Re: [libreoffice-users] Is version 4.1.6.2 insecure?

Cley Faye <cleyfaye -AT- gmail.com>
Sat, 12 Jul 2014 21:56:05 +0200

It might be related to this:
https://www.libreoffice.org/about-us/security/advisories/cve-2014-0247/

In this regard, it might be insecure because a macro can get executed even
if the user settings should prevent it to happen.

Regarding the "insecure" aspect, well... macro are a programming language,
and as such can do nasty things by themselves, or expose other
vulnerabilities (that's why their use is usually discouraged). If you only
open documents from "safe, known and reliable sources" the impact should be
minimal, but it's better to be on the side safe of things by updating.

-- 
Cley Faye
http://cleyfaye.net


2014-07-12 19:38 GMT+02:00 Jay Lozier <jslozier@gmail.com>:


On 07/12/2014 05:55 AM, . wrote:

To whom it may concern:

LibreOffice 4.1.6.2 is detected as insecure by Secunia PSI. Advisory
SA57383 (Macro Vulnerability). Would you be so kind as to let me know why
this stable version is insecure, but the fresh version 4.2.5 is secure?
Thank you for your timely effort.

 Can you supply more details. Secunia has a paywall.


Macros are a well know security hole in all office suites. They
potentially allow arbitrary code to be run on an end users computer when
the file is opened. For older MS office suites, the default was to run all
macros when the file is opened. Recent (after 2005 or so) the default
behavior was changed to only allow "trusted" macros the privilege of being
allowed to run.  I do not know how common this was with other office
programs/suites of the same vintage.

I believe LO has always used the model of the "trusted macro only" being
granted privileges by default.

Under TOOLS>OPTIONS>LibreOffice/Security click on "Macro Security". Set
the security level to high or very high. This will restrict macros from
running unless they trusted. This setting works for any macros.

--
Jay Lozier
jslozier@gmail.com



--
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-
unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be
deleted


-- 
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Context

[libreoffice-users] Is version 4.1.6.2 insecure? · .
- Re: [libreoffice-users] Is version 4.1.6.2 insecure? · Tom Davies
- Re: [libreoffice-users] Is version 4.1.6.2 insecure? · Jay Lozier
  - Re: [libreoffice-users] Is version 4.1.6.2 insecure? · Cley Faye
  - Re: [libreoffice-users] Is version 4.1.6.2 insecure? · Italo Vignoli

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.