The team behind LibreOffice has released security updates to address three security flaws in the productivity software, one of which could be exploited to achieve arbitrary code execution on affected systems.
Tracked as CVE-2022-26305, the issue has been described as a case of improper certificate validation when checking whether a macro is signed by a trusted author, leading to the execution of rogue code packaged within the macros.
“An adversary could consequently make an arbitrary certificate with a serial number and an issuer string similar to a trustworthy certificate which LibreOffice would present as belonging to the trustworthy writer, potentially leading the user to execute arbitrary code contained in macros improperly trusted,” LibreOffice stated in an advisory.
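The trust check described in the advisory, modelled as an added example (not LibreOffice code): a lookup keyed only on issuer string and serial number is compared with one keyed on a digest of the whole encoded certificate. The `Cert` class, the function names and all certificate values are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str      # label used only in this example
    issuer: str
    serial: int
    der: bytes     # stand-in for the full encoded certificate (constructed bytes)

    @property
    def fingerprint(self) -> str:
        # Digest over the entire encoding, so the public key is covered too.
        return hashlib.sha256(self.der).hexdigest()


# Constructed sample data: LOOKALIKE copies issuer and serial but has other contents.
TRUSTED = Cert("trusted", "CN=Example Macro CA", 0x1001, b"constructed-der:author-key")
LOOKALIKE = Cert("lookalike", "CN=Example Macro CA", 0x1001, b"constructed-der:other-key")
UNRELATED = Cert("unrelated", "CN=Other CA", 0x2002, b"constructed-der:unrelated-key")


def trusted_weak(cert, trust_list):
    """Weak form: issuer string and serial number are the only fields compared."""
    return any((cert.issuer, cert.serial) == (t.issuer, t.serial) for t in trust_list)


def trusted_strict(cert, trust_list):
    """Hardened form: the digest of the whole certificate must match a trusted entry."""
    return any(hmac.compare_digest(cert.fingerprint, t.fingerprint) for t in trust_list)


def audit(certs, trust_list):
    """Names of certificates the weak check accepts but the strict check rejects."""
    return [c.name for c in certs
            if trusted_weak(c, trust_list) and not trusted_strict(c, trust_list)]


if __name__ == "__main__":
    for c in (TRUSTED, LOOKALIKE, UNRELATED):
        print(c.name, trusted_weak(c, [TRUSTED]), trusted_strict(c, [TRUSTED]))
    print("disagreements:", audit([TRUSTED, LOOKALIKE, UNRELATED], [TRUSTED]))
```
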
Also fixed is the use of a static initialization vector (IV) during encryption (CVE-2022-26306) that could have weakened security should a bad actor have access to the user’s configuration information.
Lastly, the updates also address CVE-2022-26307, wherein the master key was improperly encoded, rendering the stored passwords susceptible to a brute-force attack if an adversary is in possession of the user configuration.
The three vulnerabilities, which were reported by OpenSource Security GmbH on behalf of the German Federal Office for Information Security, have been addressed in LibreOffice versions 7.2.7, 7.3.2, and 7.3.3.
The patches come five months after the Document Foundation fixed another improper certificate validation bug (CVE-2021-25636) in February 2022. Last October, three spoofing flaws were patched that could be abused to alter documents to make them appear as if they are digitally signed by a trusted source.
Some parts of this article are sourced from:
thehackernews.com