Security Experts:

Hackers Can Exploit LibreOffice Flaw With RTF Files

The developers of the open source office suite LibreOffice informed users this week that they have patched a vulnerability which could allow attackers to execute arbitrary code using specially crafted RTF files.

The vulnerability, found by Cisco Talos researchers and tracked as CVE-2016-4324, affects the RTF parser in LibreOffice. The flaw can be exploited with an RTF document that contains both a stylesheet and a superscript token.

“A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be able to be used to execute arbitrary code,” Cisco said.

The attacker needs to somehow trick the targeted individual into opening a malicious RTF file in order to trigger the exploit. It’s not uncommon for cybercriminals to exploit RTF parser vulnerabilities in Microsoft Office to deliver malware and this flaw shows that such attacks are also possible against LibreOffice users.

The issue has been addressed with the release of LibreOffice 5.1.4. Cisco says there is no evidence that this vulnerability has been exploited in the wild, but users are advised to update their installations to protect themselves against potential attacks.

The developers of various Linux distributions are also analyzing the issue and some have already released package updates to patch the flaw.

This is the third vulnerability confirmed by LibreOffice developers this year. In February, The Document Foundation informed users that researchers from VeriSign’s iDefense Labs had identified a couple of memory corruption bugs that could have been exploited to cause a denial-of-service (DoS) condition using specially crafted Lotus Word Pro files.

Cisco Talos researchers recently identified flaws in many popular products, including the chat client PidginTrane thermostats, and the Lhasa, Libarchive and 7-Zip archivers.

Related Reading: Cisco Finds Backdoor Installed on 12 Million PCs

Related Reading: 3.2 Million Devices Exposed to Ransomware Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.