LibreOffice, OpenOffice Bug Allows Hackers To Spoof Signed Docs (bleepingcomputer.com)

LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents to appear as signed by a trusted source. Although the severity of the flaw is classified as moderate, the implications could be dire. BleepingComputer reports: The discovery of the flaw, which is tracked as CVE-2021-41832 for OpenOffice, was the work of four researchers at the Ruhr University Bochum. The same flaw impacts LibreOffice, which is a fork of OpenOffice spawned from the main project over a decade ago, and for their project is tracked as CVE-2021-25635. If you're using either of the open-source office suites, you're advised to upgrade to the latest available version immediately. For OpenOffice, that would be 4.1.10 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later. Since neither of these two applications offers auto-updating, you should do it manually by downloading the latest version from the respective download centers -- LibreOffice, OpenOffice. If you're using Linux and the aforementioned versions aren't available on your distribution's package manager yet, you are advised to download the "deb" or "rpm" package from the Download center or build LibreOffice from source. If updating to the latest version is not possible for any reason, you can always opt to completely disable the macro features on your office suite, or avoid trusting any documents containing macros.
This discussion has been archived. No new comments can be posted.

  • It's classified as moderate because nobody in their right mind should have trust in a word or OO doc.

    Or more specifically, full trust in the type of person who would send something critically important in a word doc.

    I'm glad they fixed the bug, but I don't see it as a big problem.

  • by brunoblack ( 7829338 ) on Monday October 11, 2021 @06:04PM (#61881889)

    I didn't even know Open Office could sign documents. I just use gpg to sign files so I can sign any files I want, not only the ones produced by Open Office. This way, anybody can easily check the signatures even if they don't use Open Office at all.

    • It also kinda-sorta can sign PDFs when exporting. The problem is that nobody would trust these PDFs on Windows, because Adobe Reader thinks they are modified after signing. See https://bugs.documentfoundatio... [documentfoundation.org], and note the number of spams on that almost 3-year-old bug.

  • by FeelGood314 ( 2516288 ) on Monday October 11, 2021 @07:30PM (#61882065)
    I helped write the standard for signing for many IoT device firmware updates and it is much harder to get right than you think. You have to know both who is supposed to be signing the file and have a way to get the correct signer's public signing key correctly. You also might have the possibility of only having part of a very large file but still want to validate the part that you have. Something like pgp is easy because the hard part of securely getting the correct public key of the signer is already done.
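
One common way to handle the partial-file case raised in the comment above is to sign a Merkle root over fixed-size chunks, so a single chunk can be checked with a short list of sibling hashes. This is an added example, not code from the thread or from the standard the commenter mentions; the chunk size, function names and sample image are assumptions, and the root and chunk count are assumed to have already been verified against the expected signer's key.

```python
import hashlib
import hmac

CHUNK = 4  # assumption: tiny chunk size so the sample stays readable
IMAGE = b"constructed firmware image"  # constructed sample, not real firmware

def _h(tag, data):
    # Domain-separate leaves (0x00) from interior nodes (0x01) so an
    # interior hash can never be passed off as a chunk hash.
    return hashlib.sha256(tag + data).digest()

def split(image, size=CHUNK):
    return [image[i:i + size] for i in range(0, len(image), size)]

def build_levels(chunks):
    """Signer side: every tree level, leaves first; an odd node is promoted."""
    levels = [[_h(b"\x00", c) for c in chunks]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([
            _h(b"\x01", cur[i] + cur[i + 1]) if i + 1 < len(cur) else cur[i]
            for i in range(0, len(cur), 2)
        ])
    return levels

def proof_for(levels, index):
    """Sibling hashes needed to rebuild the root from chunk `index`."""
    siblings = []
    for level in levels[:-1]:
        if index ^ 1 < len(level):
            siblings.append(level[index ^ 1])
        index //= 2
    return siblings

def verify_chunk(chunk, index, n_chunks, siblings, signed_root):
    """Device side: left/right order is derived from the signed chunk count
    and the claimed index, never taken from the (untrusted) proof."""
    if not 0 <= index < n_chunks:
        return False
    node, rest, width = _h(b"\x00", chunk), list(siblings), n_chunks
    while width > 1:
        sib = index ^ 1
        if sib < width:
            if not rest:
                return False  # proof too short
            s = rest.pop(0)
            node = _h(b"\x01", node + s if sib > index else s + node)
        index, width = index // 2, (width + 1) // 2
    # Leftover siblings mean a malformed proof; compare in constant time.
    return not rest and hmac.compare_digest(node, signed_root)
```

A chunk that verifies is only as trustworthy as the root it verifies against, which is why the signer-identity and key-distribution problem the comment describes still has to be solved first.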
