LibreOffice Releases Software Update to Patch 3 New Vulnerabilities

Cyber Security

Products You May Like

The team behind LibreOffice has released security updates to fix three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.

Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros.

CyberSecurity

“An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted,” LibreOffice said in an advisory.

Also resolved is the use of a static initialization vector (IV) during encryption (CVE-2022-26306) that could have weakened the security should a bad actor have access to the user’s configuration information.

Lastly, the updates also resolve CVE-2022-26307, wherein the master key was poorly encoded, rendering the stored passwords susceptible to a brute-force attack if an adversary is in possession of the user configuration.

CyberSecurity

The three vulnerabilities, which were reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been addressed in LibreOffice versions 7.2.7, 7.3.2, and 7.3.3.

The patches come five months after the Document Foundation fixed another improper certificate validation bug (CVE-2021-25636) in February 2022. Last October, three spoofing flaws were patched that could be abused to alter documents to make them appear as if they are digitally signed by a trusted source.

Products You May Like

Articles You May Like

Scientists Uncover Invisible Ambipolar Electric Field Around Earth for First Time, New Study Reveals
Here’s How AI is Helping Astronomers to Understand Universe’s Fundamental Parameters
North Korean Hackers Target Developers with Malicious npm Packages
Apple and Google wallets want to help make the hotel room key card obsolete
New Cyberattack Targets Chinese-Speaking Businesses with Cobalt Strike Payloads

Leave a Reply

Your email address will not be published. Required fields are marked *