Third-Party Patch Released for Code Execution Flaw in OpenOffice
An unofficial patch has been made available for a recently disclosed remote code execution vulnerability affecting the Apache OpenOffice open source productivity suite.
The flaw, described as a path traversal issue and tracked as CVE-2018-16858, was disclosed in early February by researcher Alex Inführ. The expert discovered that a hacker could execute code on a system by getting the targeted user to open a specially crafted document that loaded a Python file placed by the attacker anywhere on the system.
The attack involves a document containing a specially crafted link pointing to a Python script. When the victim opens the document and hovers over the link, the malicious code gets executed without any warning message being displayed. In order to avoid raising suspicion and make the attack more likely to succeed, a hacker can create a document where the entire page is filled with links whose color has been set to white – this way the victim only sees a blank page before the exploit is executed.
Inführ says the vulnerability affects both LibreOffice and OpenOffice. However, LibreOffice developers released a patch less than two weeks after being notified.
OpenOffice developers, on the other hand, do not appear to have issued any fixes and have not made any comments on the vulnerability. SecurityWeek reached out to them more than one week ago, but received no response.
ACROS Security’s 0patch service has released an unofficial patch for OpenOffice to address this vulnerability. The micropatch can be applied to the latest version of OpenOffice for Windows. Micropatches have been released for LibreOffice as well.
0patch has published a video showing an exploit attempt without and with the patch applied.