Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

LibreOffice Releases Software Update to Patch 3 New Vulnerabilities

The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.

Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros.

“An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted,” LibreOffice said in an advisory.

Also resolved is the use of a static initialization vector (IV) during encryption (CVE-2022-26306) that could have weakened the security should a bad actor have access to the user’s configuration information.

Lastly, the updates also resolve CVE-2022-26307, wherein the master key was poorly encoded, rendering the stored passwords susceptible to a brute-force attack if an adversary is in possession of the user configuration.

The three vulnerabilities, which were reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been addressed in LibreOffice versions 7.2.7, 7.3.2, and 7.3.3.

The patches come five months after the Document Foundation fixed another improper certificate validation bug (CVE-2021-25636) in February 2022. Last October, three spoofing flaws were patched that could be abused to alter documents to make them appear as if they are digitally signed by a trusted source.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari, the renowned Italian luxury car manufacturer, suffered a cyber incident that compromised the company’s client data. According to a…
ChatGPT Bug Exposes Conversation History Titles

ChatGPT Bug Exposes Conversation History Titles

A ChatGPT user on Reddit first reported the bug after noticing Chinese language characters in the title of their conversation…
Breach Forums to Remain Offline Permanently

Breach Forums to Remain Offline Permanently

The decision to shut down the Breach Forums came after the admin noticed someone had logged into an old forum…