Malicious documents can hijack Apache OpenOffice
Apache OpenOffice says a fully patched release is coming soon
Cybersecurity researchers have discovered a remote code execution (RCE) vulnerability in Apache OpenOffice (AOO), which can be abused through a malicious file to execute malware on the machine.
The vulnerability, tracked as CVE-2021-33035, was highlighted at HackerOne’s Hacktivity online conference by Eugene Lim, who has just started foraying into vulnerability research.
AOO isn’t as widely used as its other open source fork, LibreOffice, and had its last official release back in May. Still, the office suite has clocked hundreds of millions of downloads, leaving virtually all users vulnerable.
Interestingly, while the app’s source code has been patched, The Register reports that the fix has only been made available as beta software.
“We endeavor to roll the release for Apache OpenOffice 4.1.11 within the month, hopefully sooner, and publish the CVE-2021-33035 before the release,” said Dave Fisher, on behalf of the AOO Project Management Committee (PMC), in a statement to The Register.
Escaping scrutiny
Instead of focusing on a particular piece of software, Lim was advised to direct his attention to file formats. A quick search led him to the dBase database file (DBF) format, which was created over four decades ago, but is still used as a data storage mechanism by modern apps such as Microsoft Office, LibreOffice, and AOO.
In a technical blog sharing details about the vulnerability, Lim explains how he was able to find the RCE bug in DBF without too much effort.
“This begged the question: why did no one discover this bug earlier? As an open-source program, OpenOffice would undoubtedly have been automatically scanned by various static code analysers, which would have easily picked up the unsafe memcpy,” writes Lim.
A little research led him to the code analysis platform that runs tests on open source projects, which had tagged AOO as a Python and JavaScript project, and not as a C++ one, leading to the scanner missing the vulnerability.
“This demonstrates the importance of sanity-checking automated static analysis tools; if your tools don’t know the code exists, it can’t find those vulnerabilities,” explains Lim.
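The sanity check Lim describes can be automated. The following Python sketch is an added example, not code from Lim's post or from the Apache OpenOffice project: it totals source bytes per language in a checkout and reports any language the scanner is not configured to analyse. The extension map, the 5% threshold and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Assumed extension-to-language map, constructed for this example; extend as needed.
EXT_LANG = {
    ".c": "c/c++", ".h": "c/c++", ".cc": "c/c++", ".cpp": "c/c++",
    ".cxx": "c/c++", ".hxx": "c/c++", ".hpp": "c/c++",
    ".py": "python", ".js": "javascript", ".java": "java",
}

def language_bytes(root):
    """Walk a source tree and total source bytes per language."""
    totals = Counter()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            lang = EXT_LANG.get(os.path.splitext(name)[1].lower())
            if lang:
                totals[lang] += os.path.getsize(os.path.join(dirpath, name))
    return totals

def coverage_gaps(totals, analysed, min_share=0.05):
    """Map each language the scanner does not analyse to its share of the tree."""
    total = sum(totals.values())
    if total == 0:
        return {}
    analysed = {a.lower() for a in analysed}
    return {lang: round(size / total, 3) for lang, size in totals.items()
            if lang not in analysed and size / total >= min_share}

def build_sample_tree(root):
    """Constructed sample: mostly C++ with a little Python and JavaScript."""
    files = {"src/parser/reader.cxx": 4000, "src/parser/reader.hxx": 1000,
             "scripts/build.py": 300, "web/site.js": 200}
    for rel, size in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # Scanner configuration as in the article: Python and JavaScript only.
        gaps = coverage_gaps(language_bytes(tmp), ["python", "javascript"])
        for lang, share in gaps.items():
            print(f"NOT ANALYSED: {lang} is {share:.0%} of the source tree")
```

Run against a real checkout, a non-empty result means a substantial part of the code base is invisible to the scanner and its clean report says nothing about that code.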
Via The Register
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.