Skip to main content

Security Flaw Found In Open Source Office Program LibreOffice

By August 10, 2019May 16th, 2022Cybersecurity

Do you use LibreOffice? It’s an open source clone that’s functionally similar to Microsoft Office that has grown quite popular over the years. It is available for Windows, macOS and Linux systems.

While open-source software solutions generally have the reputation of being safer and more secure, they’re not immune to vulnerabilities.

Recently, a pair of serious un-patched code execution vulnerability has been discovered that could result in malware being installed on your system if you’re not careful. In order to take advantage of the flaw, a hacker would need to create a special “poisoned” LibreOffice document and use social engineering tricks to convince you to open it.

While the company behind LibreOffice moved quickly to patch their software, independent security researcher Alex Infuhr has reported that the patch only corrected one of the two issues.  In addition, he was able to find a way around the company’s fix for the second.

The first vulnerability resides in LibreLogo, which is a programmable vector graphics script that ships by default with LibreOffice.  It allows users to specify pre-installed scripts in a document that can be executed on various events, such as a click or even a mouse hover.

The second issue could allow the inclusion of remote, arbitrary content within a document, even when “Stealth Mode” is enabled.  Note, however, that stealth mode is not enabled by default, but users can activate it to instruct documents to retrieve remote resources only from trusted locations. This is the issue that LibreOffice tried to fix but Infuhr found a way around.

If you want to protect your system from this issue, the best thing you can do would be to manually disable the LibreLogo component by opening the setup to begin the installation, then:

  • Select “Custom” installation
  • Expand “Optional Components”
  • Click on “LibreLogo” and select “This Feature Will Not Be Available.”
  • Then click “Next” and install the software.

That should take care of it!

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.