285 software vendors have fixed 923 vulnerabilities in their products thanks to High-Tech Bridge Security Research Lab.
Patch Available Upon Disclosure

| Quarter | Patch available upon disclosure |
|---|---|
| 2014 Q1 | 93% |
| 2013 Q4 | 67% |
| 2013 Q3 | 77% |
| 2013 Q2 | 92% |
| 2013 Q1 | 100% |
| 2012 Q4 | 68% |

Vendor Average Time to Patch

| Quarter | Average time to patch |
|---|---|
| 2014 Q1 | 5 days |
| 2013 Q4 | 8 days |
| 2013 Q3 | 13 days |
| 2013 Q2 | 30 days |
| 2013 Q1 | 13 days |
| 2012 Q4 | 26 days |
Multiple Vulnerabilities in LibreOffice
| Field | Value |
|---|---|
| Vulnerable Versions | 22.214.171.124 and probably prior |
| Advisory Publication | July 26, 2012 [without technical details] |
| Vendor Notification | July 26, 2012 |
| Vendor Fix | October 18, 2012 |
| Public Disclosure | October 31, 2012 |
| Latest Update | October 23, 2012 |
| Vulnerability Type | NULL Pointer Dereference [CWE-476] |
| CVSSv2 Base Score | 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) |
| Solution Status | Fixed by Vendor |
| Discovered and Provided | High-Tech Bridge Security Research Lab |
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LibreOffice which could be exploited to perform denial of service (DoS) attacks.
1.1 A NULL pointer dereference error was found in vcllo.dll while processing .odt files. A remote attacker can create a specially crafted .odt file, trick a user into opening it, and terminate the application.
First chance exceptions are reported before any exception handling.
eax=6cd6e982 ebx=050d1e20 ecx=00b4f404 edx=000000d6 esi=00b4f404 edi=00b4f2d8
The access violation occurs in the svxcorelo!sdr::contact::ViewObjectContact::getPrimitive2DSequence+0x39 function when the application tries to call through the pointer at EDX+4. Since the EDX value is not properly set, this causes a bad pointer dereference.
67302686 ff5204 call dword ptr [edx+4] ds:0023:00000004=???????? Crash
After studying the crash, we found that the problem arises after the application renders the page and accesses the following function for the forty-third time.
The EDX register inherits its value from the previous mov edx,dword ptr [eax] instruction. When a non-well-formed ODG file is opened, the EAX register passes a wrong pointer to EDX, which leads to a bad pointer dereference in the call dword ptr [edx+4] instruction.
The malformed PPT file calls the tllo!Polygon::Polygon function, which makes a subsequent call to the MSVCR90!memcpy procedure. The procedure inherits its value from the ESI pointer, which references invalid or corrupted memory, leading to a crash of the entire application.
Please see the attached file: HTB23106-PPT.rar
The error is triggered when the application calls the scfiltlo!scfilt_component_getFactory function to process the malformed Microsoft XLS file.
eax=00000001 ebx=00000000 ecx=00000000 edx=00000002 esi=00a4b9a8 edi=0000ffff
The crash occurs at address 0x5fa46a51 when the value of the ESI pointer is transferred into the ECX register. This value is always set to null, which leads to a crash of the entire application.
Please see the attached file: HTB23106-XLS.rar
In a web-based scenario, an attacker could host a file on a website or WebDAV share and trick a user into downloading and opening this file.
In an email scenario, an attacker could exploit this vulnerability by sending an email with the malicious file attached.
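As an added illustration of the CWE-476 pattern in the crash analysed above (EDX loaded from [EAX] and then used in call dword ptr [edx+4]), not LibreOffice code: a renderer that calls through an object's method table without checking that the object pointer was set, beside one that validates it first. The `Contact` and `Ops` types, the object-id tables and the function names are constructed for the example.

```c
/* Added example (not LibreOffice code): models the CWE-476 pattern in this
 * advisory, an indirect call through a method table reached from an object
 * pointer that a malformed document leaves unset ("call dword ptr [edx+4]"). */
#include <stddef.h>
#include <stdint.h>
typedef struct Contact Contact;
typedef struct { int (*get_primitive_2d)(const Contact *self); } Ops; /* method table */
struct Contact { const Ops *ops; int object_id; }; /* ops is NULL if no object backs it */

static int shape_primitive(const Contact *s) { return s->object_id * 10; }
static const Ops shape_ops = { shape_primitive };
/* Constructed page object tables; id 0 stands for a reference the loader
 * cannot resolve, which is what a malformed file produces. */
#define MAX_OBJECTS 4
const uint8_t WELL_FORMED_IDS[3] = { 1, 2, 3 };
const uint8_t MALFORMED_IDS[3]   = { 1, 0, 3 };

/* Builds the contacts for a page; unresolved references keep ops == NULL. */
static size_t load_page(Contact *out, const uint8_t *ids, size_t n) {
    size_t count = n < MAX_OBJECTS ? n : MAX_OBJECTS;
    for (size_t i = 0; i < count; i++) {
        out[i].object_id = ids[i];
        out[i].ops = ids[i] != 0 ? &shape_ops : NULL;
    }
    return count;
}

/* Vulnerable renderer: trusts that every contact has a method table, so a
 * malformed page dereferences NULL at the indirect call and the process dies. */
int unchecked_render(const uint8_t *ids, size_t n) {
    Contact page[MAX_OBJECTS];
    size_t count = load_page(page, ids, n);
    int sum = 0;
    for (size_t i = 0; i < count; i++)
        sum += page[i].ops->get_primitive_2d(&page[i]); /* the [edx+4]-style call */
    return sum;
}

/* Hardened renderer: validates the pointer before the indirect call and
 * rejects the document with -1 instead of crashing. */
int checked_render(const uint8_t *ids, size_t n) {
    Contact page[MAX_OBJECTS];
    size_t count = load_page(page, ids, n);
    int sum = 0;
    for (size_t i = 0; i < count; i++) {
        if (page[i].ops == NULL || page[i].ops->get_primitive_2d == NULL) return -1;
        sum += page[i].ops->get_primitive_2d(&page[i]);
    }
    return sum;
}
```

Only `checked_render` can be handed the malformed table safely; `unchecked_render` on it is the crash this advisory reports.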
Upgrade to LibreOffice 126.96.36.199
High-Tech Bridge Advisory HTB23106 - https://www.htbridge.com/advisory/HTB23106 - Denial of Service Vulnerability in LibreOffice
LibreOffice - http://www.libreoffice.org - LibreOffice is the power-packed free and open source personal productivity suite for Windows, Macintosh and GNU/Linux.
Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.