RE: [libreoffice-users] .Doc security risk in MS Office (and .Rtf)

This vulnerability is about a side-loading exploit that will cause a malicious DLL be used instead 
of a standard one.  That there is an avenue to a side-loading vulnerability by placing certain 
documents in the same place as the DLL is an additional door being closed.  Any Windows program 
with an Open ... dialog could be subject to this attack if the search for DLLs is not restricted.

I have no insight on how LibreOffice does DLL searches and whether it had to be repaired since this 
became a concern one year ago.  You'd have to check the CVE lists for whether anything like that 
had to be fixed in LibreOffice, and when.  It might have already been fixed in OpenOffice.org 
before the fork to LibreOffice.

 - Dennis

(I had to deal with this too, but it is basically a "won't fix" in my case: 
<http://odma.info/support/2010/08/X100801.htm>.)


-----Original Message-----
From: Tom Davies [mailto:tomdavies04@yahoo.co.uk] 
Sent: Wednesday, September 14, 2011 13:42
To: users@global.libreoffice.org
Subject: [libreoffice-users] .Doc security risk in MS Office (and .Rtf)

Hi :)
LibreOffice is probably unaffected by this issue as it seems to take advantage of vulnerabilities 
in MS Office.  Apparently a slightly modified version of the exploit  they suffered from last year 
can cause them problems again but there is a security patch for it in the normal MS Office updates 
and this time it is promised that it will really work, unlike the one from last year which they 
also promised would fix it.  

Quite why you would have DLL files in the same folder as a word-processor document or spreadsheet 
is a bit beyond me.  I am a bit disorganised at times but i don't think i ever managed it and it's 
not the default!  (unless you count the desktop or downloads folder where almost anything could be 
dumped).  

The ZdNet article about this gave some good links
http://www.zdnet.com/blog/security/ms-patch-tuesday-warning-opening-legitimate-doc-txt-files-brings-code-execution-risk/9399?tag=nl.e550
Such as this one
http://technet.microsoft.com/en-us/security/bulletin/ms11-072

Someone recently was saying the MS wanted to discourage or even stop the use of .doc to push people 
into using their newer formats which only really work well on their newer products.  All very 
interesting timing or am i paranoid (or both)?  Anyway, it's one more good reason (or 5 according 
to that last link) for using LibreOffice.  
Regards from
Tom :)

-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted


-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted