0patch rolls out micropatch for OpenOffice users

Feb 14, 2019 07:45 GMT

A zero-day vulnerability that was recently discovered in LibreOffice and OpenOffice is finally fixed in both office productivity suites after a micropatch for the latter was published by 0patch.

The bug in LibreOffice was fixed earlier this month with a security update released by The Document Foundation.

Today’s micropatch is available free of charge but is only offered for Windows devices. Linux systems running OpenOffice remain vulnerable to exploits until an official patch is published.

Vulnerability already fixed in LibreOffice, no sign of OpenOffice patch

The Remote Code Execution (RCE) flaw was discovered by researcher Alex Inführ, who noted that attackers can simply rely on a malicious document that includes a Python script to take advantage of mouse-hover actions for macros.

This way, attackers can technically run code on target systems with users doing nothing more than moving the mouse cursor within a document, all without the triggered actions being noticeable.

“Openoffice does not allow to pass parameters therefore my PoC does not work but the path traversal can be abused to execute a python script from another location on the local file system,” the researcher noted in his vulnerability disclosure.
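With no official OpenOffice patch available, incoming documents can be triaged for the pattern described above. The following is an added example, not code from the researcher, 0patch or either office project: it lists script event listeners in an ODF package and flags hover-triggered ones whose script location contains a path traversal. The element and attribute names come from the ODF specification, and the sample hrefs are constructed placeholders.

```python
import html, io, re, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# ODF namespaces for <script:event-listener> and its xlink:href attribute.
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
HOVER_EVENTS = {"dom:mouseover", "dom:mouseout"}

def scan_odf(data: bytes) -> list:
    """Flag script event listeners in an ODF package (.odt, .ods, ...)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in ("content.xml", "styles.xml"):
            if part not in pkg.namelist():
                continue
            # In production, parse untrusted XML with a hardened parser (e.g. defusedxml).
            root = ET.fromstring(pkg.read(part))
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                href = unquote(el.get(f"{{{XLINK_NS}}}href", ""))
                if not href.lower().startswith("vnd.sun.star.script:"):
                    continue
                event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                # The script location is the part before "$function" or "?params".
                path = re.split(r"[$?]", href.split(":", 1)[1])[0]
                findings.append({"part": part, "event": event,
                                 "hover": event in HOVER_EVENTS,
                                 "python": "language=python" in href.lower(),
                                 "traversal": ".." in re.split(r"[\\/]", path)})
    return findings

def build_sample(href: str) -> bytes:
    """Constructed test package: one mouse-over listener with the given href."""
    xml = ('<office:document-content xmlns:office='
           '"urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
           f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
           '<office:event-listeners><script:event-listener '
           'script:language="ooo:script" script:event-name="dom:mouseover" '
           f'xlink:href="{html.escape(href)}"/></office:event-listeners>'
           '</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", xml)
    return buf.getvalue()

# Constructed hrefs: a placeholder traversal path and an ordinary Basic macro.
SUSPICIOUS = "vnd.sun.star.script:../../placeholder/example.py$main?language=Python&location=share"
BENIGN = "vnd.sun.star.script:Standard.Module1.Main?language=Basic&location=document"

if __name__ == "__main__":
    print([scan_odf(build_sample(h)) for h in (SUSPICIOUS, BENIGN)])
```

A finding with `hover`, `python` and `traversal` all true is worth quarantining for manual review; legitimate documents rarely bind macros to mouse-over events at all.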

The micropatch published by 0patch can only be installed for OpenOffice for Windows version 4.1.6. 0patch also rolled out two different micropatches for 32-bit and 64-bit versions of LibreOffice 6.1.2.1.

To deploy the micropatch and resolve the vulnerability in OpenOffice, you first need to install the 0patch Agent from 0patch.com. It’s available free of charge and it doesn’t require a system reboot.

In the meantime, it’s not yet known when an official patch for the OpenOffice bug will be released, but should you decide not to rely on this micropatch to block potential exploits, just make sure you do not open documents coming from sources you don’t trust.