
Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again

August 17, 2019

If you are using LibreOffice, you need to update it once again.

LibreOffice has released the latest version 6.2.6/6.3.0 of its open-source office software to address three new vulnerabilities that could allow attackers to bypass patches for two previously addressed vulnerabilities.

LibreOffice is one of the most popular open-source alternatives to the Microsoft Office suite and is available for Windows, Linux and macOS systems.

One of the two vulnerabilities, tracked as CVE-2019-9848, that LibreOffice attempted to patch just last month was a code execution flaw that affected LibreLogo, a programmable turtle vector graphics script that ships by default with LibreOffice.

This flaw allows an attacker to craft a malicious document that can silently execute arbitrary Python commands without displaying any warning to a targeted user.

Apparently, the patch for this vulnerability was insufficient, as The Hacker News also reported late last month: two separate security researchers were able to bypass it and re-enable the attack by exploiting two new vulnerabilities, as explained below:

  • CVE-2019-9850: Discovered by Alex Inführ, the vulnerability in LibreOffice exists due to insufficient URL validation that allows malicious attackers to bypass the protection added to patch CVE-2019-9848 and again trigger calling LibreLogo from script event handlers.
  • CVE-2019-9851: Discovered by Gabriel Masei, this flaw resides in a separate feature where documents can specify pre-installed scripts, just like LibreLogo, which can be executed on various global script events such as document-open, etc.

The patch for the second vulnerability (CVE-2018-16858) that LibreOffice released in February has successfully been bypassed, re-enabling the directory traversal attack that could allow malicious documents to execute any script from arbitrary locations on the victim’s file system.

  • CVE-2019-9852: Discovered by Nils Emmerich of ERNW Research GmbH, a URL encoding attack could allow attackers to bypass the patch for the directory traversal attack.
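
The class of bug behind a URL-encoding bypass of a traversal check, shown as an added example that is not LibreOffice's code or its actual fix: a filter that inspects the still-encoded reference passes input that the loader later decodes into `..` segments. `SCRIPT_ROOT`, the function names and the sample references are all constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

SCRIPT_ROOT = "/opt/office/share/Scripts/python"  # hypothetical install path

def naive_is_safe(script_ref: str) -> bool:
    """Flawed check: looks for '..' segments before percent-decoding."""
    return ".." not in script_ref.split("/")

def resolve(script_ref: str) -> str:
    """Path a loader would open: decode once, join to the root, normalise."""
    return posixpath.normpath(posixpath.join(SCRIPT_ROOT, unquote(script_ref)))

def hardened_is_safe(script_ref: str) -> bool:
    """Decode until stable, canonicalise, then require containment in the root."""
    decoded = script_ref
    for _ in range(5):              # bounded loop also catches double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return False                # still changing after 5 rounds: reject
    if "\x00" in decoded or "\\" in decoded:
        return False                # NUL bytes and alternate separators
    full = posixpath.normpath(posixpath.join(SCRIPT_ROOT, decoded))
    return full.startswith(SCRIPT_ROOT + "/")

# Constructed sample references (not taken from any real document).
SAMPLES = [
    "pythonSample/TableSample.py",   # legitimate bundled script
    "my%20macros/report.py",         # legitimate, encoded space
    "%2e%2e/%2e%2e/tmp/x.py",        # encoded dot segments
    "%252e%252e/x.py",               # double-encoded dot segments
    "/etc/x.py",                     # absolute path replaces the root on join
]

def compare(refs=SAMPLES):
    """Return (reference, naive verdict, hardened verdict, resolved path)."""
    return [(r, naive_is_safe(r), hardened_is_safe(r), resolve(r)) for r in refs]

if __name__ == "__main__":
    for ref, naive, hard, path in compare():
        print(f"{ref:32} naive={naive!s:5} hardened={hard!s:5} -> {path}")
```

The point for reviewers of any such patch is ordering: validation must run on the same canonical form the file-open call will see, and the final test should be containment in the allowed directory rather than a search for bad substrings.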

By successfully exploiting these three vulnerabilities, a remote attacker can silently execute malicious commands on a targeted computer by convincing the victim to just open a maliciously crafted document file.

LibreOffice users are highly recommended to update their office software to the latest patched version 6.2.6/6.3.0 as soon as possible in order to avoid becoming victims of any attack exploiting these vulnerabilities.


Credit: The Hacker News By: noreply@blogger.com (Swati Khandelwal)
