LibreOffice can make you a hackers victim because a severe unpatched code execution vulnerability. For the next months users should be careful what documents they open with LibreOffice, that’s because LibreOffice contains a severe unpatched code execution vulnerability that could infect your system with malware as soon as you open a maliciously-crafted document file.
If you don’t know already, LibreOffice is one of the most popular alternative to Microsoft Office suite and it’s available for Windows, MacOs and Linux systems.
In July, LibreOffice released the latest version 6.2.5 of its software that addresses two severe vulnerabilities (CVE-2019-9848 and CVE-2019-9849), but the patch for the former has been bypassed, security researcher Alex Inführ claims.
Inführ did not unveil yet the details of the method that allowed him to bypass the patch, the impact of this vulnerability is the same, as explained below.
1.) CVE-2019-9848: This vulnerability, which still exists in the latest version, resides in LibreLogo, a programmable turtle vector graphics script that comes by default with LibreOffice.
LibreLogo allows users to specify pre-installed scripts in a document that can be executed on various events such as mouse-over.
Discovered by Nils Emmerich, the flaw could allow an attacker to craft a malicious document that can silently execute arbitrary python commands without displaying any warning to a targeted user.
“The big problem here is that the code is not translated well and just supplying python code as the script code often results in the same code after translation.”Nils Emmerich
“Using forms and OnFocus event, it is even possible to get code execution when the document is opened, without the need for a mouse-over event.”
Emmerich also released a proof-of-concept for this attack on his blog post.
2.) CVE-2019-9849: This vulnerability, which you can fix by installing the latest available update, could allow the inclusion of remote arbitrary content within a document even when ‘stealth mode’ is enabled.
The stealth mode is not enabled by default, but users can activate it to instruct documents retrieve remote resources only from trusted locations.
How to stay safe
Inführ has already notified LibreOffice team of the bypass issue, but until the team releases a patch to fix the bypass, users are recommended to update or reinstall the software without macros or at least without LibreLogo component, by following the below-mentioned steps.
- Open the setup to start the installation
- Select “Custom” installation
- Expand “Optional Components”
- Click on “LibreLogo” and select “This Feature Will Not Be Available”
- Click Next and then Install the software