LibreOffice handlers defend suite

Interview The Document Foundation, custodian of LibreOffice, has defended the security of the suite after an attempt to fix a code execution flaw turned out to be "partial."

"So far in the history of LibreOffice we have been able to patch all security issues before they reached the end user," a spokesman told The Reg. "For the latter, we have a patch for version 6.2.5 which unfortunately is partial because there are other ways to activate the vulnerability. This will be patched in version 6.3, which will be released next week, and in 6.2.6."


The problem relates to the LibreLogo feature, which converts simple graphics drawing instructions in the document into Python code and executes it. By wiring the LibreLogo Run command to document events, arbitrary Python code can be executed automatically. This code can execute system commands to take over the computer.
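For triage of received documents, the following added example (not code from the article or from The Document Foundation) lists every script URL bound inside an OpenDocument package and flags those that target LibreLogo. It assumes the binding is stored as an `xlink:href` attribute using LibreOffice's `vnd.sun.star.script:` URL scheme; the sample document and its placeholder target are constructed, and a clean result covers only this one way of triggering the script.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
EVENT_NAME = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}event-name"
SCRIPT_SCHEME = "vnd.sun.star.script:"  # LibreOffice scripting-framework URLs
MAX_PART_BYTES = 50 * 1024 * 1024       # cap on one XML part (zip-bomb guard)

def script_bindings(odf_bytes):
    """Return (part, event name, href) for each script URL in the package.

    Raises on oversized or malformed XML parts so the caller can quarantine
    the file instead of treating an unreadable part as clean.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".xml"):
                continue
            if info.file_size > MAX_PART_BYTES:
                raise ValueError(f"{info.filename}: part too large to scan")
            root = ET.fromstring(zf.read(info))
            for el in root.iter():
                href = el.get(XLINK_HREF, "")
                if href.lower().startswith(SCRIPT_SCHEME):
                    hits.append((info.filename, el.get(EVENT_NAME, ""), href))
    return hits

def librelogo_bindings(odf_bytes):
    """Subset of script bindings whose target mentions LibreLogo."""
    return [h for h in script_bindings(odf_bytes) if "librelogo" in h[2].lower()]

def make_sample(href):
    """Constructed test package: content.xml with one event listener."""
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<office:scripts><office:event-listeners>'
        f'<script:event-listener script:event-name="dom:load" xlink:href="{href}"/>'
        '</office:event-listeners></office:scripts></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

Any hit from `librelogo_bindings` on an inbound file is worth quarantining, since ordinary documents have no reason to bind an event to the bundled LibreLogo script.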

According to this notice last month, CVE-2019-9848 was disclosed to the LibreOffice team on June 4, was believed to have been fixed with the release of version 6.2.5 on July 1, and was disclosed to the public on July 26. However, a few days later, users noticed that the flaw was still present.

We asked the foundation why version 6.1.6, known to be vulnerable, was still prominent on the download page, and indeed recommended for commercial users. "We maintain two versions and for business implementations we suggest the previous one because it is more proven," they told us.

Shortly after our interview, the foundation said that version 6.1.6 had been removed from its prominent position, although that is of limited comfort, since 6.2.5 is only a bit better and is still vulnerable.

Another question is why the built-in LibreOffice macros still run without asking even when macro security is set to the highest level. "The problem in this case is not a macro, it is a program that triggers Python," they told us. "The default LibreOffice configuration will not run any type of macro. The next patch will cover all the potential ways to activate LibreLogo, but we are also evaluating the transformation of LibreLogo into an extension, to be more secure."


Macros or not macros? These will run without asking in any security configuration

Despite this statement, the LibreLogo Run command certainly looks like a macro. It is in the LibreOffice library, where it appears in the "LibreOffice Macros" list. That said, these are not user macros. "They run because they are part of the LibreOffice installation. They have been there for years and have not given any problems." Many of them, we were told, "have been there since the time of OpenOffice," referring to the fact that LibreOffice was a fork of what is now Apache OpenOffice.

Unfortunately, the age of the code is not proof of its security. It also seems questionable that these macros bypass security settings, although we were also told that "they were verified twice at the time of CVE-2018-16858, where it was known that integrated scripts could be silently called from event handlers of documents". This previous vulnerability was reported in November 2018.

The foundation maintains that it has high security standards. "Although we are an open source project, we have more than 100 million users, probably about 200 million users. We have a group of specialists who handle security, exactly as it is for a company like Microsoft. We have people working in companies such as Red Hat that are responsible for the security of LibreOffice. We use a number of tools, such as Coverity Scan, as one of the sources of potential vulnerability information. We also work with security laboratories that perform penetration tests. Vulnerability data, you will see that the number that affects LibreOffice is quite limited."

"ODM (OpenDocument) files are much safer than Microsoft Office files, because they are cleaner, easier to understand and more consistent."

What happens now? In a couple of weeks, if all goes well, both current versions will be replaced by fixed releases. Meanwhile, the advice is to disable LibreLogo.

"The suggestion for users is to always be very careful with what they open," the foundation added. This is true, of course, but malicious emails can be convincing, and inevitably not all users will follow best practices.

The episode has overshadowed the news that the UK government has joined the advisory board of The Document Foundation. "We believe that open standards are important to meet the needs that users have of the Government and that ODF plays an important role in helping to accomplish this," said John Strudwick, interim director of Design and Assurance of Services in the Government Digital Service. If that enthusiasm extends to running LibreOffice in government offices, we hope they have taken care to deactivate LibreLogo. ®
