[Solved] CVE-2015-1774: OpenOffice HWP Filter Remote...

466385@tiscali.co.uk
Posts: 81
Joined: Fri Jan 28, 2011 6:59 pm

Post by 466385@tiscali.co.uk »

Hi all,

I've just pulled an email with the above title out of my spam folder. Is it genuine? Here's what it says:

Ian

CVE-2015-1774

OpenOffice HWP Filter Remote Code Execution and Denial of Service
Vulnerability

A vulnerability in OpenOffice's HWP filter allows attackers to cause a
denial of service (memory corruption and application crash) or possibly
execution of arbitrary code by preparing specially crafted documents in
the HWP document format.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

All Apache OpenOffice versions 4.1.1 and older are affected.

Mitigation:

Apache OpenOffice users are advised to remove the problematic library in
the "program" folder of their OpenOffice installation. On Windows it is
named "hwp.dll", on Mac it is named "libhwp.dylib" and on Linux it is
named "libhwp.so". Alternatively the library can be renamed to anything
else e.g. "hwp_renamed.dll".
This mitigation will drop AOO's support for documents created in "Hangul
Word Processor" versions from 1997 or older. Users of such documents are
advised to convert their documents to other document formats such as
OpenDocument before doing so.

Apache OpenOffice aims to fix the vulnerability in version 4.1.2.

Credits:

Thanks to an anonymous contributor working with VeriSign iDefense Labs.
Last edited by 466385@tiscali.co.uk on Mon Apr 27, 2015 9:33 am, edited 1 time in total.
OO latest version; Windows 7 X64 SP1
RoryOF
Moderator
Posts: 34657
Joined: Sat Jan 31, 2009 9:30 pm
Location: Ireland

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by RoryOF »

This posting was sent to several of the Apache OpenOffice mailing lists signed by a known contributor to those lists. I have no reason to doubt its validity, but several list members have asked for confirmation.
Apache OpenOffice 4.1.15 on Xubuntu 22.04.4 LTS
466385@tiscali.co.uk
Posts: 81
Joined: Fri Jan 28, 2011 6:59 pm

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by 466385@tiscali.co.uk »

Sorry Rory. I may be becoming over-sensitive to word usage, thanks to the ongoing election, but that looks like a politician's answer! Surely somebody from Apache could/should grant official approval?

Ian
OO latest version; Windows 7 X64 SP1
RoryOF
Moderator
Posts: 34657
Joined: Sat Jan 31, 2009 9:30 pm
Location: Ireland

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by RoryOF »

I can only tell you what I know. The original poster to the Apache lists is a known contributor - I'm not sure of his status (haven't time to check - fixing dishwasher!), but this vulnerability number shows up on
https://security-tracker.debian.org/tra ... -2015-1774
and elsewhere.

List members on some of the Apache OpenOffice mailing lists have asked for confirmation that the messages were not an email hijack: on my inspection they do not appear to be so.
Edit: Dishwasher sounds happy! Blocked input filters (at both ends of water input pipe)
Edit2: As for a "politician's answer", remember George Meredith's line in "Modern Love":
"Ah, what a dusty answer gets the soul
When hot for certainties in this our life!"
Apache OpenOffice 4.1.15 on Xubuntu 22.04.4 LTS
466385@tiscali.co.uk
Posts: 81
Joined: Fri Jan 28, 2011 6:59 pm

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by 466385@tiscali.co.uk »

Thanks, Rory, and I'm glad the dishwasher's OK. I'll leave it a few days and see if any more positive proof turns up.

Yours,

Doubting Thomas
OO latest version; Windows 7 X64 SP1
pescetti
Posts: 25
Joined: Sat Feb 27, 2010 12:12 pm

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by pescetti »

I confirm the message is genuine.

See http://www.openoffice.org/security/bulletin.html for more.

The vulnerability is expected to be fixed in our next release (OpenOffice 4.1.2), but you can apply the workaround described in the issue already now.

It is very unlikely that you need support for "Hangul Word Processor" versions from 1997 or older (and if you do, for sure you know it), so deleting or renaming the problematic library will not affect your ordinary usage of OpenOffice.
--
Andrea Pescetti - Apache OpenOffice PMC and security team member.
OpenOffice 4.1.2 Italian
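
The workaround from the advisory quoted in the first post, as an added example that is not part of the thread or of Apache OpenOffice's own tooling: a Python script that looks in a given "program" folder for the HWP filter library under the three names the advisory lists and, with `--apply`, renames it. The folder argument, the function names and the `_renamed` suffix pattern (modelled on the advisory's "hwp_renamed.dll") are assumptions of this example.

```python
import sys
from pathlib import Path

# Library names from the advisory: Windows, Mac, Linux.
HWP_LIBRARIES = ("hwp.dll", "libhwp.dylib", "libhwp.so")


def renamed_path(lib):
    """hwp.dll -> hwp_renamed.dll (suffix pattern is this example's choice)."""
    return lib.with_name(f"{lib.stem}_renamed{lib.suffix}")


def check_hwp_filter(program_dir, apply=False):
    """Return {library name: status} for the HWP filter in program_dir.

    "present"          library is in place, the filter can still be loaded
    "disabled"         library was renamed by this call
    "already-disabled" only the renamed copy exists
    Library names that do not occur in the folder are left out.
    """
    program_dir = Path(program_dir)
    if not program_dir.is_dir():
        raise NotADirectoryError(str(program_dir))
    report = {}
    for name in HWP_LIBRARIES:
        lib = program_dir / name
        target = renamed_path(lib)
        if lib.is_file():
            if apply:
                # replace() also covers a repair install that put the
                # library back next to an earlier renamed copy.
                lib.replace(target)
                report[name] = "disabled"
            else:
                report[name] = "present"
        elif target.is_file():
            report[name] = "already-disabled"
    return report


if __name__ == "__main__":
    # Usage: python hwp_check.py <path to OpenOffice "program" folder> [--apply]
    if len(sys.argv) < 2:
        sys.exit("usage: hwp_check.py PROGRAM_DIR [--apply]")
    result = check_hwp_filter(sys.argv[1], apply="--apply" in sys.argv[2:])
    for name, status in result.items():
        print(f"{name}: {status}")
    if not result:
        print("no HWP filter library found")
```

Run it once without `--apply` to see the current state. The rename needs write access to the installation's "program" folder, and afterwards documents from "Hangul Word Processor" versions from 1997 or older can no longer be opened, as the advisory notes.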
466385@tiscali.co.uk
Posts: 81
Joined: Fri Jan 28, 2011 6:59 pm

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by 466385@tiscali.co.uk »

Thank you. Sorry to be so neurotic, but I've just spent 6 days in the care of a malware clean up expert.

Ian
OO latest version; Windows 7 X64 SP1
floris v
Volunteer
Posts: 4437
Joined: Wed Nov 28, 2007 1:21 pm
Location: Netherlands

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by floris v »

One great way to get involved with malware is to publish your e-mail address.
OpenOffice 4.1.11 on Ubuntu; LibreOffice 6.4 on Linux Mint, LibreOffice 7.6.2.1 on Ubuntu
If your problem has been solved or your question has been answered, please edit the first post in this thread and add [Solved] to the title bar.
Nederlandstalig forum
466385@tiscali.co.uk
Posts: 81
Joined: Fri Jan 28, 2011 6:59 pm

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by 466385@tiscali.co.uk »

Thanks, floris. BTW, I noted the green ink print below your post and tried to edit the title of the first post but couldn't. I added a green tick instead.

Ian
OO latest version; Windows 7 X64 SP1
floris v
Volunteer
Posts: 4437
Joined: Wed Nov 28, 2007 1:21 pm
Location: Netherlands

Re: CVE-2015-1774: OpenOffice HWP Filter Remote Execution an

Post by floris v »

Thank you for editing it, anyway. The title is too long, that's why you can't add text. :)
OpenOffice 4.1.11 on Ubuntu; LibreOffice 6.4 on Linux Mint, LibreOffice 7.6.2.1 on Ubuntu