News

Security Flaw Confirmed in OpenOffice

By Ed Oswald | Published April 13, 2005, 12:11 PM

The makers of the OpenOffice.org productivity suite confirmed late Tuesday that a buffer overflow flaw does indeed exist in both the latest stable and beta versions of the software. The issue could potentially make its users vulnerable to code execution attacks.

Community manager, Louis Suarez-Potts, confirmed to eWeek Tuesday that the flaw did indeed exist and said it was caused when the program handles a specially written .doc file. "We learned of this March 31 and will be working on it immediately. A patch is ready but it is still going through [quality assurance] testing," he said.

Security firm Secunia calls the flaw "moderately critical," because while the bug is serious enough to cause compromising of data, it requires the user perform a certain set of actions in order for it to occur.

Suarez-Potts says a fix for the problem will likely be made available by the end of this week.

OpenOffice.org is an open source productivity suite that offers a word processor, spreadsheet, presentation software and a drawing program. The project began with code from the StarOffice suite and is supported by Sun Microsystems.

Comments

View comments by with a score of at least

wincement
Apr 13, 2005 - 3:04 PM

Does this effect all versions of OpenOffice, or just the Windows version (since Windows is the big target for buffer overflow news these days)? I have OpenOffice installed on my XP Pro system and on my Kubuntu box...

Score: 0

|
Post Reply
UniversityofKentucky
Apr 13, 2005 - 7:30 PM

It affects all operating systems. The problem has been fixed and a patch can be obtained at the CVS repository.

Score: 0

|
Post Reply
wincement
Apr 13, 2005 - 7:42 PM

thanks =)

Score: 0

|
Post Reply
bourgeoisdude
Apr 13, 2005 - 12:44 PM edited

Secunia, don't answer right away, take at least 60 seconds and ponder this--would you deem this "Moderately Critical" if it were Microsoft? I mean c'mon, this is a buffer overflow vulnerability, historically almost every one of these are deemed critical even by Microsoft's terms. It's a free country here in the states--if you hate Microsoft just come out and say it rather than using your stupid rating system to play favorites...

Score: 0

|
Post Reply
zridling
Apr 13, 2005 - 3:53 PM

You make a good point that OS apps get a pass on security by users and tech media for some reason, even though millions of people now rely on free software. But this is the second report this week of an old problem cropping up in new software. As long as it's fixed, I'll be happy again.

Score: 0

|
Post Reply
fewt
Apr 13, 2005 - 5:01 PM

It's still flagged critical isn't it?

I'm sorry, I don't see your point.

Score: 0

|
Post Reply
spiffyjeff
Apr 14, 2005 - 3:29 AM edited

huh? so should they state it as severely critical, or should MS be stated more as "moderately critical"

Score: 0

|
Post Reply
bourgeoisdude
Apr 14, 2005 - 11:06 AM

My point was that Secunia plays favorites with security ratings. Noticed that Microsoft has all of the "highly critical" vulnerabilities whilest OpenOffice.org and linux and the rest do not? I took this for more than what it was perhaps, I was angry at the time and strong emotion = weak brainpower :)

Score: 0

|
Post Reply

Google rolls out real-time search, Near Me Now, extended personalization

Over time, searches from PCs and mobile phones will grow even "more personalized." But what about user privacy and search results that give you "the truth"?

Intel's marriage of CPU and GPU not ready for prime time

Although there will be an Intel component this month that can compute and plot in parallel, Betanews was told today, it won't be based on Project "Larrabee."

An alternative to Research in Motion's enterprise e-mail? There's an app for that

Good Technology today released an iPhone app compatible with its enterprise e-mail solution.

Playing catch-up in 2010: Windows Mobile, BlackBerry, and Symbian

Microsoft, RIM, and Nokia are each working on improved mobile operating systems. But could these efforts add up to too little, too late?

Windows fix for TLS security bug still forthcoming, won't be Tuesday

Anyone looking for a fix for last month's discovery of a potentially serious security hole in TLS and SSL may have to wait until everyone is ready to act together.

Not the first, not the last, technology predictions for 2010

Carmi Levy | Wide Angle Zoom: The real truth is probably that what went around in 2009, will come around to haunt us next year.

Google Goggles: Hands on with the Shazam of the Real World

Google today unveiled Goggles, its visual search lab for Android devices that identifies objects by sight.

Microsoft: Windows 7 Family Pack wasn't 'pulled,' it just sold out

If you hurry, you may still be able to find the last Family Pack upgrade editions hanging around retail store shelves, but probably not so much online.

Clever iPhone game returns after being bumped over a name dispute

The game's simple concept and multitude of platforms and puzzles manage to pull off a retro, 8-bit style that's reminiscent of an old Atari game given a modern makeover.

Report: Microsoft to randomize Europe's browser screen choices

The fact that "A" is for "Apple" was apparently at the heart of browser vendor objections to Microsoft's alternative to listing IE first.

Will Nokia's plans further alienate American consumers?

A look at Nokia's plans for the coming years does little to shine up the company's increasingly dull image.