LibreOffice fixes virus-friendly Word import flaw
Free and clear
LibreOffice users ought to update their software: a security hole has been discovered in the code used to import Microsoft Word documents into the open-source productivity suite. The latest version of the software contains a fix for the problem.
A memory corruption-related vulnerability in the import code creates a possible mechanism for virus writers to inject hostile code into vulnerable systems, developers at The Document Foundation warn. The bug was discovered by RedHat security researcher Huzaifa Sidhpurwala and fixed with version 3.4.3 of the package.
LibreOffice 3.4.3 also addresses lesser security problems involving loading Windows Metafile (.wmf) and Windows Enhanced Metafile (.emf) images into documents.
An advisory from LibreOffice on the vulnerability can be found here. ®
Vulnerabilities, huh? I've seen they've taken Microsoft Word compatibility one step too far.
Shame that in order to update you have to download the full 150MB thing and re-install.
Hopefully LibreOffice will one day implement an auto-update system which doesn't require manually downloading and re-installing. And instead just updates the changed components.
Doesn't sound hugely serious
Unless you worked for a company which was known to use LibreOffice, the chances of receiving a tainted .doc file with the express intent you open it up in another produce seems pretty low.
It would be nice if LibreOffice did implement a patch based update system. Such things exist. There should be no reason to have to have to download a 150Mb product and go through a full reinstall just to fix a handful of files.