<div dir="ltr"><div class="gmail_default" style="font-family:times new roman,serif">I have some doubts, that this would be the root cause. The issue occured during the boot of the Windows machines, not during the check of a (PDF) file.</div><div class="gmail_default" style="font-family:times new roman,serif"><br></div><div class="gmail_default" style="font-family:times new roman,serif">Uwe<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Am Fr., 19. Juli 2024 um 17:12 Uhr schrieb Jonathan Fine <<a href="mailto:jfine2358@gmail.com">jfine2358@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi</div><div><br></div><div>This is prompted by today's Crowdstrike anti-virus failure. It has brought many systems down. Its fix often requires a technician to be physically present during boot, so that safe-boot and recovery can take place. It will be a while before this can be done on all affected machines.</div><div><br></div><div>The failure was due to a "content update" to Crowdstrike. According to BBC's Joe Tidy, a content update could be "something innocuous [such] as changing a font or logo" in the design side of the software. But Joe Tidy then goes on to ask: "how could a small update do so much damage?"</div><div><br></div><div>Indeed. Perhaps unrelated is the vulnerability CVE-2024-4367, announced on 29 May 2024. And the vulnerability is described as "A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context." Codean points out that this exploit can lead to native code execution on at least one popular electron app.<br></div><div><br></div><div>This vulnerability was discovered by Codean Labs. It relies on the PDF standard allowing a PDF document "to specify a custom FontMatrix value outside of a font, namely in a metadata object in the PDF!" And the lack of a type check in PDF.js allows arbitrary JavaScript to be executed in the PDF.js context.</div><div><br></div><div>I've no way of knowing what was the cause of the Crowdstrike failure. I do know that if Crowdstrike used PDF.js then it is plausible that the failure is a CVE-2024-4367 exploit. We'll have to wait and see. But surely it is clear that Codean has found yet another serious PDF bug, arising from the size of the standard and the complexity of the interactions between the different parts.</div><div><br></div><div>I don't recall how I first became aware of this vulnerability. Here are the URLs I quoted from:<br></div><div>BBC: <a href="https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3Abd501d28-fe49-4e4e-8605-194da98eeb6c#post" target="_blank">https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3Abd501d28-fe49-4e4e-8605-194da98eeb6c#post</a></div><div>NIST: <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-4367" target="_blank">https://nvd.nist.gov/vuln/detail/CVE-2024-4367</a></div><div>Codeanlabs: <a href="https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/" target="_blank">https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/</a></div><div><br></div><div>The question was did a font change in a PDF cause the Crowdstrike fail? My answer is maybe, we'll just have to wait and see.<br></div><div><br></div><div>with kind regards</div><div><br></div><div>Jonathan<br></div></div>
</blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Dr. Uwe Ziegenhagen</div><div>0179-7476050<br><<a href="http://www.uweziegenhagen.de" target="_blank">http://www.uweziegenhagen.de</a>></div></div></div>