LibreOffice and OpenOffice have pushed updates to fix a vulnerability that allows an attacker to manipulate documents to appear as signed by a trusted source.
Although the severity of the flaw is classified as moderate, the implications could be dire. Digital signatures used in document macros are intended to help the user verify that the document has not been edited and can be trusted.
“Allowing anyone to sign documents containing macros themselves and make them appear trustworthy is a great way to trick users into executing malicious code.”
The discovery of the flaw, which is identified as CVE-2021-41832 for OpenOffice, was the work of four researchers from the Ruhr University in Bochum.
The same flaw affects LibreOffice, which forked from the OpenOffice project more than ten years ago, where it is tracked as CVE-2021-25635.
Face the risk
If you are using any of the open source office suites, you are advised to upgrade to the latest version immediately. For OpenOffice it would be 4.1.10 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later.
Since neither of these two apps offers automatic updating, you have to do it manually by downloading the latest version from the respective download centers – LibreOffice, OpenOffice.
If you are using Linux and the aforementioned versions are not yet available on your distribution’s package manager, you are advised to download the “deb” or “rpm” package from the Download Center or compile LibreOffice from the sources.
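For anyone who has to verify the upgrade across more than a handful of machines, the following added example (not code from the article or from either project) encodes the fixed releases named above as a branch-aware version check, and also reads the macro security level out of a LibreOffice user profile. The fixed-version table comes from the article; the `MacroSecurityLevel` key under `/org.openoffice.Office.Common/Security/Scripting` in `registrymodifications.xcu` is assumed to be the setting the Tools → Options dialog writes (0 = Low, 1 = Medium, 2 = High, 3 = Very High), so confirm it against your own install before relying on it. The sample `.xcu` document is constructed for the example.

```python
"""Fleet check for CVE-2021-25635 (LibreOffice) / CVE-2021-41832 (OpenOffice):
is an installed build at or past the fixed release, and is the macro
security level at least High?"""
import re
import xml.etree.ElementTree as ET

# Fixed releases as stated in the article. LibreOffice was fixed on two
# branches, so a build is safe if it is >= 7.0.5 on the 7.0 branch,
# >= 7.1.1 on the 7.1 branch, or on any later branch.
FIXED = {
    "libreoffice": [(7, 0, 5), (7, 1, 1)],
    "openoffice": [(4, 1, 10)],
}

# Assumed mapping of the MacroSecurityLevel values to the dialog's labels.
LEVEL_NAMES = {0: "Low", 1: "Medium", 2: "High", 3: "Very High"}
OOR = "{http://openoffice.org/2001/registry}"
SCRIPTING_PATH = "/org.openoffice.Office.Common/Security/Scripting"


def parse_version(text):
    """Extract the first x.y.z version from a string such as
    'LibreOffice 7.0.5.2' and return it as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(product, version):
    """True if this product/version is at or past a fixed release.
    Versions on a branch older than any fixed branch (e.g. 6.4.x) are
    vulnerable; versions on a newer branch (e.g. 7.2.x) are fixed."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    branches = FIXED[product.lower()]
    newest_branch = max(b[:2] for b in branches)
    if v[:2] > newest_branch:
        return True
    for fix in branches:
        if v[:2] == fix[:2]:
            return v >= fix  # same branch: compare the patch level
    return False


def macro_security_level(xcu_text):
    """Return the MacroSecurityLevel stored in a registrymodifications.xcu
    document, or None if the user never changed it from the default."""
    root = ET.fromstring(xcu_text)
    for item in root.iter("item"):
        if item.get(OOR + "path") != SCRIPTING_PATH:
            continue
        for prop in item.findall("prop"):
            if prop.get(OOR + "name") == "MacroSecurityLevel":
                value = prop.find("value")
                if value is not None and value.text:
                    return int(value.text.strip())
    return None


def assess(product, version, xcu_text):
    """Combine both checks into one verdict for a single install."""
    level = macro_security_level(xcu_text)
    return {
        "patched": is_fixed(product, version),
        "macro_level": None if level is None else LEVEL_NAMES.get(level, str(level)),
        # High or Very High is what the article recommends.
        "macro_policy_ok": level is not None and level >= 2,
    }


# Constructed sample of a user profile that has Very High selected.
SAMPLE_XCU = """<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.Common/Security/Scripting">
<prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>3</value></prop>
</item>
</oor:items>"""

if __name__ == "__main__":
    print(assess("LibreOffice", "LibreOffice 7.1.0.3", SAMPLE_XCU))
    print(assess("OpenOffice", "4.1.10", SAMPLE_XCU))
```

The branch logic matters: a naive "is the version at least 7.0.5" test would pass 7.1.0, which is on the 7.1 branch and still vulnerable according to the versions given above.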
If updating to the latest version is not possible for some reason, you can always choose to completely disable macro features on your office suite, or avoid trusting documents that contain macros.
To set macro security on LibreOffice, go to Tools → Options → LibreOffice → Security, and click on “Macro security”.
In the new dialog box, you can choose from four distinct security levels, High or Very High being the recommended options.
If you are still using an old and vulnerable version, you should not rely on the “trusted list” feature, as a signature using an invalid algorithm could still make a document appear to come from a trusted source.