CVE-2015-4551: TARGETED DATA DISCLOSURE
Fixed in Apache OpenOffice 4.1.2
Announced November 4, 2015
A vulnerability in OpenOffice settings of OpenDocument Format files and templates allows silent access to files that are readable from an user account, over-riding the user's default configuration settings. Once these files are imported into a maliciously-crafted document, the data can be silently hidden in the document and possibly exported to an external party without being observed.
There are no known exploits of this vulnerabilty.
A proof-of-concept demonstration exists.
Vendor: The Apache Software Foundation
All Apache OpenOffice versions 4.1.1 and older are affected.
OpenOffice.org versions are also affected.
Apache OpenOffice users are urged to download and install Apache OpenOffice version 4.1.2 or later.
Apache OpenOffice 4.1.2 mitigates this vulnerability by ignoring in-document settings that over-ride default behavior when accessing data beyond the document itself. The automatic default behavior is changed to make such access evident to the user, who must then approve the access.
Nature of Attack
This vulnerability requires an exquisitely crafted attack to locate targeted files, silently retrieve them, and then deliver their data in a manner that escapes notice. Knowledge of the user's system and specific configuration is generally required.
In addition to keeping Apache OpenOffice updated, users can reduce the threat of this kind of data access from ODF documents. Keep documents and sensitive materials separate from common, predictable locations, including on networks. Require additional access permissions for access to sensitive materials even when operating under the user's normal account.
The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.
The Apache OpenOffice security team thanks Federico "fox" Scrinzi for reporting the defect and Stephan Bergmann of Red Hat for analysis and a repair solution.