LibreOffice improves macro security

The LibreOffice development team is improving macro security. Macros with incorrect signatures can no longer be executed.

This article was originally published in German and has been automatically translated.

The LibreOffice developers have updated their software to close a security vulnerability that allowed signed macros to be executed despite a failed signature check. This is no longer possible with the default settings.

The LibreOffice developers explain in a security advisory that documents can contain macros signed by the document's creator. If such a macro is included, LibreOffice warns against its execution. Until now, if the signature check failed, LibreOffice displayed this error in the warning but still allowed users to ignore the warning and execute the macro anyway. This was easy to misunderstand (CVE-2024-6472, CVSS 7.8, risk "high").

In the "high macro security" setting, which is active by default, LibreOffice now automatically disables macros that fail the certificate check. This prevents users from accidentally executing macros whose signatures are invalid.

The vulnerability was reported to the project by OpenSource Security GmbH on behalf of the German Federal Office for Information Security (BSI). LibreOffice 24.2.5 closes the vulnerability and implements the new behavior described above. It is available on the LibreOffice download page for various platforms: as 64-bit Debian and RPM packages for Linux on x86 processor architectures, for macOS (Apple Silicon and Intel), and for 32- and 64-bit Windows.
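The following profile check is an added example, not code from LibreOffice or from the article. It reads a user profile's `registrymodifications.xcu` and reports when the macro security level is below "high" or the installed release is older than 24.2.5. It assumes the level is stored as `MacroSecurityLevel` under `/org.openoffice.Office.Common/Security/Scripting` (0 = low to 3 = very high, 2 when unset); the function names, the sample profile and the simple version comparison are assumptions of the example.

```python
import xml.etree.ElementTree as ET

OOR = "{http://openoffice.org/2001/registry}"
SCRIPTING_PATH = "/org.openoffice.Office.Common/Security/Scripting"
LEVELS = {0: "low", 1: "medium", 2: "high", 3: "very high"}
DEFAULT_LEVEL = 2           # "high" is active by default, so an absent key means 2
FIXED_VERSION = (24, 2, 5)  # release the article names as containing the change


def macro_security_level(xcu_text):
    """Return the MacroSecurityLevel set in a profile, or the default if unset."""
    level = DEFAULT_LEVEL
    for item in ET.fromstring(xcu_text).iter("item"):
        if item.get(OOR + "path") != SCRIPTING_PATH:
            continue
        for prop in item.iter("prop"):
            if prop.get(OOR + "name") == "MacroSecurityLevel":
                value = prop.findtext("value")
                if value is not None and value.strip().isdigit():
                    level = int(value)  # a later entry overrides an earlier one
    return level


def audit(xcu_text, version):
    """List deviations from the setup the article describes (high, 24.2.5)."""
    findings = []
    level = macro_security_level(xcu_text)
    if level < 2:
        findings.append(f"macro security is '{LEVELS.get(level, level)}', below 'high'")
    # Assumption: any version that compares lower than 24.2.5 lacks the change.
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts < FIXED_VERSION:
        findings.append(f"version {version} predates 24.2.5")
    return findings


# Constructed sample profile: a user lowered the level to "medium".
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.Common/Security/Scripting">
<prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>1</value></prop></item>
</oor:items>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "24.2.4"):
        print("FINDING:", finding)
```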

The developers last closed a security vulnerability in LibreOffice in May. It was considered high-risk and could allow crafted documents to inject and execute malicious code after just one click by users.

(dmk)