Re: CVE-2012-0037 (was RE: [libreoffice-users] CVE-2012-0337)

By the way, it is CVE-2012-0037, not -0337.  Sorry I didn't detect the original subject-line gaff 
sooner.

Note that the official CVE reports are seriously unenlightening: 
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0037>.

The LibreOffice advisory is likely to simply scare the pants off of users since it is very 
circumspect and provides no information about how this matters to users and what they can do to 
avoid it (apart from upgrading): https://www.libreoffice.org/advisories/CVE-2012-0037/ 

The Apache OpenOffice advisory is closer to what I consider the benchmark (advisory e-mails from 
Microsoft) in this area.  It does not presume remote code execution (at least, not in OO.o), and it 
describes mitigation more clearly: <https://www.libreoffice.org/advisories/CVE-2012-0037/>.  This 
can be done better.  I'd say not bad for a first effort though.

With regard to the lack of an OO.o 3.3.0 Linux patch from the Apache OpenOffice project, that was a 
mistake based on an incorrect assumption about how few people have installed OO.o from other than 
their Linux distributions.  There is an effort to address that underway now.  See this thread: 
<http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201203.mbox/thread?6>.


 - Dennis

PS: Your conclusion that the exploit is unlikely is unsupportable.  

Whether an exploit actually manages to capture anything useful or embarrassing is another matter.  
It is also conceivable that a failed exploit may crash the application or at least result in 
mystery failures to open the document.

On the other hand, it is a bit like spam and phishing.  Since those are so easy to do, and 
inexpensive to distribute, the mischievous folks are willing to have a miniscule return rate, so 
long as there are any [;<).  (The easiest way to seed a wide distribution is by 
contributing/distributing a template file with the template built in.  Still a move-plot, but users 
need a way to satisfy themselves that there is no exploit.  There are so many faux download sites 
that it is a bit like walking down a road where all the street lights have been shot out.

This reminds me how the Iranian nuclear-material centrifuges were hacked by sending a trojan into 
the wild that apparently went global but was designed to fire with effect when it found itself on 
the correct computers.

Apparently it is the ease of crafting exploits that has the Apache OpenOffice.org categorize this 
as "Important" (but not "Critical").



-----Original Message-----
From: Tom Davies [mailto:tomdavies04@yahoo.co.uk] 
Sent: Friday, March 23, 2012 11:36
To: users@global.libreoffice.org
Subject: RE: [libreoffice-users] CVE-2012-0337

Hi :)
I think it would be good to post it here too.  

It's unusual for LibreOffice to suffer anything like it.  In almost any other program it wouldn't 
have even been reported as it's so trivial.  Just another patch for just another unlikely exploit.  
You basically have to be passing the document backwards and forwards   without changing formats 
with someone you think of as reasonably friendly but who is actually fairly evil and who has a 
fairly unusually high skill level and knowledge-base.  I think the "not changing formats" part of 
that is fairly unlikely at the moment.  Their skill level is an issue too.  Perhaps most people on 
this list could do it fairly easily but the average skill level here is far higher than the vast 
majority of office workers.  

With LO or other OpenSource programs such things are rare enough that they become big News stories. 
 
Regards from
Tom :)


[ ... ]


-- 
For unsubscribe instructions e-mail to: users+help@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted