1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Malicious documents can hijack Apache OpenOffice

    From TechnologyDaily@1337:1/100 to All on Tue Sep 21 11:45:03 2021
    Malicious documents can hijack Apache OpenOffice

    Date:
    Tue, 21 Sep 2021 10:28:55 +0000

    Description:
    Vulnerability has managed to evade detection for several years.

    FULL STORY ======================================================================

    Cybersecurity researchers have discovered a remote code execution (RCE) vulnerability in Apache OpenOffice (AOO) , which can be abused through a malicious file to execute malware on the machine.

    The vulnerability tracked as CVE-2021-33035 was highlighted by Eugene Lim at HackerOne's Hacktivity online conference, who has just started foraying into vulnerability research.

    AOO isnt as widely used as its other open source fork, LibreOffice , and had its last official release back in May. Still, the office suite has clocked hundreds of millions of downloads, leaving virtually all users vulnerable. Heres our roundup of the best laptops for programming Check our list of these best Python courses Start your web development journey with these best HTML courses

    Interestingly, while the app's source code has been patched, The Register reports that the fix has only been made available as beta software.

    "We endeavor to roll the release for Apache OpenOffice 4.1.11 within the month, hopefully sooner, and publish the CVE-2021-33035 before the release," said Dave Fisher, on behalf of the AOO Project Management Committee (PMC), in a statement to The Register . Escaping scrutiny

    Instead of focussing on a particular software, Lim was advised to direct his attention on file formats. A quick search led him to the dBase database file (DBF) format, which was created over four decades ago, but is still used as a data storage mechanism by modern apps such as Microsoft Office, LibreOffice, and AOO.

    In a technical blog sharing details about the vulnerability, Lim explains how he was able to find the RCE bug in DBF without too much effort.

    This begged the question: why did no one discover this bug earlier? As an open-source program, OpenOffice would undoubtedly have been automatically scanned by various static code analysers, which would have easily picked up the unsafe memcpy, writes Lim.

    A little research led him to the code analysis platform that runs tests on open source projects, which has tagged AOO as a Python and JavaScript
    project, and not as a C++, leading to the scanner missing the vulnerability.

    This demonstrates the importance of sanity-checking automated static analysis tools; if your tools dont know the code exists, it cant find those vulnerabilities, explains Lim. These are the best JavaScript courses
    currently available

    Via The Register



    ======================================================================
    Link to news story: https://www.techradar.com/news/apache-openoffice-can-be-hijacked-by-malicious- documents-fix-still-in-beta/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)