Improvements in LibreOffice security

Thorsten Behrens

Playlists: 'clt24' videos starting here / audio

This talk provides an update on recent and upcoming improvements in LibreOffice that make it safer to operate.

As an office suite with a lot of functionality, as well as lots of ways to throw 'active content' aka macros at it, LibreOffice, just like its commercial brethren, provides a rather large attack surface.

To mitigate that, the German Federal Agency for Computer Security (BSI) has published a best practice handbook for secure deployments of LibreOffice and has funded a number of additional improvements. This talk will showcase the most important ones and provide suggestions for further development and security-hardened deployments:

* fully automatic background updates under Windows
* bulk disabling of active content
* non-overridable admin configurations for all of LibreOffice
* better password security, including much-improved ODF document encryption
* disabling and removal of unsafe network protocols

Alongside the above, the talk will suggest a number of additional best practices for deploying LibreOffice configured as securely as possible.