While open-source software solutions generally have the reputation of being safer and more secure, they’re not immune to vulnerabilities.
Recently, a pair of serious vulnerabilities was discovered in LibreOffice that could result in malware being installed on your system if you're not careful. To take advantage of the flaws, an attacker would need to craft a special "poisoned" LibreOffice document and use social engineering tricks to convince you to open it.
While the project behind LibreOffice moved quickly to patch its software, independent security researcher Alex Infuhr reported that the patch corrected only one of the two issues. In addition, he was able to find a way around the project's fix for the second.
The first vulnerability resides in LibreLogo, a programmable vector (turtle) graphics script that ships enabled by default with LibreOffice. LibreOffice lets a document bind pre-installed scripts, LibreLogo among them, to events such as a click or even a mouse hover, and runs them without prompting. Because LibreLogo translates its commands into Python and executes them, a document that wires a LibreLogo call to a hover event can run attacker-chosen code the moment the mouse passes over the right element.
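As an added example that is not part of the original article, the following Python script shows the kind of check a defender can run on incoming documents: it unpacks an ODF file (the zip container LibreOffice uses), walks its XML parts for event listeners whose target is a LibreOffice script URI, and flags any that name LibreLogo. The sample document it scans is constructed inline for the demo; the event-listener markup, the `dom:mouseover` event name and the `vnd.sun.star.script:` href format are assumptions modelled on the ODF event-listener syntax, not details taken from the article.

```python
"""Scan an ODF document for event-bound script invocations (added example).

Not code from the original article. The ODF structure below (content.xml,
<script:event-listener> elements with an xlink:href) follows the ODF
event-listener syntax; the specific LibreLogo href used in the demo document
is an assumption for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List
from xml.sax.saxutils import escape

NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
SCRIPT_URI_PREFIX = "vnd.sun.star.script:"   # LibreOffice scripting-framework URI scheme
PARTS_TO_SCAN = ("content.xml", "styles.xml")  # parts that may carry event listeners


def find_script_listeners(odf_bytes: bytes) -> List[dict]:
    """Return one record per event listener whose target is a script URI.

    For documents from untrusted senders, parse with defusedxml instead of
    the stdlib parser and cap member sizes before reading the zip.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in PARTS_TO_SCAN:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for listener in root.iter(f"{{{NS_SCRIPT}}}event-listener"):
                href = listener.get(f"{{{NS_XLINK}}}href", "")
                if not href.startswith(SCRIPT_URI_PREFIX):
                    continue  # plain hyperlink or non-script target
                findings.append({
                    "part": part,
                    "event": listener.get(f"{{{NS_SCRIPT}}}event-name", ""),
                    "href": href,
                    "librelogo": "librelogo" in href.lower(),
                })
    return findings


def is_suspicious(odf_bytes: bytes) -> bool:
    """True if any event listener in the document reaches LibreLogo."""
    return any(f["librelogo"] for f in find_script_listeners(odf_bytes))


def build_sample_odt(event_href: str) -> bytes:
    """Construct a minimal ODT (demo input, not a real-world sample) whose
    single hyperlink fires `event_href` on mouse-over."""
    content = f"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:script="{NS_SCRIPT}"
    xmlns:xlink="{NS_XLINK}">
  <office:body><office:text>
    <text:p>
      <text:a xlink:href="https://example.invalid/">hover me
        <office:event-listeners>
          <script:event-listener script:event-name="dom:mouseover"
              xlink:href="{escape(event_href)}"/>
        </office:event-listeners>
      </text:a>
    </text:p>
  </office:text></office:body>
</office:document-content>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the mimetype member first and stored uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
    return buf.getvalue()


# Assumed LibreLogo script URI (illustrative; the exact form is an assumption).
LIBRELOGO_HREF = ("vnd.sun.star.script:LibreLogo|LibreLogo.py$run"
                  "?language=Python&location=share")

if __name__ == "__main__":
    for label, href in (("poisoned", LIBRELOGO_HREF),
                        ("benign", "https://example.invalid/page")):
        doc = build_sample_odt(href)
        print(label, "suspicious" if is_suspicious(doc) else "clean",
              find_script_listeners(doc))
```

The check deliberately keys on the script URI scheme rather than only on the string "LibreLogo", so it also surfaces any other pre-installed script a document binds to an event; review those hits by hand.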
The second issue allows remote, arbitrary content to be pulled into a document even when "Stealth Mode" is enabled. Stealth Mode is not enabled by default; users can turn it on to instruct LibreOffice to retrieve remote resources only from trusted locations. This is the issue LibreOffice tried to fix and that Infuhr found a way around.
If you want to protect your system from the LibreLogo issue, the best thing you can do is manually disable the LibreLogo component. Run the installer, then:
- Select “Custom” installation
- Expand “Optional Components”
- Click on “LibreLogo” and select “This Feature Will Not Be Available.”
- Then click “Next” and install the software.
That should take care of the LibreLogo issue. Keep in mind that it does nothing for the remote-content problem, whose fix Infuhr was able to bypass, so update LibreOffice as soon as a complete patch ships and be wary of opening documents from senders you don't trust, Stealth Mode or not.