LibreOffice Can Be Abused for Malware Distribution Just like Microsoft Office
Just like many of the apps from the Microsoft Office collection, open-source office suite LibreOffice can be an attractive target for malware coders if enough vulnerabilities provide them with a way to infect end users.
For the past few years, LibreOffice has made a name for itself as the open-source alternative to Microsoft’s Office suite, with a very large feature set and an ever-growing user following, sometimes even among official government agencies.
At the same time, security researchers from the Cisco Talos team are known to find, disclose, and help fix major security vulnerabilities in some of the biggest and most used open-source projects around.
Previously, the team discovered critical vulnerabilities in 7-Zip, the Libarchive project, and the Graphite font processing library, most of them unknown projects but which have been embedded into some of the world’s largest applications, ranging from Firefox to the Linux OS.
CVE-2016-4324 – Use After Free vulnerability in LibreOffice
These researchers have now taken LibreOffice in their sights. According to their latest advisory, the LibreOffice project has just patched a serious vulnerability that, in theory, makes the application attractive to hackers, who can use it to spread malware in the same way they abuse Microsoft Word.
Everybody has received by now at least one malicious Word document attached to spam email, which, when downloaded and executed, will install malware on their system through one Office exploit or another.
Cisco Talos researchers discovered CVE-2016-4324, which is a Use After Free security vulnerability in the way LibreOffice parses RTF files.
Exploitation is trivial, but a second-stage exploit is needed
Crooks can craft malicious RTF files, which, when the user opens them, will allow them to access a previous location of LibreOffice’s allocated memory, where crooks can store and execute malicious code.
Exploiting this vulnerability is simple, with crooks needing to add both a stylesheet and superscript element inside the RTF file, along with the code they want to execute.
These types of vulnerabilities are called RCE (Remote Code Execution) and are the most sought-after bugs, allowing crooks to literally take over the device by executing code in the application’s context.
A large number of LibreOffice bugs will make the app an attractive target
The Office suite is riddled with these types of bugs, which, even if they require user interaction (opening the file) and second-stage exploits (to elevate privileges), are constantly used by both cyber-espionage groups and your regular day-to-day malware coders.
“Although the [RTF] format standard has not evolved since 2008, the format remains widely supported by word processing suites,” Cisco’s Aleksandar Nikolic writes. “Attackers have previously exploited RTF parser vulnerabilities in MS Office, and used RTF files as a vector for embedding other malicious objects.”
The good news is that Cisco hasn’t detected any malware campaigns abusing this flaw and that the LibreOffice team has quickly patched the issue in its latest versions (22.214.171.124/126.96.36.199 RC1).
Nevertheless, a rising number of vulnerabilities, coupled with LibreOffice’s growing success, will no doubt grab the attention of threat groups looking to broaden their attack vector. Taking into account that RTF files are a common method for delivering malware, it never hurts to add a secondary payload, just in case the file is opened with LibreOffice instead of Office.
Source | SoftPedia