LibreOffice’s latest update addressed several vulnerabilities related to macro execution and web connection password protection. Developers included the patches in both stable (version 7.2) and unstable (version 7.3) channels of the product.
The latest release fixed three significant security flaws:
LibreOffice encompasses macro execution support and, by default, only allows users to run them if they’re signed by a trusted certificate or stored in a trusted file location. The app performs a cross-check to determine a certificate’s legitimacy and denies the macro execution if no matches are found.
Attackers could easily replicate a valid certificate from the user’s configuration database to circumvent this protection feature. LibreOffice versions 7.2.7 respectively 7.3.2 and later are no longer vulnerable to the Improper Certificate Validation flaw, as the feature was amended.
It’s worth noting that the CVE-2022-26305 flaw can’t be exploited if the user has no trusted certificates in their database or if their macro security level is set to “very high.” To review or change your macro security settings, follow these steps:
Tools
menuOptions
screenLibreOffice
menuSecurity
submenuMacro Security…
buttonSecurity Level
tab, set the level to Very High
OK
, Apply
, then OK
to save your configurationThe second flaw, tracked as CVE-2022-26306, weakened the master key’s encryption by using the same initialization vector. Perpetrators with access to the user’s configuration database could decrypt the master key. LibreOffice’s latest release implemented unique initialization vectors to strengthen encryption. Furthermore, the app now requires users to input their master password to re-encrypt old, vulnerable stored configuration data.
Finally, the third security flaw involved poor encoding that left master keys vulnerable to brute-forcing by lowering their entropy from 128-bit to 43-bit. As before, this flaw could only be exploited if the perpetrator had access to the user’s configuration database. The vulnerability has been patched for versions 7.2.7 (stable), 7.3.2 (unstable), and newer.
Microsoft also sought to curb macro-based attacks by disabling VBA macros by default in several of its products. While the tech giant went back and forth with its decision, it seems to have settled that turning off macros in the Office suite seems to be the better choice.
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024