! Also, I do have Crowdstrike Falcon on my computer. Thank you!

dstillman · September 13, 2023

For those who have reported this to their IT departments or CrowdStrike (e.g., @rwt123), have you heard back about any fix here? We do need to release 6.0.27.

rwt123 · September 14, 2023

@dstillman we did receive a notice on 9/8/23 that "CrowdStrike engineers allowlisted the activity related to Zotero", so I would expect that you are alright there.

dstillman · September 14, 2023

@rwt123: OK, great. We've now made 6.0.27 available again to Mac users. Thanks for identifying the problem and for reporting it to CrowdStrike.

elichten · September 18, 2023

@dstillman, Zotero just auto-updated again on my computer and the Word plugin stopped working. My university was going to report the issue to Crowdstrike, but has not told me what they heard back.

dstillman · September 18, 2023

@elichten: You should ask your IT department to make sure they've updated to the latest CrowdStrike rules (or however it works). This was never a problem in Zotero, and there's nothing else we can do here.

eduser · September 26, 2023

Hi I just wanted to reignite this conversation. I am an admin at my institution and we use Jamf protect for AV. Jamf Protect isn't blocking the plugin like others have experienced on Cloud Strike since we haven't configured it to do this. However we are receiving multiple email alerts every time someone is running Zotero 6.0.27.

I see you are now using Curl to make the http request between the plugin and the Zotero app. It looks like this new method is what is being deemed a risk by various AV products.

I will post the information from our alerts here for context as to why it is being seen as a security risk:

SuspiciousOfficeActivity
Microsoft Office runs a number software child processes on the regular. This analytic looks for some of the ones used frequently in attacks that do not occur regularly under the Office suite implying a malicious Office macro may have been executed.

curl (8974)
Process Arguments

curl -s -o /dev/null -I -w %{http_code} -X GET http://127.0.0.1:23119/integration/macWordCommand?agent=MacWord16&command=addEditCitation&document=/Applications/Microsoft Word.app/&templateVersion=2

bash (8973)
Process Arguments

sh -c curl -s -o /dev/null -I -w '%{http_code}' -X GET 'http://127.0.0.1:23119/integration/macWordCommand?agent=MacWord16&command=addEditCitation&document=/Applications/Microsoft Word.app/&templateVersion [26 characters truncated]

We have stopped updating Zotero to this latest version due to these many alerts we receive multiple times per user on version 6.27.

I could create a rule in our AV to exempt these alerts, but this would be for any alerts triggered by the curl command. Not something I feel comfortable doing.

I would suggest maybe revisiting the changes you have made to the way the plugin works. It concerns me that this is the way forward since it appears to be a method used by malware developers and Apple/AV view it as a risk.

dstillman · September 27, 2023

@eduser: I'm not sure what you mean by "Apple" viewing it as a risk — this is about false positives in AV software. The flagging here has nothing to do with Apple.

Unfortunately we just don't currently have an alternative here. macOS Sonoma makes app-sandboxing changes that prevent the previous Word-to-Zotero communication method from working without triggering a permissions prompt every single time you start Zotero, with no way to allow it permanently. That's just not an acceptable user experience, so communicating via HTTP to localhost is the only option. And we can't detect the macOS version from within Word, so we need to switch to this method for all macOS versions.

You should report this to Jamf. Having default detectors flag an unexpected process call is fine, but they obviously should be able to allow exceptions at a more granular level than the process name. There's nothing dangerous or unusual about using localhost HTTP for IPC.

We're working with Microsoft to improve a new Word API so that we can offer a new, greatly improved version of the plugin, which among other things should eliminate the need for the curl call (though it will still use localhost HTTP). That likely won't be available until next year, though.

JSwim · September 29, 2023

I went to the download link provided in this email chain. It is still downloading 6.0.27 and my word program is still crashing.

dstillman · September 29, 2023

@JSwim: As explained above, there was no problem in Zotero itself here, and we've re-released 6.0.27, which is required for macOS Sonoma compatibility. If you have CrowdStrike installed, you'll need to ask your IT department to update it to fix this false positive, as discussed above. There's a link to 6.0.26 above, but staying on 6.0.26 isn't an option — it won't work in macOS Sonoma, things will stop working eventually, and we can't provide support for old versions.

JSwim · September 29, 2023

Thanks for the note. I did contact them and sent them to this email chain. I'll try again with this response.