Posted to users@openoffice.apache.org by "Dennis E. Hamilton" <de...@acm.org> on 2012/03/23 05:46:07 UTC

Implications for security vulnerability (CVE-2012-0037)

Here is my personal assessment around the CVE-2012-0037 that was announced concurrent with a patch release for OpenOffice 3.3.0 today.

First, the vulnerability is related to use of ODF 1.2 document format in a manner that causes information from the user's computer to be covertly accessed and captured inside the document when it is saved.  (If it is not saved, there is no harm.  If it is saved as ODF 1.0/1.1, there might also be no harm, although this case requires some testing to confirm.)

As was reported, it is relatively easy to craft an ODF 1.2 document that can exercise the exploit when opened by a vulnerable application.

THE EXTENT OF THE VULNERABILITY

LibreOffice reported CVE-2012-0037 today concurrent with the agreed lifting of the embargo.

My understanding is that later (since January) LO 3.4.x releases have the fix as do the LO 3.5.x releases and release candidates.  Consult the LibreOffice.org site and blog for details.

All LibreOffice releases preceding those identified as repaired remain vulnerable.

The patched versions of OO.o 3.3.0 and Oracle OO.o-dev 3.4 are free of the vulnerability.  The latest (since March 1) Apache OpenOffice developer previews are free of the vulnerability.

All previous OpenOffice.org releases back to OO.o 3.0 presumably have the vulnerability (since that was the start of claimed ODF 1.2 support).  Any unpatched recent versions will continue to have the vulnerability until patched or replaced, of course.  

OTHER RELEASES/PRODUCTS THAT DO NOT HAVE THE VULNERABILITY

Pre-3.0 versions of OO.o should not have the vulnerability.

Lotus Symphony has never had the vulnerability.

Microsoft Office 2007/2010 ODF support does not have the vulnerability.  Microsoft Office converters from ODF to Office (as used with Office 2003, for example) do not have the vulnerability.  

I suspect that documents containing the exploit can't pass through Google Docs, but I haven't tested it.  I doubt that they are vulnerable though.

Some other supporters of ODF format have indicated that their products do not support the feature of ODF 1.2 format that is the carrier of the exploit.  The suppliers of such products should be consulted directly for confirmation.

DOCUMENTS NOT HAVING THE EXPLOIT

Documents saved as ODF 1.0/1.1 should not preserve any exploit.  That is a way to scrub suspicious documents and templates so long as any loss of fidelity is tolerable when going down-level and back.
 
Documents saved as .doc, .rtf, .docx, .xls, .xlsx, .ppt, .pptx, etc., and then brought back from those formats should not contain any exploit.  This only works if any loss of fidelity is tolerable of course.  Note that it is not necessary to have Microsoft Office.  Using the converters that are part of OpenOffice.org, Apache OpenOffice, and LibreOffice is sufficient.  

Saved HTML documents will, likewise, be stripped of any exploit.  Saved PDF documents will also be exploit-free so long as the form of PDF that preserves the original ODF document as an "attachment" is not used.

WHO IS VULNERABLE AND WHAT TO DO IF YOU THINK YOU ARE

The exploit requires that you open and use a document or template from an unreliable or unknown source (or that someone you do trust has managed to do this and sent the result to you).  The captured material is no use if the resulting saved document is not returned to someone who knows to look for it.  In some forms of the exploit, once information is captured, there are no further captures.  However, the captured content can be passed on through subsequent revisions and recipients.  That is, there may be perpetuation of covertly-captured residue.

Fortunately, the exploit involves a feature that is not required for the correct processing of most ODF documents (which is also why success of the exploit is easily unnoticed).  So extinguishing the feature from a document, while heavy handed, rarely does any harm.

If you have any doubt concerning ODF documents in your possession, you can exercise some of the remedies in the previous section, involving saving the document in different formats and then re-opening it from those formats.

If you are unable to patch your system or want to ensure that documents you already have do not carry any exploit, you can also clean up the ODF package using a Zip utility.  It is also possible to produce a utility that can automatically scrub most ODF packages of any potentially-suspect content.  

 - Dennis




---------------------------------------------------------------------
To unsubscribe, e-mail: ooo-users-unsubscribe@incubator.apache.org
For additional commands, e-mail: ooo-users-help@incubator.apache.org
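
A checking utility of the kind the message above says is possible, added here as an example; it is not code from the thread or from any OpenOffice project. It assumes, from the public advisories for CVE-2012-0037 rather than from the post, that the carrier is an external entity declaration in an XML or RDF part of the package; `scan_odf`, `build_sample` and the sample contents are hypothetical and constructed.

```python
import io
import re
import zipfile

# External general or parameter entity: <!ENTITY [%] name SYSTEM|PUBLIC ...>
EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?([^\s>]+)\s+(?:SYSTEM|PUBLIC)\b")
XML_SUFFIXES = (".xml", ".rdf")
MAX_MEMBER = 16 * 1024 * 1024  # refuse to inflate oversized members


def scan_odf(package: bytes) -> list[tuple[str, str]]:
    """Return (member, entity_name) for every external entity declared in
    an XML or RDF member of the ODF (Zip) package passed as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            if info.file_size > MAX_MEMBER:
                findings.append((info.filename, "<not scanned: too large>"))
                continue
            data = zf.read(info)
            # Re-encode UTF-16 members so the byte pattern still applies.
            if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
                data = data.decode("utf-16", "replace").encode("utf-8")
            for match in EXTERNAL_ENTITY.finditer(data):
                name = match.group(1).decode("utf-8", "replace")
                findings.append((info.filename, name))
    return findings


def build_sample(with_entity: bool) -> bytes:
    """Constructed sample package (not a real document)."""
    rdf = b'<?xml version="1.0"?>\n'
    if with_entity:
        rdf += (b'<!DOCTYPE r [<!ENTITY probe SYSTEM '
                b'"file:///constructed/placeholder">]>\n')
    rdf += b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", b'<?xml version="1.0"?><doc/>')
        zf.writestr("manifest.rdf", rdf)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_odf(build_sample(False)), scan_odf(build_sample(True)))
```

Parts encrypted with ODF's own password protection cannot be inspected this way, and an empty result says nothing about entities defined in an external DTD.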


Re: Implications for security vulnerability (CVE-2012-0037)

Posted by drew <dr...@baseanswers.com>.
On Fri, 2012-03-23 at 12:53 -0700, John Boyle wrote:
> On 3/23/2012 12:43 PM, Dennis E. Hamilton wrote:
> > For patches to OO.o 3.3.0 on Windows and Mac OS, go here:<http://www.openoffice.org/security/cves/CVE-2012-0037.html>.
> >
> > If you are running OO.o 3.3.0 on Linux, there is no separate patch at this time.  Some folks are working on that.
> >
> >   - Dennis
> >
> > -----Original Message-----
> > From: John Boyle [mailto:jboyle@harbornet.com]
> > Sent: Friday, March 23, 2012 11:10
> > To: ooo-users@incubator.apache.org
> > Subject: Re: Implications for security vulnerability (CVE-2012-0037)
> >
> > On 3/22/2012 9:46 PM, Dennis E. Hamilton wrote:
> > [ ... ]
> > To Users: Where does one get the patch? I mean just in case?:-)
> >
> > [ ... ]
> >
> >
> to Dennis Hamilton and users: I went to the site listed and it says I do 
> not have permission to get the information for the patch! So now what do 
> I do?:-)

Hi John,

So, you tried to download the file and hit a snag. Was it the Windows
or Mac download, and specifically which mirror?

Earlier in the day one of the mirror sites was experiencing difficulty,
throwing a Forbidden Access 404 error; the link to that site was removed
from the directory page. Still, if you can show which mirror link you
received the error from it would help; otherwise any of the other
mirrors should work without problems.

Let me know and I'll help get the file to you.

//drew

> 


Re: Implications for security vulnerability (CVE-2012-0037)

Posted by John Boyle <jb...@harbornet.com>.
On 3/23/2012 12:43 PM, Dennis E. Hamilton wrote:
> For patches to OO.o 3.3.0 on Windows and Mac OS, go here:<http://www.openoffice.org/security/cves/CVE-2012-0037.html>.
>
> If you are running OO.o 3.3.0 on Linux, there is no separate patch at this time.  Some folks are working on that.
>
>   - Dennis
>
> -----Original Message-----
> From: John Boyle [mailto:jboyle@harbornet.com]
> Sent: Friday, March 23, 2012 11:10
> To: ooo-users@incubator.apache.org
> Subject: Re: Implications for security vulnerability (CVE-2012-0037)
>
> On 3/22/2012 9:46 PM, Dennis E. Hamilton wrote:
> [ ... ]
> To Users: Where does one get the patch? I mean just in case?:-)
>
> [ ... ]
>
>
to Dennis Hamilton and users: I went to the site listed and it says I do 
not have permission to get the information for the patch! So now what do 
I do?:-)



RE: Implications for security vulnerability (CVE-2012-0037)

Posted by "Dennis E. Hamilton" <de...@acm.org>.
For patches to OO.o 3.3.0 on Windows and Mac OS, go here: <http://www.openoffice.org/security/cves/CVE-2012-0037.html>.  

If you are running OO.o 3.3.0 on Linux, there is no separate patch at this time.  Some folks are working on that.  

 - Dennis  

-----Original Message-----
From: John Boyle [mailto:jboyle@harbornet.com] 
Sent: Friday, March 23, 2012 11:10
To: ooo-users@incubator.apache.org
Subject: Re: Implications for security vulnerability (CVE-2012-0037)

On 3/22/2012 9:46 PM, Dennis E. Hamilton wrote:
[ ... ]
To Users: Where does one get the patch? I mean just in case?:-)

[ ... ]




Re: Implications for security vulnerability (CVE-2012-0037)

Posted by John Boyle <jb...@harbornet.com>.
On 3/22/2012 9:46 PM, Dennis E. Hamilton wrote:
> Here is my personal assessment around the CVE-2012-0037 that was announced concurrent with a patch release for OpenOffice 3.3.0 today.
>
> First, the vulnerability is related to use of ODF 1.2 document format in a manner that causes information from the user's computer to be covertly accessed and captured inside the document when it is saved.  (If it is not saved, there is no harm.  If it is saved as ODF 1.0/1.1, there might also be no harm, although this case requires some testing to confirm.)
>
> As was reported, it is relatively easy to craft an ODF 1.2 document that can exercise the exploit when opened by a vulnerable application.
>
> THE EXTENT OF THE VULNERABILITY
>
> LibreOffice reported CVE-2012-0037 today concurrent with the agreed lifting of the embargo.
>
> My understanding is that later (since January) LO 3.4.x releases have the fix as do the LO 3.5.x releases and release candidates.  Consult the LibreOffice.org site and blog for details.
>
> All LibreOffice releases preceding those identified as repaired remain vulnerable.
>
> The patched versions of OO.o 3.3.0 and Oracle OO.o-dev 3.4 are free of the vulnerability.  The latest (since March 1) Apache OpenOffice developer previews are free of the vulnerability.
>
> All previous OpenOffice.org releases back to OO.o 3.0 presumably have the vulnerability (since that was the start of claimed ODF 1.2 support).  Any unpatched recent versions will continue to have the vulnerability until patched or replaced, of course.
>
> OTHER RELEASES/PRODUCTS THAT DO NOT HAVE THE VULNERABILITY
>
> Pre-3.0 versions of OO.o should not have the vulnerability.
>
> Lotus Symphony has never had the vulnerability.
>
> Microsoft Office 2007/2010 ODF support does not have the vulnerability.  Microsoft Office converters from ODF to Office (as used with Office 2003, for example) do not have the vulnerability.
>
> I suspect that documents containing the exploit can't pass through Google Docs, but I haven't tested it.  I doubt that they are vulnerable though.
>
> Some other supporters of ODF format have indicated that their products do not support the feature of ODF 1.2 format that is the carrier of the exploit.  The suppliers of such products should be consulted directly for confirmation.
>
> DOCUMENTS NOT HAVING THE EXPLOIT
>
> Documents saved as ODF 1.0/1.1 should not preserve any exploit.  That is a way to scrub suspicious documents and templates so long as any loss of fidelity is tolerable when going down-level and back.
>
> Documents saved as .doc, .rtf, .docx, .xls, .xlsx, .ppt, .pptx, etc., and then brought back from those formats should not contain any exploit.  This only works if any loss of fidelity is tolerable of course.  Note that it is not necessary to have Microsoft Office.  Using the converters that are part of OpenOffice.org, Apache OpenOffice, and LibreOffice is sufficient.
>
> Saved HTML documents will, likewise, be stripped of any exploit.  Saved PDF documents will also be exploit-free so long as the form of PDF that preserves the original ODF document as an "attachment" is not used.
>
> WHO IS VULNERABLE AND WHAT TO DO IF YOU THINK YOU ARE
>
> The exploit requires that you open and use a document or template from an unreliable or unknown source (or that someone you do trust has managed to do this and sent the result to you).  The captured material is no use if the resulting saved document is not returned to someone who knows to look for it.  In some forms of the exploit, once information is captured, there are no further captures.  However, the captured content can be passed on through subsequent revisions and recipients.  That is, there may be perpetuation of covertly-captured residue.
>
> Fortunately, the exploit involves a feature that is not required for the correct processing of most ODF documents (which is also why success of the exploit is easily unnoticed).  So extinguishing the feature from a document, while heavy handed, rarely does any harm.
>
> If you have any doubt concerning ODF documents in your possession, you can exercise some of the remedies in the previous section, involving saving the document in different formats and then re-opening it from those formats.
>
> If you are unable to patch your system or want to ensure that documents you already have do not carry any exploit, you can also clean up the ODF package using a Zip utility.  It is also possible to produce a utility that can automatically scrub most ODF packages of any potentially-suspect content.
>
>   - Dennis
>
>
>
>
To Users: Where does one get the patch? I mean just in case?:-)
