Cybersecurity (opens in new tab) researchers have discovered a remote code execution (RCE) vulnerability in Apache OpenOffice (AOO) (opens in new tab), which can be abused through a malicious file to execute malware (opens in new tab) on the machine.
The vulnerability tracked as CVE-2021-33035 was highlighted by Eugene Lim at HackerOne's Hacktivity online conference, who has just started foraying into vulnerability research.
AOO isn’t as widely used as its other open source (opens in new tab) fork, LibreOffice (opens in new tab), and had its last official release back in May. Still, the office suite has clocked hundreds of millions of downloads, leaving virtually all users vulnerable.
- Here’s our roundup of the best laptops for programming (opens in new tab)
- Check our list of these best Python courses (opens in new tab)
- Start your web development journey with these best HTML courses (opens in new tab)
Interestingly, while the app's source code has been patched, The Register reports that the fix has only been made available as beta software.
"We endeavor to roll the release for Apache OpenOffice 4.1.11 within the month, hopefully sooner, and publish the CVE-2021-33035 before the release," said Dave Fisher, on behalf of the AOO Project Management Committee (PMC), in a statement to The Register.
Instead of focussing on a particular software, Lim was advised to direct his attention on file formats. A quick search led him to the dBase database file (DBF) format, which was created over four decades ago, but is still used as a data storage mechanism by modern apps such as Microsoft Office, LibreOffice, and AOO.
In a technical blog (opens in new tab) sharing details about the vulnerability, Lim explains how he was able to find the RCE bug in DBF without too much effort.
“This begged the question: why did no one discover this bug earlier? As an open-source program, OpenOffice would undoubtedly have been automatically scanned by various static code analysers, which would have easily picked up the unsafe memcpy,” writes Lim.
“This demonstrates the importance of sanity-checking automated static analysis tools; if your tools don’t know the code exists, it can’t find those vulnerabilities,” explains Lim.
Via The Register (opens in new tab)