Security in LibreOffice

Office applications, which include programs for word processing, spreadsheets and creating presentations, are among the most frequently used application programs. Due to their widespread use and attack surface, they are often used as a target for cyberattacks. For example, known vulnerabilities are exploited if the programs have not yet been updated, or malware is executed using embedded macros.

LibreOffice is a widely used office application. In August 2022, the BSI presented a cyber security recommendation with measures for the secure use of LibreOffice in managed and unmanaged environments:

Following on from this, security-relevant improvement options were identified, which also represented the objectives for implementation as part of a project:

  • Configuration adjustments to increase security, among other things by deactivating insecure network protocols such as unencrypted HTTP, SMTP and FTP, or by quickly and completely deactivating functions with active content such as DDE commands (Dynamic Data Exchange), macros, LibreLogo scripts and OLE objects (Object Linking and Embedding).
  • The consistent implementation of the possibility of fully automatic installation of updates (under the Windows operating system) as a cornerstone of IT security.
  • Introduction of a so-called Password Strength Meter to increase password security. In this way, passwords to be created can be quickly evaluated based on criteria such as length, randomness and complexity.
  • Support for secure configuration by further improving the expert settings for editing configuration values. This includes the sufficient validation of input values, the marking of finalized values or the implementation of a filter for configuration values that deviate from the default value.
  • Implementation of high-performance document encryption based on modern algorithms for encryption and key derivation.
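The third and fifth list items describe a password strength meter (length, randomness, complexity) and password-based document encryption with a modern key derivation function. The following added example, which is not code from LibreOffice or from the BSI project, shows how such a meter can be built and how a passing password is then turned into a document key. The scoring thresholds, the simplified repetition and sequence penalty, the tiny common-password list and the scrypt parameters are all assumptions made for the illustration, not the settings LibreOffice actually uses.

```python
import hashlib
import math
import os
import string

# Constructed, deliberately tiny block list (assumption for the illustration);
# a real meter would consult a large dictionary of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

# Character classes for the "complexity" criterion, with the pool size each
# class adds to the symbol space an attacker must search per position.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}


def classes_used(password: str) -> list:
    """Names of the character classes that occur in the password."""
    return [name for name, (chars, _) in CLASSES.items() if any(c in chars for c in password)]


def effective_length(password: str) -> float:
    """Length after discounting trivially predictable characters: a repeat of
    the previous character counts 0 and a character continuing a run such as
    'abc' or '321' counts 0.5 (simplified heuristic, assumed here)."""
    effective = 0.0
    prev = None
    for c in password:
        if prev is None or abs(ord(c) - ord(prev)) > 1:
            effective += 1.0          # unrelated to its predecessor
        elif c != prev:
            effective += 0.5          # sequential neighbour (ord differs by 1)
        prev = c                      # exact repeat adds nothing
    return effective


def entropy_bits(password: str) -> float:
    """Randomness estimate: effective length * log2(pool size of classes used).
    Non-ASCII characters count toward length but not toward the pool."""
    pool = sum(CLASSES[name][1] for name in classes_used(password))
    if pool == 0:
        return 0.0
    return effective_length(password) * math.log2(pool)


def rate_password(password: str) -> dict:
    """Score from 0 (unusable) to 4 (strong) based on length, randomness and
    complexity. Only a short or well-known password forces a score of 0; a
    single character class is reported as a warning but long passphrases can
    still score well on entropy alone."""
    bits = entropy_bits(password)
    classes = classes_used(password)
    warnings = []
    if len(password) < 8:
        warnings.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        warnings.append("appears in the common-password list")
    if len(classes) < 2:
        warnings.append("uses a single character class")
    hard_fail = len(password) < 8 or password.lower() in COMMON_PASSWORDS
    if hard_fail or bits < 28:
        score = 0
    elif bits < 40:
        score = 1
    elif bits < 60:
        score = 2
    elif bits < 80:
        score = 3
    else:
        score = 4
    return {"score": score, "bits": round(bits, 1), "classes": classes, "warnings": warnings}


def derive_document_key(password: str, salt: bytes, length: int = 32) -> bytes:
    """Derive a symmetric key for document encryption with scrypt, a memory-hard
    KDF from the standard library. Work factors are illustrative assumptions."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=length)


def prepare_document_key(password: str, min_score: int = 3) -> dict:
    """Refuse weak passwords before any key is derived; return a fresh random
    salt (to be stored with the document) and the derived key, both hex-encoded."""
    rating = rate_password(password)
    if rating["score"] < min_score:
        raise ValueError(f"password too weak (score {rating['score']}): {rating['warnings']}")
    salt = os.urandom(16)
    key = derive_document_key(password, salt)
    return {"salt": salt.hex(), "key": key.hex(), "rating": rating}


if __name__ == "__main__":
    for candidate in ["password", "aaaaaaaaaaaa", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(candidate, rate_password(candidate))
    print(prepare_document_key("correcthorsebatterystaple")["rating"])
```

The meter deliberately separates the hard failures (too short, on the block list) from advisory warnings, so that a long lowercase passphrase is not rejected outright while "aaaaaaaaaaaa" still scores 0 because its effective length collapses to one character. The salt must be stored alongside the encrypted document and a new one generated for every encryption, otherwise identical passwords yield identical keys across files.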

The project initiated by the BSI started in September 2023 and was carried out by two independent contractors. In a first step, the development work in LibreOffice was carried out by the company allotropia software GmbH. An audit of the security features was then carried out by OpenSource Security GmbH.

This ensured a high level of quality: problems could be identified and rectified immediately after development. An additional goal of the project was to examine the extent to which LLMs (Large Language Models) can be used effectively for code analysis. To this end, an LLM evaluated the output generated by a static code analysis tool, and the results were then assessed. The result of the IT security audit is presented in an English-language report: Security Assessment of LibreOffice.

The implemented development work is all available within version 24.8 of LibreOffice, which is scheduled to be generally available from the end of August 2024.