Just in time for...
Mega-super-giant Patch Tuesday.
Or...
maybe not. We shall have to wait and see how long it takes for MS to close this huge hole.
Infosec researchers have idenitied a zero-day code execution vulnerability in Microsoft's ubiquitous Office software. Dubbed "Follina", the vulnerability has been floating around for a while (cybersecurity researcher Kevin Beaumont traced it back to a report made to Microsoft on April 12) and uses Office functionality to …
vi: modeline vulnerabilities. See for example this summary of modeline vulnerabilities in vim. I recall discussions of modeline vulnerabilities in classic vi from comp.unix.security circa 1990.
LaTeX: I don't offhand recall any published vulnerabilites for LaTeX2e itself, but TeX has always been vulnerable to various filesystem-access attacks, and assorted TeX implementations and backends such as MikTeX and pdfTeX have had them. Web-based LaTeX processors have had scads. (And, of course, if you're targeting PDF for output ... well, PDF, y'know? There are probably vulnerabilities in dvi implementations too.)
Mind you, I'd much rather use vim and LaTeX, or LyX, to write documents than Word, which is horrible. But the LaTeX toolchains are very complicated and expecting them to be free of vulnerabilities is naive. Better than MS Office, sure, but nothing's perfect.
Don't mind the dust on this very heavy tablet. Just take it indoors and give it a good brushing. I'll wait outside your yurt while you read it.
I got a Russian phishing e-mail today and, as far as I can tell, somebody forgot to put the payload in it. It was disappointing to have read this article and then find nothing but a messenger contact in all the Word docs. (No, I didn't use Word to check it. Just unzip and cat.)
Obviously it is. Same for the really old version of log4j that ships with SQL server - MS says it's not a problem, but it is as well. Wish we could all dump all the MS "insecure by default" OS and Applications. Any Government or Defense Department on this planet should ban MS software from running on their networks, especially if it's a connected system.
Download patch from www.libreoffice.org.
And so for those of us who actually have to manage sizable desktop estates, eyeing up the options in the admx extensions to extend group policy to cover office, this option stands out:-
https://admx.help/?Category=Office2016&Policy=word16.Office.Microsoft.Policies.Windows::L_WebPages
Would blocking opening HTML in word then defang this attack using existing readily available tools if the attack path is opening an HTML file with malicious code in it?
this is, as usual, a Windows-only problem. It appears to leverage things found only on Windows boxes. So... that means that Word on Macs is. umm, safe? How about the web version of Word? That can work on Windows, and so might be vulnerable... but also works on Macs, and, sort of, on Linux. Can the web version be affected? Enquiring minds want to know. My bowl of popcorn is ready to go.
Boy, Micro$haft really left this latest turd to rot for quite some time. Quelle surprise! Reeks of "security through obscurity."
Macros disabled, there should be nothing more to worry about in Office Fantasyland, except that there is, and most people have no clue about Micro$haft's "URL protocols" and the machinations that it deliberately hides behind them.
The first time that I saw one of these monikers, my reaction was, "Why is M$ obscuring functionality, via this oddball, non-obvious, proprietary, Registry-buried crap?"