LibreOffice Vulnerable to Remote Code Execution Flaw

Attack is triggered by a hovering mouse

Security researcher Alex Inführ has discovered a vulnerability in OpenOffice and LibreOffice that allows remote code execution.

In a blog post, Inführ wrote that he found a way to achieve remote code execution as soon as a user opens a malicious ODT file and moves their mouse over the document, without triggering a warning dialog.

He demonstrated a proof of concept in which he created a hyperlink and changed its color from the default blue to white so it would not raise suspicion. The link covered the whole page, increasing the chance of the user hovering the mouse over it. No click was needed: hovering the mouse over the hyperlink was enough to execute the payload.

The culprit here is the Python interpreter (pydoc.py) that comes with LibreOffice. It accepts commands and executes them via the command line.

LibreOffice has already released a patch; a patch is also available for Windows versions of OpenOffice.
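
For triage of received documents, the pattern described above (a hyperlink that carries a mouse-over script handler) can be checked for in an ODT's content.xml. This is an added example, not code from Inführ's post or from the LibreOffice project; it relies on the OpenDocument format's standard event-listener markup, and the sample document, the `vnd.sun.star.script:PLACEHOLDER` target and the size cap are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace URIs from the OpenDocument specification.
TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
XLINK = "http://www.w3.org/1999/xlink"
MAX_CONTENT_BYTES = 50 * 1024 * 1024  # assumed cap against decompression bombs


def find_scripted_links(odt_bytes):
    """Return (event_name, script_href) for each event listener on a hyperlink."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as archive:
        if archive.getinfo("content.xml").file_size > MAX_CONTENT_BYTES:
            raise ValueError("content.xml is suspiciously large")
        # For untrusted files in production, parse with a hardened XML parser.
        root = ET.fromstring(archive.read("content.xml"))
    hits = []
    for link in root.iter("{%s}a" % TEXT):
        for listener in link.iter("{%s}event-listener" % SCRIPT):
            hits.append((listener.get("{%s}event-name" % SCRIPT),
                         listener.get("{%s}href" % XLINK)))
    return hits


def build_sample(with_listener):
    """Build a constructed, minimal ODT in memory (placeholder script target)."""
    listener = (
        '<office:event-listeners><script:event-listener '
        'script:language="ooo:script" script:event-name="dom:mouseover" '
        'xlink:href="vnd.sun.star.script:PLACEHOLDER"/></office:event-listeners>'
    ) if with_listener else ""
    content = (
        '<office:document-content xmlns:office="%s" xmlns:text="%s" '
        'xmlns:script="%s" xmlns:xlink="%s"><office:body><office:text><text:p>'
        '<text:a xlink:href="https://example.invalid/">%slink</text:a>'
        '</text:p></office:text></office:body></office:document-content>'
    ) % (OFFICE, TEXT, SCRIPT, XLINK, listener)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        archive.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("hover listener", True), ("plain link", False)):
        print(label, find_scripted_links(build_sample(flag)))
```

Any hit whose event name is `dom:mouseover` fires without a click, so a document that reports one deserves inspection before it is opened in an unpatched installation.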

02/13/2019
