9/9/2023

Mucommander open with linux

However, the captured content can be passed on through subsequent revisions and recipients. In some forms of the exploit, once information is captured, there are no further captures. The captured material is no use if the resulting saved document is not returned to someone who knows to look for it. The exploit requires that you open and use a document or template from an unreliable or unknown source (or that someone you do trust has managed to do this and sent the result to you).

WHO IS VULNERABLE AND WHAT TO DO IF YOU THINK YOU ARE

Saved PDF documents will also be exploit-free so long as the form of PDF that preserves the original ODF document as an "attachment" is not used. Saved HTML documents will, likewise, be stripped of any exploit. Using the converters that are part of, Apache OpenOffice, and LibreOffice is sufficient. Note that it is not necessary to have Microsoft Office. This only works if any loss of fidelity is tolerable of course. pptx, etc., and then brought back from those formats should not contain any exploit. That is a way to scrub suspicious documents and templates so long as any loss of fidelity is tolerable when going down-level and back.

Documents saved as. The suppliers of such products should be consulted directly for confirmation.

Documents saved as ODF 1.0/1.1 should not preserve any exploit. Some other supporters of ODF format have indicated that their products do not support the feature of ODF 1.2 format that is the carrier of the exploit. I suspect that documents containing the exploit can't pass through Google Docs, but I haven't tested it. Microsoft Office converters from ODF to Office (as used with Office 2003, for example) do not have the vulnerability. Microsoft Office 2007/2010 ODF support does not have the vulnerability. Lotus Symphony has never had the vulnerability. Pre-3.0 versions of OO.o should not have the vulnerability.

OTHER RELEASES/PRODUCTS THAT DO NOT HAVE THE VULNERABILITY

Any unpatched recent versions will continue to have the vulnerability until patched or replaced, of course. The latest (since March 1) Apache OpenOffice developer previews are free of the vulnerability.

All previous releases back to OO.o 3.0 presumably have the vulnerability (since that was the start of claimed ODF 1.2 support). The patched versions of OO.o 3.3.0 and Oracle OO.o-dev 3.4, are free of the vulnerability. Consult the site and blog for details.

All LibreOffice releases preceding those identified as repaired remain vulnerable. My understanding is that later (since January) LO 3.4.x releases have the fix as do the LO 3.5.x releases and release candidates. LibreOffice reported CVE-2012-0037 today concurrent with the agreed lifting of the embargo. If it is saved as ODF 1.0/1.1, there might also be no harm, although this case requires some testing to confirm.)

As was reported, it is relatively easy to craft an ODF 1.2 document that can exercise the exploit when opened by a vulnerable application.

Hamilton wrote: Here is my personal assessment around the CVE-2012-003 that was announced concurrent with a patch release for OpenOffice 3.3.0 today.

First, the vulnerability is related to use of ODF 1.2 document format in a manner that causes information from the user's computer to be covertly accessed and captured inside the document when it is saved.

Patch, and for porting it or adapting it to derivatives

Credit: The Apache OpenOffice project acknowledges and thanks the discoverer of this issue, Timothy D.

Source and Building: Information on obtaining the source code for this

This vulnerability is also fixed in Apache OpenOffice 3.4 dev

Mitigation: 3.3.0 and 3.4 beta users should install the

Data leakage then becomes possible when that document is later distributed to other parties.

Locally-accessible files into the ODF document, without the user's

By crafting an external entity to refer to other local file system resources, an attacker would be able to inject contents of other

In which external entities are processed in certain XML components of ODF documents.

Versions Affected: 3.3 and 3.4 Beta, on all platforms.

Description: An XML External Entity (XXE) attack is possible in the above versions of.

The patch is made available under the Apache License, and due to its importance, we are releasing it outside

CVE-2012-0037: data leakage vulnerability

Legacy users as a service by the Apache OpenOffice

Note: This security patch for is made available to

If someone else supports or manages your desktop, then please

Additional support is available on our Community Forums:

If you are an 3.3 user, and are able to apply the mentioned patch, then you are encouraged to do

Please note, this is the official security bulletin, targeted for