Patch New Remote Code Exceution Vulnerability in OpenOffice and LibreOffice

There are two leading Microsoft Office alternatives – Apache OpenOffice and LibreOffice. Security researcher Alex Inführ has found that both of them have a vulnerability related to the execution of Python scripts. A maliciously designed Open Document Text (ODT) file can result in remote code execution of Python scripts from any location. Since both of these office suites come with their own copy of Python interpreter, it is not needed that you have Python installed on your system.

In his blog post, Alex Inführ describes how he could simply modify the file path of a Python script in an ODT file and it was executed. Later he found out that the script can also be modified to execute any local file, such as calc.exe (Calculator app) in Windows. The vulnerability affects both LibreOffice and OpenOffice on both Windows and Linux. LibreOffice versions below 6.1.4 are affected (LibreOffice 6.1.4 is fully patched against this vulnerbility). OpenOffice is still not patched and latest version 4.1.6 is still affected with this vulnerability.

As far as LibreOffice is concerned, you can just download and install the latest version on your system to fix the vulnerability. But for OpenOffice, you have to remove the file from the installation folder of OpenOffice. For most of the Windows users, this folder is C:\Program Files (x86)\OpenOffice 4\program or C:\Program Files\OpenOffice 4\program. You just have to open this folder in Windows File Explorer and delete the file named

Fix Remote Code Execution Bug in OpenOffice

When a new version of Apache OpenOffice is made available (hopefully very soon in the future), you can install this new version and it should be table to fix this remote code execution vulnerability. But if you cannot wait for Apache to release the new patched version, then you can simply switch to LibreOffice because both it started out as a fork of OpenOffice supports all of its documents and features.

You can read more about this vulnerability on Alex Inführ’s blog :