Blog

Metadefender Now Supports Content Disarm and Reconstruction for OpenDocument Text

Open Sign

Instead of purchasing the widely used Microsoft Office suite, many users opt to use the free alternatives LibreOffice or Apache OpenOffice. However, these open-source software products contain many vulnerabilities that attackers can use to infect endpoints.

To help keep OpenOffice and LibreOffice users secure, OPSWAT data sanitization (CDR) now supports OpenDocument Text files (ODT), and we are working on adding support for OpenDocument Spreadsheet (ODS) and OpenDocument Presentation (ODP) as well. Data sanitization, or Content Disarm and Reconstruction, removes potentially malicious content from files so that attacks using those files do not work.

OpenDocument Usage and Vulnerabilities

OpenDocument format, the sort name of Open Document Format for Office Applications (ODF), is an XML-based file format used by the two most popular open-source office software suites, Apache OpenOffice and LibreOffice. Both include applications analogous to Microsoft Office applications.

OpenOfficeMicrosoft Office
Writer (ODT)Word (DOC, DOCX)
Calc (ODS)Excel (XLS, XLSX)
Impress (ODP)PowerPoint (PPT, PPTX)

File formats are in parentheses

Both OpenOffice and LibreOffice are used widely, since they are entirely free of any license fees. Their user base comes from all walks of life and includes users in business environments. To illustrate how widely these programs are used: LibreOffice had 310,491 downloads of version 5.2 in a week after releasing, and 410,472 downloads of version 5.3 in a week after release.

However, each release version of these applications also contains many vulnerabilities that can be exploited.

Apache OpenOffice Patched CVEs Bar Graph

Number of patched CVEs in Apache OpenOffice
source: https://www.openoffice.org/security/bulletin.html

LibreOffice Patched CVEs Bar Graph

Number of patched CVEs in LibreOffice
source: https://www.libreoffice.org/about-us/security/advisories/

These vulnerabilities are often highly serious in nature, and because developers working on the projects are volunteers, patches may be delayed. In July 2016, for instance, OpenOffice put out a warning about a vulnerability that had no fix until late August 2016. The vulnerability allowed attackers to execute arbitrary code. At the time Jon Brodkin of Ars Technica noted that "concerns about fixing future security problems remain."

Defend Against Exploits: Content Disarm and Reconstruction for OpenDocument

OPSWAT MetaDefender data sanitization (CDR) now supports OpenDocument Text (ODT) to prevent unknown threats from infecting end user machines through vulnerabilities. The data sanitization process removes objects that may be used by attackers to download and execute malware, such as macros, hyperlinks, embedded objects, and scripts.

A beta version of data sanitization (CDR) for ODT is available on MetaDefender Core v4 and will be on MetaDefender Core 3.14.3 soon.

In the near future, we will add support for OpenDocument Spreadsheet and OpenDocument Presentation.

We are excited to keep adding to the number of file types our data sanitization supports, and to help keep a wider variety of end users, endpoints, and networks secure.

If you have any feedback or questions about this new functionality, please contact us and let us know.

Coming soon: Deep dive on OpenDocument data sanitization