October 29th, 2008

Code execution flaws haunt OpenOffice

Posted by Ryan Naraine @ 10:19 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Data theft, Denial of Service (DoS), Malware, Open source, Passwords, Patch Watch, Responsible disclosure, Spam and Phishing, Spyware and Adware, Vulnerability research

Tags: Flaw, OpenOffice.org, OpenOffice 3.0, OpenOffice, Open Source, Security, Office Suites, Software, Ryan Naraine

OpenOffice.org has shipped a new version of the open-source desktop productivity suite to patch a pair of highly-critical vulnerabilities that could expose users to arbitrary code execution attacks.

The flaws, which affect all versions prior to OpenOffice.org 2.4.2, could be exploited via manipulated WMF and EMF files in StarOffice or StarSuite documents.

The skinny:

  • CVE-2008-2237: A security vulnerability in the way OpenOffice 2.x processes WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. There is no workaround.
  • CVE-2008-2238: A security vulnerability in the way OpenOffice 2.x processes EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. There is no workaround.

OpenOffice.org described the bugs as file-handling heap overflows. Patches are available in OpenOffice 2.4.2.

OpenOffice 3.0 is not affected by these vulnerabilities.
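Since both flaws are reached through WMF or EMF data carried inside a document, the following added example (not from the article or from OpenOffice.org) shows how a defender could flag documents that embed metafiles and check an installed version against the affected range. It assumes the document is a zip-based package; the function names and the sample package are constructed for illustration.

```python
import io
import struct
import zipfile

# Magic values from the published WMF/EMF file formats.
WMF_PLACEABLE = b"\xd7\xcd\xc6\x9a"      # Aldus placeable-metafile key
WMF_STANDARD = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")  # type 1/2, 9-word header
EMF_SIGNATURE = b" EMF"                   # at offset 40 of the EMR_HEADER record


def metafile_kind(data):
    """Return 'EMF', 'WMF' or None, judging by content rather than extension."""
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == EMF_SIGNATURE:
        return "EMF"
    if data[:4] == WMF_PLACEABLE or data[:4] in WMF_STANDARD:
        return "WMF"
    return None


def is_affected(version):
    """Per the article: everything before 2.4.2 is affected, 3.0 is not."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (2, 4, 2)


def embedded_metafiles(package_bytes):
    """List (member name, kind) for every WMF/EMF stream in a zip-based document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            with pkg.open(info) as member:
                kind = metafile_kind(member.read(64))
            if kind:
                hits.append((info.filename, kind))
    return hits


def build_sample():
    """Constructed sample: a minimal zip package with harmless header-only stubs."""
    emf = b"\x01\x00\x00\x00" + struct.pack("<I", 88) + bytes(32) + EMF_SIGNATURE + bytes(44)
    wmf = WMF_PLACEABLE + bytes(18) + b"\x01\x00\x09\x00" + bytes(14)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", "<office:document-content/>")
        pkg.writestr("Pictures/chart.png", emf)   # misleading extension on purpose
        pkg.writestr("Pictures/logo.wmf", wmf)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in embedded_metafiles(build_sample()):
        print(f"{kind}: {name}")
```

Matching on header bytes rather than file extension catches a metafile stored under a misleading name; documents in non-zip container formats are outside what this sketch inspects.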

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 74 Talkback(s)
Disagree
Loverock I do agree that security issues with a program is a big issue. But
the alternatives aren't much better at dealing with these issues either.
There will always be flaws in software ope...
Posted by: mathcreative Posted on: 02/27/09