LibreOffice Urges Users to Update Following Newly Discovered Vulnerabilities
LibreOffice, a widely used open-source office suite, has released an urgent update to its software, versions 6.2.6 and 6.3.0, in response to a series of critical vulnerabilities. The patches address three newly discovered security flaws that could potentially enable attackers to circumvent existing defenses against previously identified vulnerabilities.
The update comes on the heels of growing concerns within the cyber community, especially as LibreOffice is a favored alternative to Microsoft Office, providing compatibility across Windows, Linux, and macOS platforms. Recent reports from The Hacker News have underscored the risks, indicating that users who do not update may expose themselves to significant threats.
One of the primary vulnerabilities, identified as CVE-2019-9848, pertains to a code execution flaw within LibreLogo, a built-in programmable vector graphics tool. This vulnerability allows attackers to craft malicious documents capable of silently executing arbitrary Python commands without alerting the user. Despite previous attempts to patch this issue, recent disclosures revealed that the solutions were inadequate, enabling researchers to exploit two new vulnerabilities that re-enable the attack vector.
The first associated vulnerability, tracked as CVE-2019-9850, arises from insufficient URL validation. Discovered by security researcher Alex Inführ, this weakness permits malicious scripts to exploit the protection mechanisms intended to address the earlier flaw. By manipulating URL structures, attackers can directly invoke LibreLogo through script event handlers, thus reintroducing the threat.
Another vulnerability, labeled CVE-2019-9851, was identified by Gabriel Masei. This issue lies within the functionalities that allow documents to specify pre-installed scripts, similar to LibreLogo. These scripts can be activated by global events, such as when a document opens, creating additional avenues for exploitation.
Furthermore, the patch for a prior vulnerability—CVE-2018-16858, which was addressed in February—has also been successfully bypassed. This vulnerability allowed directory traversal attacks, enabling attackers to execute scripts from arbitrary locations on a user’s file system. A related flaw, CVE-2019-9852, discovered by researcher Nils Emmerich, reveals that an encoding attack could again compromise the earlier patch, allowing the directory traversal or remote code execution capabilities to return.
Businesses utilizing LibreOffice are strongly advised to apply these updates promptly to mitigate potential risks. Failure to do so puts organizations at risk of remote attackers executing harmful commands on compromised systems, simply by tricking users into opening maliciously crafted documents.
In terms of potential tactics and techniques utilized during these attacks, the MITRE ATT&CK framework provides an insightful lens. Notable tactics that may apply include initial access through malicious document exploitation, persistence via the use of scripting languages, and privilege escalation through command execution from within documents. It is essential for business owners to remain vigilant and proactive, ensuring that their software is always up to date to protect against evolving cyber threats.
As the cybersecurity landscape continues to evolve, staying informed and prepared is paramount for all organizations.