LibreOffice handlers defend suite's security after 'unfortunately partial' patch
When is a macro not a macro? When it comes with the product, apparently
Interview The Document Foundation, custodian of LibreOffice, has defended the suite's security after attempts to patch a code execution flaw turned out to be "partial".
"So far in the story of LibreOffice we have been able to patch all security issues before they reached the end user," a spokesperson told The Reg. "For this last one we have a patch for version 6.2.5 which is unfortunately partial because there are other ways to trigger the vulnerability. This is going to be patched in version 6.3, which is out next week, and in 6.2.6."
The issue relates to the LibreLogo feature, which converts simple graphics-drawing instructions in the document into Python to run. By hooking up the LibreLogo Run command to document events, arbitrary Python code can be made to execute automatically. This code can then run system commands to take over the computer.
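As an added example (not code from the article or from the LibreOffice project), here is a defender-side check that opens an ODF package, lists every document-event script binding it declares, and flags those pointing at LibreLogo; the sample package, its event name and the script href are constructed here for illustration and are assumptions about the binding form, not values taken from the article.

```python
"""Flag ODF documents whose document events are bound to scripts such as LibreLogo."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
# Package parts that may carry <office:event-listeners>.
XML_PARTS = ("content.xml", "styles.xml")


def find_script_listeners(odf_bytes):
    """Return one record per <script:event-listener> found in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in XML_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter(f"{{{NS_SCRIPT}}}event-listener"):
                href = el.get(f"{{{NS_XLINK}}}href", "")
                hits.append({
                    "part": part,
                    "event": el.get(f"{{{NS_SCRIPT}}}event-name", ""),
                    "href": href,
                    # Script bindings use the vnd.sun.star.script: URI scheme (assumed form);
                    # a LibreLogo target is the case the article describes.
                    "script_uri": href.startswith("vnd.sun.star.script:"),
                    "librelogo": "librelogo" in href.lower(),
                })
    return hits


def build_sample_odt():
    """Constructed sample package (not a real document) with one event listener."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        f'xmlns:script="{NS_SCRIPT}" xmlns:xlink="{NS_XLINK}">'
        '<office:scripts><office:event-listeners>'
        '<script:event-listener script:event-name="dom:load" xlink:type="simple" '
        'xlink:href="vnd.sun.star.script:LibreLogo|LibreLogo.py$run?language=Python"/>'
        '</office:event-listeners></office:scripts><office:body/></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_script_listeners(build_sample_odt()):
        print(hit)  # a LibreLogo-bound listener is reported with librelogo=True
```

Any listener with `script_uri` set deserves review before the document is opened on a build that still ships LibreLogo; a clean document reports no listeners at all.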
According to this advisory last month, CVE-2019-9848 was disclosed to the LibreOffice team on 4 June, was believed to be fixed with the release of version 6.2.5 on 1 July, and was disclosed to the public on 26 July. A few days later, though, users noticed that the flaw was still present.
We asked the foundation why version 6.1.6, known to be vulnerable, remained prominent on the download page, and in fact recommended for business users. "We maintain two versions and for enterprise deployments we suggest the older one because it is more tested," we were told.
Shortly after our interview, the foundation said that version 6.1.6 had been removed from its prominent position – though that is of limited comfort, since 6.2.5 is little better: it is still vulnerable.
Another issue is why LibreOffice built-in macros still execute without prompting even when macro security is set to the highest level. "The problem in this case is not a macro, it's a program that triggers Python," we were told. "The LibreOffice default setting will not run any kind of macro. The next patch will cover all the potential ways of triggering LibreLogo, but we are also evaluating transforming LibreLogo into an extension, to be more secure."
Despite this claim, the LibreLogo Run command certainly looks like a macro. It is in the LibreOffice library, where it is listed under "LibreOffice Macros". That said, these are not user macros. "These run because they are part of the LibreOffice installation. They have been there for years and they have not given issues." Many of them, we were told, "have been there since OpenOffice times" – referring to the fact that LibreOffice was a fork from what is now Apache OpenOffice.
Unfortunately, the age of the code is no proof of its security. It also seems questionable that these macros bypass security settings, though we were also told that they "were double-checked at the time of CVE-2018-16858, where it was known that built-in scripts could be called silently from document event handlers". This earlier vulnerability was reported in November 2018.
The foundation maintains that it has high security standards. "Although we are an open-source project we have well over 100 million users, probably close to 200 million users. We have a group of specialists that handle security, exactly as this is done for a company like Microsoft. We have people working in companies like Red Hat that take care of LibreOffice security. We use a number of tools, like Coverity Scan, as one of the sources of information of potential vulnerabilities. We also work with security labs that do penetration tests. If you look at a database of vulnerabilities you will see that the number which affect LibreOffice is rather limited.
"ODM (OpenDocument) files are far more secure than Microsoft Office files, because they are cleaner, easier to understand, and more consistent."
What happens now? In a couple of weeks, all going well, both current versions will be replaced with fixed releases. In the meantime, the advice is to disable LibreLogo: switch it off immediately if it's bundled with your LibreOffice build.
"The suggestion to users is always to be very careful about what they open," the foundation added. This is true, of course, but malicious emails can look convincing, and inevitably not all users will follow best practice.
The episode has cast a cloud over news that the UK government has joined The Document Foundation's advisory board. "We believe that open standards are important in meeting the needs that users have of Government and that ODF plays a big role in helping to deliver this," said John Strudwick, interim director for Service Design and Assurance at the Government Digital Service. If that enthusiasm extends to running LibreOffice in government offices, we hope they took care to disable LibreLogo. ®