{"id":3400,"date":"2021-10-12T18:29:32","date_gmt":"2021-10-12T12:59:32","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3400"},"modified":"2021-10-12T18:29:33","modified_gmt":"2021-10-12T12:59:33","slug":"openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/","title":{"rendered":"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs"},"content":{"rendered":"\n
<\/strong>LibreOffice and OpenOffice have launched the updates to address a vulnerability that makes it possible for a threat actor to manipulate documents to come assigned by authenticating sources.<\/p><\/p>\n\n\n\n
Although the severity of the bug is classified as balanced, the implications could be dire. The digital signature used in document macros are meant to help the user verify that document has not been warned and can be trusted.<\/p><\/p>\n\n\n\n
Discovery of the Flaw<\/strong><\/h2>\n\n\n\n
\u201cPermitting anyone to sign macro-ridden documents them, and makes them appear as trustworthy, is an excellent way to trick users into running malicious code.\u201d<\/p><\/p>\n\n\n\n
The discovery of the flaw, which is tracked as CVE-2021-41832 for OpenOffice, was the work of four researchers at the Ruhr University Bochum.<\/p><\/p>\n\n\n\n
A similar bug affects LibreOffice, which is a fork of OpenOffice generated from the main project over a decade ago, and their project is addressed as CVE-2021-25635.<\/p><\/p>\n\n\n\n
What is the Risk to be addressed?<\/strong><\/h2>\n\n\n\n
If you\u2019re using either of the open-source office suites, you\u2019re advised to upgrade to the latest available version immediately. For OpenOffice, that would be 4.1.10 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later.<\/p><\/p>\n\n\n\n
Since neither of these two applications offers auto-updating, you should do it manually by downloading the latest version from the respective download centers – LibreOffice, OpenOffice.<\/p><\/p>\n\n\n\n
If you\u2019re using Linux and the aforementioned versions aren\u2019t available on your distributions package manager yet, you are advised to download the \u201cdeb\u201d, or \u201crpm\u201d package from the Download center or build LibreOffice from the source.<\/p><\/p>\n\n\n\n
If updating to the latest version is not possible for any reason, you can always opt to completely disable the macro features on your office suite, or avoid trusting any documents containing macros. To set macro security on LibreOffice, go to Tools < Options < LibreOffice < Security, and click on \u2018Macro Security.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
In the new dialog, you may select among four distinct levels of security, with High or Very High being the recommended options.<\/p><\/p>\n\n\n\n
In case you are still running an old and vulnerable version, you should not rely on the authenticated list functionality as an invalid signature algorithm could still make a fortified document appear as it comes from a trusted source.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
LibreOffice and OpenOffice have launched the updates to address a vulnerability that makes it possible for a threat actor to manipulate documents to come assigned by authenticating sources. Although the severity of the bug is classified as balanced, the implications could be dire. The digital signature used in document macros are meant to help the […]<\/p>\n","protected":false},"author":2,"featured_media":3404,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"yoast_head":"\n
OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\" LibreOffice and OpenOffice have launched the updates to address a vulnerability that makes it possible for a threat actor to manipulate documents to come assigned by authenticating sources. Although the severity of the bug is classified as balanced, the implications could be dire. The digital signature used in document macros are meant to help the […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-12T12:59:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-12T12:59:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/OpenOffice-LibreOffice-flaw-Permits-Attackers-to-Spoof-Signed-Docs-featured-image-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs\",\"datePublished\":\"2021-10-12T12:59:32+00:00\",\"dateModified\":\"2021-10-12T12:59:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/\"},\"wordCount\":376,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/\",\"url\":\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/\",\"name\":\"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-10-12T12:59:32+00:00\",\"dateModified\":\"2021-10-12T12:59:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/","og_locale":"en_US","og_type":"article","og_title":"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs - Xiarch Solutions Private Limited","og_description":" LibreOffice and OpenOffice have launched the updates to address a vulnerability that makes it possible for a threat actor to manipulate documents to come assigned by authenticating sources. Although the severity of the bug is classified as balanced, the implications could be dire. The digital signature used in document macros are meant to help the […]","og_url":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-10-12T12:59:32+00:00","article_modified_time":"2021-10-12T12:59:33+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/OpenOffice-LibreOffice-flaw-Permits-Attackers-to-Spoof-Signed-Docs-featured-image-1.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs","datePublished":"2021-10-12T12:59:32+00:00","dateModified":"2021-10-12T12:59:33+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/"},"wordCount":376,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/","url":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/","name":"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-10-12T12:59:32+00:00","dateModified":"2021-10-12T12:59:33+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/openoffice-libreoffice-flaw-permits-attackers-to-spoof-signed-docs\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"OpenOffice, LibreOffice flaw Permits Attackers to Spoof Signed Docs"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3400"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3400"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3400\/revisions"}],"predecessor-version":[{"id":3406,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3400\/revisions\/3406"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3404"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"OpenOffice-LibreOffice-flaw-Permits-Attackers-to-Spoof-Signed-Docs-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/OpenOffice-LibreOffice-flaw-Permits-Attackers-to-Spoof-Signed-Docs-image1-1-1024x465.jpg\")
<\/figure><\/div>\n\n\n\n