Weird Unofficial LibreOffice Version Shows Up in the Microsoft Store

A unofficial version of LibreOffice shows up in the Microsoft Store. The app was published by an obscure developer under the name ".net." There is no additional information about the developer. Clicking on the URL takes you to another app by the developer named "dress my doll."

How did this app make it into the store? Given the volume of apps submitted to Microsoft Store, App Store, and Google Play, it's virtually impossible for these vendors to vet each app manually. They all have an automated process.

Microsoft also has a certification process (https://docs.microsoft.com/en-us/windows/uwp/publish/the-app-certification-process): "When you finish creating your app's submission and click Submit to the Store, the submission enters the certification step. This process is usually completed within a few hours, though in some cases it may take up to three business days. After your submission passes certification, it can take up to 24 hours for customers to see the app's listing for a new submission, or for an updated submission with changes to packages. If your update only changes Store listing details, the publishing process will be completed in less than an hour. You'll be notified when your submission is published, and the app's status in the dashboard will be In the Store."

It's not clear if Microsoft also validates the authenticity of the app. It's not surprising that an app like LibreOffice would slip through the certification process and be available to users. Since LibreOffice is a fully open source project, anyone can compile it and redistribute the app, as long as they follow the terms of the license.

I reached out to The Document Foundation (TDF), the organization responsible for LibreOffice, and Italo Vignoli, one of the cofounders of TDF told me, "The Document Foundation has been made aware of an unofficial version of LibreOffice on the Windows [Microsoft] Store. We are investigating further, but we want to be clear: This is not an official version created by The Document Foundation, so the app's page is misleading. The only official source of the software (which can be downloaded for free, i.e., without any cost for the end user) is the LibreOffice website (https://www.libreoffice.org/). Also, the money from the Microsoft Store version is not collected by The Document Foundation."

My advice is to not download and install the app from Microsoft Store as we are unsure if there is any malicious code in it. Microsoft says it checks for malicious code before any app is published; it's better to be safe than sorry.

New Version of the Spectre Vulnerability Allows Attack from the Network

Monthly reports of new Spectre-related vulnerabilities are keeping security experts busy. Now a team of security researchers at the Graz University of Technology (Austria) has discovered another flaw, dubbed NetSpectre, that allows attacks over the network.

The crux of Spectre vulnerabilities is the way modern CPUs speculate on which workload will run next to improve performance. According to the team, "During speculative execution, the processor may perform operations the program usually would not perform. While the results of such operations are discarded if the speculative execution is aborted, microarchitectural side effects may remain."

Attackers exploit these side effects to read memory contents. Previous versions of the Spectre attack have required some kind of local code executive to launch the attack, but the latest discovery changes that.

"NetSpectre marks a paradigm shift from local attacks to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks. Spectre attacks now must also be considered on devices which do not run any potential attacker-controlled code at all," wrote the researchers.

The team informed Intel back in March, and Intel has patched the problem during previous patches released by the company. The best available defense is to keep your systems up to date and install all security patches.

SUSE Sold for $2.5 Billion

SUSE is like a seasoned football player who changes ownership after a few successful seasons. This time the Swedish group EQT is buying SUSE from British-owned Micro Focus. This is the fourth sale of SUSE since its inception in 1992, a year after Linus Torvalds announced the Linux kernel.

What's different this time is that SUSE is being acquired by an investment firm and not a tech company. SUSE CEO, Nils Brauckmann, sees this as a move towards independence, with the company charting its own course instead of being a business unit of another tech company. "By partnering with EQT, we will become a fully independent business," said Brauckmann. "Together with EQT, we will benefit both from further investment opportunities and having the continuity of a leadership team focused on securing long-term profitable growth combined with a sharp focus on customer and partner success."

SUSE is well aware of the fact that the open source community will be keeping a close eye on this development. In a Hangout chat, Richard Brown, openSUSE Board Chairman, and the face of openSUSE community, told me that he received a phone call from Brauckmann updating him with the news and also reassuring him that nothing will change when it comes to open source and community engagement.

"As a SUSE employee, I'm excited about my employer's new owners. As an openSUSE Contributor, I'm not only excited, but thrilled at the proactive steps SUSE has taken to reassure the community, which really shows just how well SUSE understands how to operate as part of the open source world," Brown said.

In case you are curious, EQT is an investment firm with approximately EUR50 Billion in raised capital across 27 funds. EQT has portfolio companies in Europe, Asia, and the US with total sales of more than EUR19 Billion and approximately 110,000 employees.