LibreOffice is a free use and open source office software package that has a relatively large number of users. Recently, web application security specialists reported a flaw that could compromise the integrity of a system by simply opening a malicious file.
According to reports, this condition exists due
to a code execution vulnerability that, if exploited, could allow a hacker to
inject malware into the compromised system after the user interacts with the
specially crafted file. This software package is one of the most popular
alternatives to the use of Microsoft Office suite and is suitable with Windows,
Linux
and macOS systems.
Just a few weeks ago, LibreOffice developers
released the latest version of their software, adding fixes for two severe
vulnerabilities (tracked as CVE-2019-9848 and CVE-2019-9849). However, hackers
managed to develop a method to bypass newly implemented fixes, mentioned web
application security specialists. Although the details of this
“counter-attack” are still unknown, the impact of the vulnerabilities
is known to remain highly considerable.
The first vulnerability (CVE-2019-9848), still
existing in the latest version, resides in LibreLogo, a vector graphics script
that is delivered by default with the LibreOffice package. This feature allows
users to specify pre-installed scripts in a document that will run under
certain circumstances, such as mouse interactions.
As for the vulnerability, it could allow a
hacker to create a malicious document to execute arbitrary python commands
without the victim being able to detect this unauthorized activity. Nils
Emmerich, the researcher who discovered the vulnerability, even released a proof-of-concept
for exploiting this particular flaw.
Exploitation of the second vulnerability
(CVE-2019-9849) would allow the injection of remote arbitrary code into a
document; the flaw persists even if LibreOffice’s “Stealth Mode” is
enabled. This feature is not enabled by default, but users can turn it on to
tell a LibreOffice document to retrieve remote resources only from trusted
locations.
International Institute of Cyber Security
(IICS) web application security specialists recommend potentially affected
users update or reinstall their LibreOffice versions to remove the LibreLogo
component at least until the company releases the full update patches.
