OpenOffice.org has released a patch for three security vulnerabilities in its popular open source office suite.
Maliciously crafted Java applets can break out of the sandbox — the security mechanism that runs untrusted code — in OpenOffice.org versions 1.1.x, and 2.0.x, the company said in a bulletin. This could give the malware full access to systems, allowing it to read or send private data, and destroy or replace files.
The second hole enables hackers to inject executable code into OpenOffice documents using a macro, which runs when that document is opened. The user is not asked or notified, and the macro has full access to system resources with current user's privileges, again enabling it to read or send private data, and destroy or replace files.
A buffer overflow vulnerability has also been discovered, by Wade Alcorn of NGSSoftware. The buffer overflow can cause a memory overload and program crash which enables a hacker to attack the affected system.
Users can protect themselves from the first vulnerability by disabling support for Java applets within OpenOffice. There are no workarounds for the macro and buffer overflow vulnerabilities.
Although OpenOffice claims there are currently no known exploits for the vulnerabilities, it has urged all users of 2.0.x prior to 2.0.2 to upgrade to OpenOffice.org 2.0.3.
Patches for users of OpenOffice.org 1.1.5 are not available at the moment, but will be "shortly", according to OpenOffice.
The vulnerabilities also affect StarOffice 6.x, 7.x, and 8.x. and StarSuite 7.x and 8.x, according to security firm Secunia. StarOffice and StarSuite are Sun's commercial office software offerings, based on the same code as the OpenOffice suite. Patches are available for StarOffice and StarSuite versions 7.x and 8.x.
OpenOffice.org admitted on Tuesday that its suite could become more of a target for hackers as it grows in popularity, but claimed that its structure enabled it to react faster to threats than proprietary software vendors such as Microsoft.
"I believe any software, as it becomes more popular, could be more of a target for hackers," Cristian Driga, OpenOffice.org marketing project co-lead, told ZDNet UK.
"But it depends how quickly organisations react. With the open community, we have so many users who report any problem discovered, and our developers react very quickly. We have a faster patch time than Microsoft. OpenOffice also has a lot of different, active language communities, always ready to react."
Driga denied that the disclosure of the vulnerabilities would damage OpenOffice's reputation.
"We have a security team that takes care of vulnerabilities 24 hours a day, and the open source community too. Our speed of response would prevent a decrease in popularity," Driga said.
Talkback
I find the main summary of this story rather odd. "The open source organisation denies it will suffer any loss of reputation after patching several vulnerabilities." - it has released an updated version of the software and done so for free. Surely an organisation that can respond so quickly to such potential vulnerabilities is to be praised, not scalded.
Kenny, Kenny, Kenny, you just don't understand do you. Open Source software is of course badly designed and shot full of holes. So any flaws that are found just add to the final opinion that we should do what we have long been advised to do and drop it all for the smelly fish it truly is. Microsoft software, on the other hand is perfect. Anyone who says thay have discovered a flaw in these stacks of golden code is simply trying to mar the reputation of this paragon of virtue. On the off chance that the perfect design is not appreciated by an ignorant element of the consuming public, the fact that M$ choose to coddle them with a patch, should make us all truly grateful and impressed.
"OpenOffice patches three security holes"
I assume this is only on the windows version, since it can gain access to the entire system. Linux isn't
"integrated" like M$ is, so is not as vulnerable or as buggy as M$ . Plus, you won't have to wait a month for a patch.