Patches for 2 Severe LibreOffice Flaws Bypassed — Update to Patch Again

If you are using LibreOffice, you need to update it once again.

LibreOffice has released versions 6.2.6 and 6.3.0 of its open-source office suite to address three new vulnerabilities that let attackers bypass the patches for two previously fixed flaws.

LibreOffice is one of the most popular open-source alternatives to the Microsoft Office suite and is available for Windows, Linux and macOS.


One of the two vulnerabilities LibreOffice attempted to patch just last month, tracked as CVE-2019-9848, was a code execution flaw in LibreLogo, a programmable turtle vector-graphics script that ships by default with LibreOffice.

The flaw lets an attacker craft a malicious document that silently executes arbitrary Python code without showing any warning to the targeted user.

The patch for this vulnerability turned out to be insufficient, as The Hacker News reported late last month: two security researchers independently bypassed it and re-enabled the attack through two new vulnerabilities, described below:

CVE-2019-9850: Discovered by Alex Inführ, this vulnerability stems from insufficient URL validation, which lets an attacker bypass the protection added for CVE-2019-9848 and once again trigger a LibreLogo call from script event handlers.
CVE-2019-9851: Discovered by Gabriel Masei, this flaw resides in a separate feature where documents can specify pre-installed scripts, just like LibreLogo, which can be executed on various global script e ..
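As an added illustration (not code from the original article and not LibreOffice's own code), the following Python script triages an ODF document for the attack vector described above: script event listeners whose target points at LibreLogo. It assumes the `vnd.sun.star.script:` URL scheme that LibreOffice's scripting framework uses to address a script; the script path, event name and document layout in the constructed sample are assumptions for the demo, not details taken from the page. The href is percent-decoded until stable and case-folded before matching, because the lesson of CVE-2019-9850 is that a naive check on the raw URL string is not sufficient validation.

```python
"""Triage an ODF document for script event listeners that invoke LibreLogo.

Added example, not LibreOffice code. The LibreLogo script URL used below is
an assumption about LibreOffice's scripting URL scheme; the sample document
is constructed in memory so the script runs offline.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote
from xml.sax.saxutils import escape

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}

# Anything in the script URL scheme that names LibreLogo or asks for a
# Python script to be run deserves a human look.
SUSPICIOUS = re.compile(r"librelogo|language=python", re.I)


def normalise_href(href: str) -> str:
    """Percent-decode until stable, then case-fold, so encoded or mixed-case
    spellings of the same script name cannot slip past a substring check
    (the insufficient-validation class of bug behind CVE-2019-9850)."""
    prev = None
    while href != prev:
        prev, href = href, unquote(href)
    return href.casefold()


def find_script_listeners(odt_bytes: bytes):
    """Return (member, event name, raw href) for every script event listener
    in content.xml or styles.xml whose target looks like a LibreLogo call."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for member in ("content.xml", "styles.xml"):
            if member not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(member))
            for el in root.iter("{%s}event-listener" % NS["script"]):
                href = el.get("{%s}href" % NS["xlink"], "")
                event = el.get("{%s}event-name" % NS["script"], "")
                target = normalise_href(href)
                if target.startswith("vnd.sun.star.script:") and SUSPICIOUS.search(target):
                    findings.append((member, event, href))
    return findings


def build_sample_odt(href: str) -> bytes:
    """Build a minimal, constructed ODT in memory containing one hyperlink
    whose mouse-over event listener points at `href`. Assumed layout."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="%s" xmlns:text="%s" '
        'xmlns:script="%s" xmlns:xlink="%s">'
        "<office:body><office:text><text:p>"
        '<text:a xlink:href="https://example.invalid/">link'
        "<office:event-listeners>"
        '<script:event-listener script:event-name="dom:mouseover" '
        'script:language="ooo:script" xlink:href="%s"/>'
        "</office:event-listeners></text:a>"
        "</text:p></office:text></office:body></office:document-content>"
    ) % (NS["office"], NS["text"], NS["script"], NS["xlink"], escape(href, {'"': "&quot;"}))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # Constructed sample: a percent-encoded spelling of the LibreLogo script path.
        data = build_sample_odt(
            "vnd.sun.star.script:%4cibreLogo.LibreLogo.py$run?language=Python&location=share"
        )
    for member, event, href in find_script_listeners(data):
        print(f"{member}: event {event!r} -> {href}")
```

Run it as `python scan_odt.py suspect.odt` to triage a real file, or with no argument to see it flag the constructed, percent-encoded sample. This is a triage heuristic for mail gateways or incident response, not a substitute for updating: it only inspects the two main XML streams and only catches listeners that name LibreLogo or request a Python script.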
