back to article LibreOffice patches malicious code-execution bug, Apache OpenOffice – wait for it, wait for it – doesn't

A security flaw affecting LibreOffice and Apache OpenOffice has been fixed in one of the two open-source office suites. The other still appears to be vulnerable. Before attempting to guess which app has yet to be patched, consider that Apache OpenOffice for years has struggled attract more contributors. And though the number …

  1. Warm Braw Silver badge

    The exploit was tested on Windows but should work on Linux

    Bugs bad. Platform-independence good. Brain hurts.

    1. steelpillow Silver badge
      Pint

      Re: The exploit was tested on Windows but should work on Linux

      LOL. Icon to erase hurt.

    2. Archtech Silver badge

      Re: The exploit was tested on Windows but should work on Linux

      "Bugs bad. Platform-independence good. Brain hurts".

      Thank you for brilliantly condensing at least a chapter of closely-argued text into seven words.

      I may have to quote your lucid formulation many times, as I have never seen any way of saying it that was a tenth as good or a hundredth as short.

  2. overunder

    Tried Libre about 3 weeks ago....

    ... and as far as this person is concerned, who needs MS office and why? I think that if someone *thinks* they need MS office now, in 2019, they're probably much better off employing a programmer to "handle" all the transparency (god help that programmer though). Even if you have to pay a little more, at least the programmer can also do non-MS Office stuff*. I mean somebody has to understand all that "cloudy" magic stuff right (and possibly put you on a less dependent path than just the cloud).

    *stuff: the technical term for making something out of thin air that otherwise seems to be just a natural implicit of functionality that people already assume exists... you know, stuff like that.

    1. Zippy´s Sausage Factory
      Windows

      Re: Tried Libre about 3 weeks ago....

      I'm forced by work to have Office 365 installed. I keep Libre around so I can actually get some work done. *sigh*

      1. Captain Scarlet Silver badge
        Trollface

        Re: Tried Libre about 3 weeks ago....

        It should be called Office 363 (2 posts On The Register exist for outages this year, when the next one comes along Office 362!).

        1. vtcodger Silver badge

          Re: Tried Libre about 3 weeks ago....

          Is the nomenclature different in leap year? e.g. Office 366 ... 365 ... 364 ...

          1. Captain Scarlet Silver badge

            Re: Tried Libre about 3 weeks ago....

            hmm good point, I think someone from The Register should confirm (As I am using their "nickname" about Office 365 - new articles of downtime)

    2. Lee D Silver badge

      Re: Tried Libre about 3 weeks ago....

      You can easily run just about any business from Libre, Google Docs, etc.

      You don't "need" Office. You "want" Office, because you have decades of legacy documents that you tinker with incessantly rather than use a proper system or have to re-do them. I've literally walked into companies that are entirely reliant on spreadsheets that they have *no idea* how they work, or how to fix them when they don't. Some guy made it 20 years ago, it gives us the numbers we want, therefore we're happy so long as it keeps doing that forever, so why would we change to something like LibreOffice that it might not work on?

      It's a sign of an outdated business process to not be able to move your software occasionally. It means you're tied in and don't review the longevity or safety of such arrangements to process the data you want. This is why banks are still stuck on COBOL, have difficulty transitioning away from it, and can't hire staff who know how it all works. Because they don't do it often enough, they only do it when everything collapses around their ears.

      Libre is more than adequate. As an IT guy I ran Windows networks when my personal machine only had OpenOffice (though I wouldn't recommend that now because Libre is so far ahead). 99% of people will happily use Libre and not even notice. 99% of people will happily go to Google Docs and not even notice.

      It's just a question of whether they understand "Occasionally, I have to learn something new, no matter how minor that is" versus "I only understand one thing, and that incompletely, and I can never, ever, ever move off that because everything will collapse and burn around me".

      The biggest difficulty comes from pillocks who say you have to use X "because". Or try one thing, badly, once, decades ago, and never touch it again for the rest of their lives (e.g. everyone who says "Oh, you don't want to use Linux", etc.).

      If the Microsoft activation service blew up tomorrow, if they lost the source code to everything and couldn't re-create it, if we were literally left without MS Office... there'd be a bit of inconvenience, we'd push out alternatives and we'd be back and working quickly and a year on would have forgotten all about it.

      Yet I still see people buy an iPad and then "buy" the Microsoft Office apps for it "because you have to have those, don't you?".

      1. steviebuk Silver badge

        Re: Tried Libre about 3 weeks ago....

        You don't want Google Docs. It's fucking awful. The only decent thing in the GSuite, which you can get for free as well, is Google Keep. Very useful.

        1. jelabarre59 Silver badge

          Re: Tried Libre about 3 weeks ago....

          You don't want Google Docs. It's fucking awful.

          I don't know, it's adequate for my fanfiction (and some original fiction as well). I just make sure to run Odeke's "drive" utility regularly to keep local ODT/PDF backups of all my documents.

    3. Primus Secundus Tertius Silver badge

      Re: Tried Libre about 3 weeks ago....

      Libre Office is fine if you are working alone; and simple letters and essays can be exchanged with the Rest of the World.

      But try that with complicated documents, containing tables, lists, footnotes, pictures, drop caps, page numbers, sections in two-column format, various fonts, an index and a table of contents -- and one or more minor details will be wrong. For one document, you can fix it; but for a dozen documents a day it is too much. These tend to be important documents with a life of many years, shared by many people.

      If Libre Office ruled the world, it would be a Microsoft problem of course.

      1. Anonymous Coward
        Anonymous Coward

        Re: Tried Libre about 3 weeks ago....

        Several of my clients work with Libre Office and use documents with tables, lists etc. and they seem quite happy.

        I wouldn't say it was bug free but I've also found odd problems with Word when working with complex documents.

      2. holmegm

        Re: Tried Libre about 3 weeks ago....

        I've had complex Word docs go just as wrong between different versions of Word, and so forth. That's a bit of a red herring.

        1. Paul Shirley

          Re: Tried Libre about 3 weeks ago....

          I had uncomplex Word documents go wrong between the cut and the paste!

        2. Joe Montana

          Re: Tried Libre about 3 weeks ago....

          I've had complex word documents go wrong between the mac and windows versions of word.

          I've had complex word documents go wrong between different patch revisions of the same base version (ie installing security updates).

          I've had complex word documents go wrong between the same patch level on different machines..

          These formats are simply too complex and poorly documented to render reliably. Sometimes libreoffice actually makes a better job of rendering a document than a given version of word, especially if you have very old documents or documents which have got corrupted.

    4. luminous
      FAIL

      Re: Tried Libre about 3 weeks ago....

      Have they fixed the bug where embedding a screenshot blurs the image enough to render it unreadable?

      That was pretty much the sole reason I bought Office 365. I was urgently sending a client records of emails using screenshots and in LibreOffice I couldn't read the text. Gave up and installed Office.

      1. Captain Scarlet Silver badge
        Stop

        Re: Tried Libre about 3 weeks ago....

        ....

        You purchased Office because of an issue with screenshots?

        If it was screenshots of emails why not print them as a PDF, or if you have to have a screenshot use the Windows snipping tool?

        P.S Why in gods name do people send screenshots in Word, its infuritating having to zoom in to look at someones screenshot, its almost as bad as when people actually print out their screen and then scan it in using a scan to email device.

        1. luminous

          Re: Tried Libre about 3 weeks ago....

          Because I was making a report which was referencing emails and it's much easier if everything is in chronological order instead of constantly referring back to other pages.

          I did use the Windows snipping tool (and only selected the emails). When importing them into LibreOffice they get so heavily compressed that they become illegible. I mean this is basic stuff that should work out of the box.

          I'd also become frustrated with incompatibility with LibreOffice and documents that I was sent. It would be great if they all talked to each other and used roughly the same specs but they don't and I get that that is mostly Microsoft's fault. That being said, I just need to get work done, and in this particular case it was very urgent. I didn't have the time to file a bug report and wait to see if someone might fix it in a future release, and all my clients use Office or Pages. I don't have a single one on LibreOffice.

          1. Captain Scarlet Silver badge

            Re: Tried Libre about 3 weeks ago....

            Do the emails have graphical elements to them (Unless its very graphical I can't see why you can't just copy and paste the text, it obviously has the advantage of being much smaller in filesize)?

            When most of the programs first started, such as Word Perfect, Lotus Smart Suite etc... there probably wasn't any standards available. The only ones I can think of are HTML (Hidious every single one of them) and PDF (Normally as an export) and RTF (Although this was between Microsoft products such as Windows Write, Word and Works)

            1. luminous

              Re: Tried Libre about 3 weeks ago....

              There were few graphic elements (a tweet screenshot, an Office 365 calendar invite, a MacOS settings window) but it was certainly easier to read broken up into my own text annotations followed by screenshots. Of course I know that it would be easy to change the content of an email screenshot, but it does look more legitimate to the average client as a screenshot rather than just endless lines of text that can easily be edited my anyone. It's also a lot easier to read.

              There's still no excuse for compressing imported images so much; it's not like we are loading 20 floppy disk drives in to do one task anymore; we all have plenty of storage.

              LibreOffice handles the importing of text fine, but it's when you come to colours (they are completely different), page layouts, overlapping elements that it fails in being able to import. For example a client recently sent me a multi-coloured word document that would be the homepage of their website where the colours have to be exactly right.

              The situation is far from ideal but you just end up using the software that best equips you personally to get your own job done.

              1. Captain Scarlet Silver badge

                Re: Tried Libre about 3 weeks ago....

                "my own text annotations"

                Right ok from the first post I just assumed just slapping screenshots of emails on. If you are breaking up the images and making annotations then I have to agree a Word processor is the best tool for the job.

                Personally MS Office annoys me with how badly it bloats documents with any image elements, any documents I paste screenshots I find I then have to use the compress image tool (Also I no idea how LibreOffice handles it, so I can't comment on that).

      2. Palpy

        Re: Tried Libre ... screenshots.

        Hm. I embed a whopping lot of images, including screenshots, but all are cropped and notated and therefore saved as jpg or png. Or pdf. No problems with LibreOffice there, images clear and sharp.

        Before I retired I created a lot of docs with images, but there again, they were more or less elaborately notated and altered using other programs.

    5. rg287

      Re: Tried Libre about 3 weeks ago....

      ... and as far as this person is concerned, who needs MS office and why?

      Mostly right. I did become acutely of just how refined Excel is under the hood not so long ago when someone sent me a huge file with >100k rows.

      Excel for Mac didn't miss a beat. LibreOffice Calc died on it's arse.

      I will concede that there's a case to be made for not handling that sort of data in Excel in the first place, but obviously shifting technologies can be an expensive and time-consuming endeavour for a long-standing workflow (more than the cost of an Excel licence!). If nothing else though, it gave me an appreciation of the work and pride that the Excel dev team have obviously put in over the years developing a very slick, efficient application that - to a casual observer - is easily replaced with LibreOffice, but in truth will outpace the alternatives when you load it up heavily.

      For the 99th percentile however, spot on. LibreOffice provides more than adequate support for Word Processing, Spreadsheets and presentations, though at a meetup I frequent it seems a lot of people are using Google Slides or the Live version of Powerpoint to run presentations these days rather than a local client - makes sharing slides/notes trivial afterwards.

      1. Anonymous Coward
        Anonymous Coward

        Re: Tried Libre about 3 weeks ago....

        I just opened a 150K row spreadsheet in Calc and it seems OK. I've had problems in Excel with large spread sheets but I think that was more down to memory limits on the PC than Excel.

        1. Captain Scarlet Silver badge

          Re: Tried Libre about 3 weeks ago....

          Its just a way to make Accountants go "BAH WE NEED BIGGER SPREADSHEETS BUY NEW VERSION NOW!!!!"

      2. imanidiot Silver badge

        Re: Tried Libre about 3 weeks ago....

        I'm of the opinion that if you're using that many row in an excel sheet you shouldn't be using excel but something more adapt at handling massive data sets and complex math operations on those sets. Something like MatLab ($$$, great documentation and service) or SciLab (Free, open source, but terrible documentation) or something along those lines. Much faster, and allows all kinds of funky stuff that is sometimes hard to pull off in excel.

        1. Joe Montana

          Re: Tried Libre about 3 weeks ago....

          This is very true, however many people who are expected to perform such tasks are given a standard corporate desktop on which excel is the closest they have. Instead of trying to find an appropriate tool for the job, they make do with what they have.

      3. Palpy

        Re: Excessively large spreadsheets...

        Yes. Older versions of Office had a fairly stringent limitation on rows. That was much eased at some point. I would not be surprised if Libre and Open Office still have similar limits, but I haven't tested it.

        Well, huge spreadsheets are unwieldy, whether in Exel or Libre. No way around it. Sometimes if you just want a simple calc on a column it's ergonomic to use a spreadsheet application, though.

        When I was still working, large -- million-line -- data sets were mostly useful to me when visually scanning for patterns or anomalies. Trending large data sets in Excel is worthless. Worthless. You can wait 5 minutes for a big trend to refresh when you zoom it. I used KST2, which trends multi-million line csv files beautifully, and allows virtually instantaneous zooming and scrolling.

        Our data guy expressed vituperative hatred for Excel, and used profession stat analysis tools exclusively.

        But one does what one must. Sometimes one does not want to learn a complex new application just to do one thing.

    6. the spectacularly refined chap

      Re: Tried Libre about 3 weeks ago....

      I'm in two minds. One thing I do notice when switch between Libre/OpenOffice and MS Office is that the free alternatives are painfully slow in comparison. I hate to say it but it is one thing MS have got right.

      On the other hand MS are doing their level best to make using Office as slow and cumbersome as possible with stupid UI decisions, whether it be the Ribbon and the constant tab switching that involves or the "Shove more service in your face" decisions such as presenting cloud storage almost as the default save location and making navigating local directory hierarchies a ballache.

      1. Peter X

        Re: Tried Libre about 3 weeks ago....

        painfully slow in comparison

        LibreOffice 6-something on Ubuntu 18.04 seems kind of slow opening and saving pretty simple spreadsheets (48K spreadsheet, 2 actual sheets, 1 with chart, the other with ~365 rows with ~ 6 columns).

        Not insane slow, but we're talking 4 or 5 seconds which is just annoying really.

        I'm thinking about going back to LO 5, not least because there's also a problem with the chart-wizard on the Ubuntu/LO6 build.

    7. elgarak1

      Re: Tried Libre about 3 weeks ago....

      Sadly, a lot of people expect that document submission and discussion needs to be done with .doc/.docx. Now, you and I probably know that this is foolish as the file format is ill-suited for exchange (for instance, but not limited to, having serious machine and work history dependent content that has nothing to do what is intended to be exchanged), and frequently can result in corruption.

      If this happens, and you admit not using Word, guess who gets the blame. (Never mind that one can produce a .doc/.docx file without using Word, and THAT file is nearly foolproof to be not corrupted. But once this file has been going through a Word install, all bets are off.)

    8. Carpet Deal 'em
      Big Brother

      Re: Tried Libre about 3 weeks ago....

      One word: Outlook. The rest of the Office suite is and always was easily replaced, but I don't know of any other email clients that offer anything approaching Outlook's feature set.

      1. jelabarre59 Silver badge

        Re: Tried Libre about 3 weeks ago....

        One word: Outlook. The rest of the Office suite is and always was easily replaced, but I don't know of any other email clients that offer anything approaching Outlook's feature set.

        I don't know, would have preferred if Microsoft had gome with Mozilla's engine rather than Chromium/blink when they gave up on Edge. They could have used the same codebase (Thunderbird) to replace Outlook (really would only need to fine-tune the Exchange extension)

  3. JohnFen Silver badge

    Of course

    LibreOffice became superior to OpenOffice in pretty much every way years ago.

    1. WonkoTheSane
      Thumb Up

      Re: Of course

      "LibreOffice became superior to OpenOffice in pretty much every way years ago."

      I'd say that occurred almost immediately after LibreOffice was forked.

    2. Charlie Clark Silver badge

      Re: Of course

      At least on MacOS I find LibreOffice to have more features but also lots more bugs, making it much less reliable. It also has an absolutely awful UI. The licence switch in LibreOffice has also made it much more difficult to share code which is a practical issue since LO has received grants for work that is supposed to be for both projetcs,

      Much as it pains me to say it: Microsoft has got lots of things right in Office >= 2016, which I have for compatibility testing. And Microsoft just owns mobile.

      1. Julz

        Re: Of course

        I guess that is in the UI of the beholder.

      2. Anonymous Coward
        Anonymous Coward

        Re: And Microsoft just owns mobile

        As a (soon to be former) user of Windows Phone / Windows Mobile, please excuse me when I say, 'wtf?'

        1. Charlie Clark Silver badge

          Re: And Microsoft just owns mobile

          please excuse me when I say, 'wtf?'

          To be clear: Microsoft owns Office on mobile. This is why they could afford to kill Windows Phone.

      3. Paul Shirley

        Re: Of course

        It's quite astonishing how Microsoft can suddenly improve when competition comes knocking on the door. Or not.

    3. TVU Silver badge

      Re: Of course

      "LibreOffice became superior to OpenOffice in pretty much every way years ago"

      The ultimate logic of this whole situation is for OpenOffice to be merged with LibreOffice which is the most efficient thing to do under the circumstances.

      If someone really needs MS compatibility then other options are available to like WPS/Kingsoft Office, Softmaker Office, FreeOffice and OnlyOffice.

      1. JohnFen Silver badge

        Re: Of course

        "The ultimate logic of this whole situation is for OpenOffice to be merged with LibreOffice which is the most efficient thing to do under the circumstances."

        Why? What would be the benefit of that?

        1. Charlie Clark Silver badge

          Re: Of course

          OpenOffice actually got some pretty nice stuff from IBM's Symphony project.

          1. JohnFen Silver badge

            Re: Of course

            OK, but that isn't an argument for merging the two. I think we need more software diversity, not less.

            1. Charlie Clark Silver badge

              Re: Of course

              The only argument for the split was that it was unclear what Oracle was going to do with it. In the end it spat it out. When it comes to Office software packages there is quite a choice, not sure I really follow the logic of wanting to keep the split going for that reason. There might be other technical reasons for maintaining it but a common core with reciprocal licensing would be a good idea.

              1. JohnFen Silver badge

                Re: Of course

                "When it comes to Office software packages there is quite a choice"

                Is this actually true? It doesn't look like it from where I sit.

                "not sure I really follow the logic of wanting to keep the split going for that reason"

                I wasn't proposing that as a strong reason, merely a sufficient reason in the absence of a good argument for merging them. What you say here approaches being a good argument.

                1. Charlie Clark Silver badge

                  Re: Of course

                  MS Office, Libre & Open, Softmaker, Apple's stuff, Google's online stuff, the Gnome and KDE toys. More importantly, toolchains are replacing Office for a lot of tasks (things like Jupyter + Pandas instead of Excel) so the need for MS Office to get stuff done is declining, though it's still used for reporting and interchange.

                  1. JohnFen Silver badge

                    Re: Of course

                    Hmm. Perhaps we're talking about different things here. I see the options as being MS Office, Libre & Open. I don't know anything about Softmaker, though, so that might count too. Apple's stuff doesn't count because that's Apple-only, Googles (or Microsoft's) online stuff doesn't count to me at all (a web service does not adequately replace a native application of this sort), and the Gnome and KDE toys don't even come close -- they are good, but really aimed at an entirely different use case.

                    I'll admit that I haven't done a comprehensive survey of options, though, so I'm likely simply ignorant of them. LibreOffice meets my needs very well, so I have no motivation to look at alternatives.

              2. MacroRodent Silver badge

                Re: Of course

                The only argument for the split was that it was unclear what Oracle was going to do with it

                As I remember it, other reasons included difficulty of getting contributions to OpenOffice, and an ultra-painful build system. After the split, the LibreOffice developers did a lot of cleaning up and replaced the build system. As a result, some LibreOffice releases are less bloated and faster than their predecessors, which is practically unheard of in software development!

                The cleanups and refactoring probably also make it impossible to consider any common core. At this stage, the best solution is to just rm -rf OpenOffice .

        2. jelabarre59 Silver badge

          Re: Of course

          "The ultimate logic of this whole situation is for OpenOffice to be merged with LibreOffice which is the most efficient thing to do under the circumstances."

          Why? What would be the benefit of that?

          I've tended to look at OpenOffice as the semi-official "reference implementation" for the OpenDocument specification. Not necessarily meant to be actually used in real-world application, but just to define an example of how the specification could be used.

  4. Grease Monkey

    Spoilers?

    "Before attempting to guess which app has yet to be patched, consider that..."

    ...we told you in the best headline.

  5. Walter Bishop Silver badge
    Linux

    Where is calc.exe on my computer?

    calc.exe

    1. Hans 1 Silver badge
      Happy

      Re: Where is calc.exe on my computer?

      You can do something py-funny like delete the user's homedir, recursively, platform-independently in python, you know ...

  6. Mr Benny

    Someone please explain...

    ... Why is the functionality to run python scripts from within a text document required in the first place? Yes, VBA etc, but I thought

    most people agreed that was a fairly idiotic thing to include into a word processor so why have libre office followed suite with an

    even more powerful scripting language?

    1. Steve Graham

      Re: Someone please explain...

      Abso-bloody-lutely. And if a few users need it, then ship with the functionality disabled by default.

    2. David Nash Silver badge

      Re: Someone please explain...

      Isn't that the point of the article?

    3. vtcodger Silver badge

      Re: Someone please explain...

      It may be unusual to use a scripting language in a text document. I can't recall ever doing that or even wanting to do that. But let me assure you that the folks that control your budget are not going to be pleased if you don't give them a scripting tool in their spreadsheets.

      No, sir.

      Not pleased at all.

    4. Joe Montana

      Re: Someone please explain...

      Because some people actually need macros, although they are generally best avoided...

      If you are going to implement a scripting language in your application, what makes more sense?

      1, inventing your own proprietary scripting language that's only used by your application suite forcing anyone who wants to write macros to learn something new thats not reusable elsewhere.

      2, build on an existing language which is already widely known and supported.

      1. PhilDin

        Re: Someone please explain...

        It certainly makes sense to build on an existing language, an ideal scenario would be that you can plug into any script interpreter on the host system but the universe of the script should begin and end with the loaded document. No accessing the filesystem or remote resources, no requesting permissions or granting signed scripts access; the filesystem and network should just not exist for document scripts.

        If the script runs in a virtualised environment then this sandboxing wouldn't have to depend on the interpreter, it would depend on the host operating system's ability to constrain a process which should be quite well established.

  7. jelabarre59 Silver badge

    correction

    The Register tried to reach two OpenOffice contributors to find out what's going on. We've not heard back.

    There, FTFY.

  8. oooForum
    Thumb Down

    Fake news

    OpenOffice is not vulnerable by this PoC.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019