This vulnerability is about a side-loading exploit that will cause a malicious DLL to be used instead
of a standard one. That there is an avenue to a side-loading vulnerability by placing certain
documents in the same place as the DLL is an additional door being closed. Any Windows program
with an Open ... dialog could be subject to this attack if the search for DLLs is not restricted.
I have no insight on how LibreOffice does DLL searches and whether it had to be repaired since this
became a concern one year ago. You'd have to check the CVE lists for whether anything like that
had to be fixed in LibreOffice, and when. It might have already been fixed in OpenOffice.org
before the fork to LibreOffice.
- Dennis
(I had to deal with this too, but it is basically a "won't fix" in my case:
<http://odma.info/support/2010/08/X100801.htm>.)
-----Original Message-----
From: Tom Davies [mailto:tomdavies04@yahoo.co.uk]
Sent: Wednesday, September 14, 2011 13:42
To: users@global.libreoffice.org
Subject: [libreoffice-users] .Doc security risk in MS Office (and .Rtf)
Hi :)
LibreOffice is probably unaffected by this issue as it seems to take advantage of vulnerabilities
in MS Office. Apparently a slightly modified version of the exploit they suffered from last year
can cause them problems again but there is a security patch for it in the normal MS Office updates
and this time it is promised that it will really work, unlike the one from last year which they
also promised would fix it.
Quite why you would have DLL files in the same folder as a word-processor document or spreadsheet
is a bit beyond me. I am a bit disorganised at times but I don't think I ever managed it and it's
not the default! (unless you count the desktop or downloads folder where almost anything could be
dumped).
The ZdNet article about this gave some good links
http://www.zdnet.com/blog/security/ms-patch-tuesday-warning-opening-legitimate-doc-txt-files-brings-code-execution-risk/9399?tag=nl.e550
Such as this one
http://technet.microsoft.com/en-us/security/bulletin/ms11-072
Someone recently was saying that MS wanted to discourage or even stop the use of .doc to push people
into using their newer formats which only really work well on their newer products. All very
interesting timing or am I paranoid (or both)? Anyway, it's one more good reason (or 5 according
to that last link) for using LibreOffice.
Regards from
Tom :)
--
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
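
An added example, not part of either message above: a Python script that audits a folder tree for the condition the thread describes, a DLL sitting in the same directory as a document. The function name and the extension list (.doc and .rtf from the subject line, .txt from the linked article's title) are assumptions chosen for illustration.

```python
import os
import sys
from pathlib import Path

# Assumed document types: .doc/.rtf from the thread subject, .txt from the article title.
DOC_EXTS = {".doc", ".rtf", ".txt"}


def find_colocated_dlls(root, doc_exts=DOC_EXTS):
    """Return [(directory, [documents], [dlls])] for every directory under
    root that holds at least one document and at least one DLL."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs, dlls = [], []
        for name in sorted(filenames):
            ext = Path(name).suffix.lower()  # Windows file names are case-insensitive
            if ext == ".dll":
                dlls.append(name)
            elif ext in doc_exts:
                docs.append(name)
        # Only the combination matters: a DLL beside a document can be picked up
        # when the document is opened from that folder and the DLL search is unrestricted.
        if docs and dlls:
            findings.append((dirpath, docs, dlls))
    return sorted(findings)


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for directory, docs, dlls in find_colocated_dlls(start):
        print(f"{directory}: {', '.join(dlls)} beside {', '.join(docs)}")
```

Run it against the places Tom mentions, such as the desktop or downloads folder, where unrelated files tend to end up side by side.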