The patch for a vulnerability in LibreOffice was ineffective

Alex Inführ, a specialist at Cure53, warned that the patch for a recently fixed vulnerability in LibreOffice can be bypassed.

Worse, this is no minor problem: to exploit the bug, an attacker only needs the victim to open a malicious document in LibreOffice, which may lead to code execution.

“Bypassed successfully the fix of CVE-2019-9848 in LibreOffice 6.2.5. It’s time to write a new email,” wrote Alex Inführ.

Earlier this month, the developers of LibreOffice published an updated version of their product (6.2.5), in which they fixed two serious vulnerabilities – CVE-2019-9848 and CVE-2019-9849.

The vulnerability whose patch Inführ managed to bypass is CVE-2019-9848, originally discovered by security expert Nils Emmerich, who also published a PoC exploit on his blog. The vulnerability is related to the operation of the LibreLogo component, which is installed by default with LibreOffice.


LibreLogo lets users run various pre-installed scripts and tie them to events, for example a mouse hover. Emmerich warned that, using the bug, an attacker could create a malicious document that silently executes arbitrary Python commands without warning the user. Moreover, by using forms and OnFocus, code execution can be achieved simply by opening the document, without the user even moving the mouse cursor.

However, Alex Inführ has not disclosed how he managed to bypass the patch for this flaw. The researcher has already notified the LibreOffice developers about the problem and does not plan to disclose the details until a new fix is released. Until a patch is available, the researcher advises users to stop using macros, or at least disable LibreLogo.
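For triaging incoming documents while no fix is available, the sketch below lists every event in an ODF file that is bound to a script and marks those whose target mentions LibreLogo. It is an added example, not code from the article or the researchers; it assumes event bindings are stored as `script:event-listener` elements in `content.xml` or `styles.xml`, the function names are hypothetical, and the sample package and its script URIs are constructed. It reports the bindings described above and says nothing about the undisclosed bypass.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"

def find_script_bindings(odf_bytes):
    """Return (part, event, href, mentions_librelogo) per script-bound event listener."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as z:
        for part in ("content.xml", "styles.xml"):
            if part not in z.namelist():
                continue
            data = z.read(part)
            # ODF parts need no DTD; reject one rather than let the parser expand entities.
            if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                raise ValueError(f"{part}: unexpected DTD")
            for el in ET.fromstring(data).iter(f"{{{SCRIPT_NS}}}event-listener"):
                href = el.get(f"{{{XLINK_NS}}}href", "")
                if href.lower().startswith("vnd.sun.star.script:"):
                    event = el.get(f"{{{SCRIPT_NS}}}event-name", "")
                    findings.append((part, event, href, "librelogo" in href.lower()))
    return findings

def build_sample(href, prolog=""):
    """Constructed minimal ODF-style package for the demo, not a real document."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>' + prolog +
        '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        f' xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
        '<office:body><office:event-listeners>'
        '<script:event-listener script:language="ooo:script"'
        f' script:event-name="dom:mouseover" xlink:href={quoteattr(href)}/>'
        '</office:event-listeners></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", content)
    return buf.getvalue()

# Constructed hrefs; the name after "LibreLogo/" is a placeholder, not a real script.
FLAGGED = "vnd.sun.star.script:LibreLogo/PLACEHOLDER?language=Python&location=share"
OTHER = "vnd.sun.star.script:Standard.Module1.Main?language=Basic&location=document"

if __name__ == "__main__":
    for href in (FLAGGED, OTHER):
        print(find_script_bindings(build_sample(href)))
```

A hit on an untrusted document is a reason to open it only with macros disabled or LibreLogo removed; an empty result does not prove the document is safe.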


LibreOffice is one of the most popular open source alternatives to the Microsoft Office package, available for Windows, Linux and macOS.


About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
