This vulnerability is about a side-loading exploit that will cause a malicious 
DLL to be used instead of a standard one.  That there is an avenue to a 
side-loading vulnerability by placing certain documents in the same place as 
the DLL is an additional door being closed.  Any Windows program with an Open 
... dialog could be subject to this attack if the search for DLLs is not 
restricted.

I have no insight on how LibreOffice does DLL searches and whether it had to be 
repaired since this became a concern one year ago.  You'd have to check the CVE 
lists for whether anything like that had to be fixed in LibreOffice, and when.  
It might have already been fixed in OpenOffice.org before the fork to 
LibreOffice.

 - Dennis

(I had to deal with this too, but it is basically a "won't fix" in my case: 
<http://odma.info/support/2010/08/X100801.htm>.)


-----Original Message-----
From: Tom Davies [mailto:tomdavie...@yahoo.co.uk] 
Sent: Wednesday, September 14, 2011 13:42
To: users@global.libreoffice.org
Subject: [libreoffice-users] .Doc security risk in MS Office (and .Rtf)

Hi :)
LibreOffice is probably unaffected by this issue as it seems to take advantage 
of vulnerabilities in MS Office.  Apparently a slightly modified version of the 
exploit they suffered from last year can cause them problems again but there 
is a security patch for it in the normal MS Office updates and this time it is 
promised that it will really work, unlike the one from last year which they 
also promised would fix it.  

Quite why you would have DLL files in the same folder as a word-processor 
document or spreadsheet is a bit beyond me.  I am a bit disorganised at times 
but I don't think I ever managed it and it's not the default!  (unless you 
count the desktop or downloads folder where almost anything could be dumped).  

The ZDNet article about this gave some good links
http://www.zdnet.com/blog/security/ms-patch-tuesday-warning-opening-legitimate-doc-txt-files-brings-code-execution-risk/9399?tag=nl.e550
Such as this one
http://technet.microsoft.com/en-us/security/bulletin/ms11-072

Someone recently was saying that MS wanted to discourage or even stop the use of 
.doc to push people into using their newer formats which only really work well 
on their newer products.  All very interesting timing or am I paranoid (or 
both)?  Anyway, it's one more good reason (or 5 according to that last link) 
for using LibreOffice.  
Regards from
Tom :)

-- 
For unsubscribe instructions e-mail to: users+h...@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted
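
As an added example (not part of the thread and not code from LibreOffice or Microsoft), a defender-side check for the condition discussed above: folders where a document sits alongside a DLL. The extension list, the five-minute "arrived together" window and the sample folder layout are assumptions constructed for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: document types named in the thread and its linked article.
DOC_EXTS = {".doc", ".rtf", ".txt"}
WINDOW_SECONDS = 300  # assumption: "arrived together" = mtimes within 5 minutes


def find_colocated(root, window=WINDOW_SECONDS):
    """Map each directory under root holding both documents and DLLs to
    (documents, dlls, arrived_together)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        docs = sorted(f for f in files if Path(f).suffix.lower() in DOC_EXTS)
        dlls = sorted(f for f in files if Path(f).suffix.lower() == ".dll")
        if not (docs and dlls):
            continue
        stamps = {f: os.path.getmtime(os.path.join(dirpath, f)) for f in docs + dlls}
        # A DLL written at about the same time as a document suggests both
        # were delivered together (one archive, one share) and merits review.
        together = any(abs(stamps[d] - stamps[l]) <= window
                       for d in docs for l in dlls)
        findings[dirpath] = (docs, dlls, together)
    return findings


def build_sample_tree(base):
    """Constructed sample layout, not data from the thread."""
    now = time.time()
    layout = {
        "Downloads/invoice": [("report.DOC", now), ("helper.dll", now - 60)],
        "Documents": [("notes.rtf", now)],
        "Program/app": [("app.dll", now - 30 * 86400), ("readme.txt", now)],
        "Program/bin": [("core.dll", now)],
    }
    for rel, entries in layout.items():
        folder = Path(base, rel)
        folder.mkdir(parents=True)
        for name, stamp in entries:
            (folder / name).write_bytes(b"")
            os.utime(folder / name, (stamp, stamp))


def demo():
    """Scan the constructed tree; keys are paths relative to its root."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {os.path.relpath(d, base): v for d, v in find_colocated(base).items()}
```

Pointing `find_colocated` at a downloads folder or a file share lists every folder to review; an application's own install directory with a readme beside its DLLs is reported too, but without the arrived-together flag.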

