LibreOffice: Wrong click can lead to the execution of malicious code

A security vulnerability in the open source office suite LibreOffice allows attackers to get malicious code executed on victims' systems. A single click is enough.

Stylized image: spam and malware on and around the computer

Manipulated documents can trick victims with malicious code

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

The open source office software suite LibreOffice is affected by a security vulnerability. By tricking victims into opening a maliciously crafted document and clicking on it, attackers can apparently get malicious code executed on the victims' systems.

In a security announcement, the LibreOffice developers warn that the office software supports linking scripts to click events on graphics. "For affected versions of LibreOffice, there are scenarios in which embedded scripts are executed without warning when users click on a document with such on-click handlers", the programmers describe the problem (CVE-2024-3044, CVSS 8.8, risk "high").

While the LibreOffice project is careful not to give a concrete classification of the threat level, the CERT-Bund of the German Federal Office for Information Security (BSI) has classified the vulnerability as high-risk with a CVSS value of 8.8, just short of "critical" status.

In earlier versions of LibreOffice, such scripts were treated as trusted; they are now considered insecure. The fix means that the macro-execution permission a user grants when loading a document now also governs these on-click handlers.
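For triaging a document before opening it, the following added example (not from the article or the LibreOffice project) lists every script listener bound to a click event in an ODF package's content.xml, which is where such on-click handlers live. The ODF element and attribute names and the vnd.sun.star.script URI form are assumed from the ODF specification and LibreOffice's usual output, since the article names none; the sample document is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ODF namespaces used in content.xml (from the ODF spec; an assumption here, the article names none).
OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK = "http://www.w3.org/1999/xlink"


def find_click_scripts(odf_bytes):
    """Return (event name, script URI) for every script event listener in
    content.xml whose event is a click; an empty list means no such handler."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    hits = []
    for listener in root.iter("{%s}event-listener" % SCRIPT):
        event = listener.get("{%s}event-name" % SCRIPT, "")
        href = listener.get("{%s}href" % XLINK, "")
        if event.endswith("click"):  # ODF names DOM events like "dom:click"
            hits.append((event, href))
    return hits


# Constructed sample: a one-image text document, optionally with a document-local
# Basic macro bound to the image's click event (assumed ODF binding shape).
HANDLER = ('<office:event-listeners><script:event-listener script:event-name="dom:click" '
           'script:language="ooo:script" xlink:href="vnd.sun.star.script:Standard.Module1.Main'
           '?language=Basic&amp;location=document"/></office:event-listeners>')


def build_sample_odt(with_handler):
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="%s" xmlns:script="%s" xmlns:draw="%s" xmlns:xlink="%s">'
        '<office:body><office:text><draw:frame draw:name="Image1">'
        '<draw:image xlink:href="Pictures/img.png"/>%s</draw:frame>'
        '</office:text></office:body></office:document-content>'
    ) % (OFFICE, SCRIPT, DRAW, XLINK, HANDLER if with_handler else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for event, uri in find_click_scripts(build_sample_odt(True)):
        print("click-bound script found:", event, "->", uri)
```

A non-empty result does not prove malice, only that the document carries the handler type the advisory describes; it is a reason to open the file only with macro execution disabled, or on a patched version.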

As a solution to the security problem, the project recommends updating to the fixed LibreOffice versions. LibreOffice 24.2.3 and 7.6.7 are available on the project's download page. Linux users should open their distribution's package management and check whether the fixed versions have already been installed.

Around a year ago, a vulnerability in the Ghostscript package affected various software installations. These included LibreOffice, which ships with Ghostscript. That vulnerability could likewise be exploited by opening manipulated documents.

(dmk)