Security Flaw Confirmed in OpenOffice

By Ed Oswald | Published April 13, 2005, 12:11 PM

The makers of the OpenOffice.org productivity suite confirmed late Tuesday that a buffer overflow flaw does indeed exist in both the latest stable and beta versions of the software. The issue could potentially make its users vulnerable to code execution attacks.

Community manager, Louis Suarez-Potts, confirmed to eWeek Tuesday that the flaw did indeed exist and said it was caused when the program handles a specially written .doc file. "We learned of this March 31 and will be working on it immediately. A patch is ready but it is still going through [quality assurance] testing," he said.

Security firm Secunia calls the flaw "moderately critical," because while the bug is serious enough to cause compromising of data, it requires the user perform a certain set of actions in order for it to occur.

Suarez-Potts says a fix for the problem will likely be made available by the end of this week.

OpenOffice.org is an open source productivity suite that offers a word processor, spreadsheet, presentation software and a drawing program. The project began with code from the StarOffice suite and is supported by Sun Microsystems.

Comments

Does this effect all versions of OpenOffice, or just the Windows version (since Windows is the big target for buffer overflow news these days)? I have OpenOffice installed on my XP Pro system and on my Kubuntu box...

Score: 0

|

It affects all operating systems. The problem has been fixed and a patch can be obtained at the CVS repository.

Score: 0

|

thanks =)

Score: 0

|

Secunia, don't answer right away, take at least 60 seconds and ponder this--would you deem this "Moderately Critical" if it were Microsoft? I mean c'mon, this is a buffer overflow vulnerability, historically almost every one of these are deemed critical even by Microsoft's terms. It's a free country here in the states--if you hate Microsoft just come out and say it rather than using your stupid rating system to play favorites...

Score: 0

|

You make a good point that OS apps get a pass on security by users and tech media for some reason, even though millions of people now rely on free software. But this is the second report this week of an old problem cropping up in new software. As long as it's fixed, I'll be happy again.

Score: 0

|

It's still flagged critical isn't it?

I'm sorry, I don't see your point.

Score: 0

|

huh? so should they state it as severely critical, or should MS be stated more as "moderately critical"

Score: 0

|

My point was that Secunia plays favorites with security ratings. Noticed that Microsoft has all of the "highly critical" vulnerabilities whilest OpenOffice.org and linux and the rest do not? I took this for more than what it was perhaps, I was angry at the time and strong emotion = weak brainpower :)

Score: 0

|

Silverlight 3 goes live on Microsoft's servers

Microsoft's answer to Adobe's Flash is (unofficially) here, with prospects of higher-speed, higher-resolution video and for the first time, 3D.

Three Android phones on the way from T-Mobile in 2009

T-Mobile's myTouch 3G, launched Wednesday, will be followed by two more Android phones later this year, but neither of them will be HTC's Hero.

Best Buy-brand TVs to get TiVo

A new alliance will place the retailer's own brand alongide the manufacturers, and could also lead to future partnerships on services.

LTE still lacks a voice

The 4G Wireless standard that Verizon hopes to show off before this year is out is still at a loss for (spoken) words.

Data sharing among online advertisers: Is sanity in sight?

Lockdown with Angela Gunn In the middle of a 15-page plea not to get regulated, a spark of smart thinking.

T-Mobile's strategy to combat Apple's iPhone with Android

With a trio of Android phones now in the pipeline for 2009, T-Mobile hopes to break the iPhone's emerging stranglehold.

EC's Reding: Government should act as broker for media downloads

If Internet media services don't step up and build an attractive way for users to start paying for downloads, a commissioner says, government may do the job instead.

Sony TVs get Netflix, still no PS3

Though it's coming in behind LG, Samsung, and Microsoft, Sony will begin to offer Netflix streaming, too.

Google Chrome OS: Too little, too early

Carmi Levy: Wide Angle Zoom Don't start the revolution just yet, says Carmi, who isn't so certain Chrome OS will be the "Windows Killer."

GAO pen test brings the hammer down on federal rent-a-cops

But are the computers to blame for the contract-guard fiasco at FPS?

What's Next: Chrome OS will have at least some friends in high places

Also: South Korea takes another round of DDoS abuse, and Neelie Kroes and Steve Ballmer may shake hands before she exits stage left.

Report: Evidence of further creativity with Windows 7 upgrade prices

A ZDNet blogger did some serious digging for clues as to a reported price break on multiple Windows 7 Home Premium licenses, and may have found it.