Did a font change in a PDF cause the Crowdstrike fail?

Uwe Ziegenhagen ziegenhagen at gmail.com
Fri Jul 19 18:17:34 CEST 2024


I have some doubts that this would be the root cause. The issue occurred
during the boot of the Windows machines, not during the check of a (PDF)
file.

Uwe

On Fri, 19 July 2024 at 17:12, Jonathan Fine <
jfine2358 at gmail.com> wrote:

> Hi
>
> This is prompted by today's Crowdstrike anti-virus failure. It has brought
> many systems down. Its fix often requires a technician to be physically
> present during boot, so that safe-boot and recovery can take place. It will
> be a while before this can be done on all affected machines.
>
> The failure was due to a "content update" to Crowdstrike. According to
> BBC's Joe Tidy, a content update could be "something innocuous [such] as
> changing a font or logo" in the design side of the software. But Joe Tidy
> then goes on to ask: "how could a small update do so much damage?"
>
> Indeed. Perhaps unrelated is the vulnerability CVE-2024-4367, announced on
> 29 May 2024. And the vulnerability is described as "A type check was
> missing when handling fonts in PDF.js, which would allow arbitrary
> JavaScript execution in the PDF.js context." Codean points out that this
> exploit can lead to native code execution on at least one popular Electron
> app.
>
> This vulnerability was discovered by Codean Labs. It relies on the PDF
> standard allowing a PDF document "to specify a custom FontMatrix value
> outside of a font, namely in a metadata object in the PDF!" And the lack of
> a type check in PDF.js allows arbitrary JavaScript to be executed in the
> PDF.js context.
>
> I've no way of knowing what was the cause of the Crowdstrike failure. I do
> know that if Crowdstrike used PDF.js then it is plausible that the failure
> is a CVE-2024-4367 exploit. We'll have to wait and see. But surely it is
> clear that Codean has found yet another serious PDF bug, arising from the
> size of the standard and the complexity of the interactions between the
> different parts.
>
> I don't recall how I first became aware of this vulnerability. Here are
> the URLs I quoted from:
> BBC:
> https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3Abd501d28-fe49-4e4e-8605-194da98eeb6c#post
> NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-4367
> Codeanlabs:
> https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
>
> The question was did a font change in a PDF cause the Crowdstrike fail? My
> answer is maybe, we'll just have to wait and see.
>
> with kind regards
>
> Jonathan
>


-- 
Dr. Uwe Ziegenhagen
0179-7476050
<http://www.uweziegenhagen.de>
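The "missing type check" named in the quoted CVE-2024-4367 description, as an added example that is not part of this thread and is not PDF.js's own code: a strict validator for a PDF FontMatrix value (assumed shape: an array of exactly six finite numbers, falling back to the usual 1/1000 default matrix) that rejects strings, objects and malformed arrays instead of passing untrusted input through.

```javascript
// Added example (not PDF.js code): a strict type check for a PDF FontMatrix
// value, the class of check whose absence the CVE-2024-4367 description names.
// A FontMatrix is accepted only as an array of exactly six finite numbers;
// anything else (a string, an object with a custom toString, a short or
// nested array, NaN/Infinity) is rejected and the default matrix is used.

const DEFAULT_FONT_MATRIX = Object.freeze([0.001, 0, 0, 0.001, 0, 0]);

function isValidFontMatrix(value) {
  if (!Array.isArray(value) || value.length !== 6) return false;
  return value.every((n) => typeof n === 'number' && Number.isFinite(n));
}

// Returns a fresh, validated matrix; untrusted input never flows on as-is.
function sanitizeFontMatrix(value) {
  return isValidFontMatrix(value) ? value.slice() : DEFAULT_FONT_MATRIX.slice();
}

// Constructed sample inputs standing in for values parsed out of a PDF
// (hypothetical, not taken from any real document).
const samples = {
  wellFormed: [0.001, 0, 0, 0.001, 0, 0],
  stringValue: '0.001 0 0 0.001 0 0',              // a string, not numbers
  tooShort: [0.001, 0, 0, 0.001],
  nonFinite: [0.001, 0, 0, NaN, 0, 0],
  objectValue: { toString() { return '0.001'; } }, // coerces, but is not an array
  nested: [[0.001], 0, 0, 0.001, 0, 0],
};

// Maps each sample name to whether the validator accepts it.
function checkSamples() {
  const result = {};
  for (const [name, value] of Object.entries(samples)) {
    result[name] = isValidFontMatrix(value);
  }
  return result;
}

console.log(checkSamples());
```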

