Security experts have discovered vulnerabilities in OpenOffice.org that could allow attackers to remotely execute code on Linux, Windows or Apple Mac-based computers.
OpenOffice.org 2.0.4 and earlier are vulnerable to maliciously crafted TIFF files, which can be delivered as an e-mail attachment, published on a Web site or shared using peer-to-peer software. The next version of OpenOffice (version 2.3) arrived on September 17 and is not affected by the flaw.
The vulnerability was discovered by researchers at iDefense, who claim that the OpenOffice TIFF parsing code is flawed.
"When parsing the TIFF directory entries for certain tags, the parser uses untrusted values from the file to calculate the amount of memory to allocate. By providing specially crafted values, an integer overflow occurs in this calculation. This results in the allocation of a buffer of insufficient size, which in turn leads to a heap overflow," the iDefense team reported last Friday.
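The allocation-size pattern the iDefense advisory describes, shown here as an added C illustration that is not OpenOffice.org's code: a TIFF directory entry's count is multiplied by the field-type width in 32-bit arithmetic, the product wraps, and the buffer comes out far smaller than the data it must hold. The hardened version rejects the wrap and bounds the size by the file. The entry bytes, tag and count are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte width of each TIFF 6.0 field type, indexed by type id (0 = unknown). */
static const uint32_t kTypeSize[] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

static uint32_t type_size(uint16_t type) {
    size_t n = sizeof kTypeSize / sizeof kTypeSize[0];
    return type < n ? kTypeSize[type] : 0;
}

/* One 12-byte IFD entry: tag, type, count, value-or-offset (little-endian). */
struct ifd_entry { uint16_t tag, type; uint32_t count, value; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void parse_entry(const uint8_t raw[12], struct ifd_entry *e) {
    e->tag = rd16(raw);       e->type = rd16(raw + 2);
    e->count = rd32(raw + 4); e->value = rd32(raw + 8);
}

/* Vulnerable pattern from the advisory: count * element size in 32-bit arithmetic wraps. */
uint32_t vulnerable_alloc_size(const struct ifd_entry *e) {
    return e->count * type_size(e->type);
}

/* Hardened: unknown type, arithmetic wrap, or a size the file cannot back are all rejected. */
int safe_alloc_size(const struct ifd_entry *e, uint32_t file_bytes, uint32_t *out) {
    uint32_t elem = type_size(e->type);
    if (elem == 0) return -1;                      /* unknown field type */
    if (e->count > UINT32_MAX / elem) return -1;   /* multiplication would wrap */
    uint32_t bytes = e->count * elem;
    if (bytes > file_bytes) return -1;             /* more data than the file contains */
    *out = bytes;
    return 0;
}

/* True when the vulnerable computation yields a buffer smaller than the data it must hold. */
int underallocates(const struct ifd_entry *e) {
    uint64_t needed = (uint64_t)e->count * type_size(e->type);
    return needed != vulnerable_alloc_size(e);
}

/* Constructed entry: tag 0x0111 (StripOffsets), type 4 (LONG), count 0x40000001. */
static const uint8_t kCraftedEntry[12] = {
    0x11, 0x01,  0x04, 0x00,  0x01, 0x00, 0x00, 0x40,  0x00, 0x00, 0x00, 0x00 };

int main(void) {
    struct ifd_entry e; uint32_t n;
    parse_entry(kCraftedEntry, &e);
    printf("count=%u elem=%u vulnerable size=%u (needs %llu bytes)\n", e.count,
           type_size(e.type), vulnerable_alloc_size(&e),
           (unsigned long long)e.count * type_size(e.type));
    printf("safe_alloc_size -> %d\n", safe_alloc_size(&e, 1u << 20, &n));
    return 0;
}
```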
TrustDefender co-founder Andreas Baumhof said: "This vulnerability allows someone to execute malicious code on your computer. It's an OpenOffice bug so it doesn't matter what type of operating system you run; it allows you to run malicious software with the same rights as the user who runs OpenOffice."
"At this stage, it's only confirmed on Linux," Baumhof said. "But typically it would affect all operating systems. The only difference with Linux and Windows is that home users typically run Windows as the administrator."
In June, OpenOffice users were warned about a worm called "Badbunny" that was spreading in the wild through multiple operating systems, including Mac OS, Windows and Linux.
At the time, Symantec posted an advisory that said: "A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems. Be cautious when handling OpenOffice files from unknown sources."
You bring up a good point, you get what you pay for...then I would expect MS to actually provide a secure Office Suite for 400 dollars. You try to poke that people are going to be open to viruses using Open Office? The latest version affected is 3 versions old...the new ones not affected. How many people got affected by viruses using holes in Outlook, and Excel Macros...those were "Genuine Microsoft Office Products".
Go back to your cubicle...your MS supervisor is waiting for your troll report
I'd use OpenOffice.org over MS Office any day. This is one vulnerability, but how many does MS Office have? This sort of vulnerability has been in MS Office for a long time and it's still there because when Windows Update patches one hole it opens another. You are a Microsoft Fan Boy.
When you run any app in the Open Office suite it will notify you if a new version is available. There will be a green button in the right-hand corner you can click to get the latest version. As others have pointed out 2.0.4 is ancient, the current version is 2.3.0 which isn't affected by this flaw. Yet another demonstration that updating your software is good practice. I can assure you there are plenty more than a half dozen people using it.
This is certainly a problem, but perhaps not a huge one. As the article notes, 2.3 is the current version, and it is not susceptible to bugs. Nor are versions 2.2 (released in March) or 2.1 (released last December), apparently. The majority of Linux users will have been updated by now to at least 2.2...
but it doesn't always play out that way. I do a *lot* of development for SSH and it always surprises me how many people are still running 3.8 which is several years old at this point. Generally people upgrade when they discover that the new version adds a compelling feature. Otherwise many people are happy leaving well enough alone.
You know, women have been raped since almost the beginning of time, yet that still makes the news. Seriously, don't we have anything new to talk about. Every time I look, it's the same old thing. Murder, death, war, famine, malicious attacks through vectors in software that many erroneously believe impervious to attack because it was written by a community of programmers who release their source code into the wild. Yeah. . there's nothing new under the sun. . . nothing new.
I thought Open Source was always Secure? Odd that both the office software, and the underlying "secure" OS (Linux) were able to fall victim to a buffer overrun...
Every non-trivial program has flaws. Nothing odd about it.
Compare this to Office, a bug from a year old version is news with OpenOffice, for Office to make news it would have to go 60 minutes without being exploited.
There is a world of difference between 1 unexploited flaw and the countless exploits in Office.
No, that's a fallacy. Open Source is way way less secure.
Unfortunately that seems to be a common perception. However the statistics have for years now shown that Microsoft products have far fewer vulnerabilities, fewer serious vulnerabilities and are on average patched in half the time of Open Source software.
See http://blogs.technet.com/security/archive/2007/08/16/july-2007-operating-system-vulnerability-scorecard.aspx
Hence the ongoing market share losses by 'free' Apache to Microsoft Server as people are fed up with their insecure Linux boxes being constantly exploited, hacked and defaced and the nightmare of trying to keep an open source LAMP stack updated and patched. Apache is about to fall below 50% market share for the first time since 1998!
See http://news.netcraft.com/archives/web_server_survey.html
Difference #1: This flaw was found in an old version of OpenOffice.org, not the current version.
Difference #2: It was found by the researchers being able to read the source code, because it's open-source.
Difference #3: On Windows, the most likely scenario is that the exploit would get administrator privileges. On Linux, the exploit would get limited user privileges at best (since Linux users do not run OOo as administrator).
Difference #4: If the Linux user is using Fedora/Red Hat-based distributions, SUSE, or the in-development Ubuntu (I've named the biggest distributions here), there is a greatly reduced chance of any harm happening. This is because these distributions are equipped with SELinux or AppArmor, which are kernel-level systems that define what a program can do. If OOo gets convinced to do things that it shouldn't normally, those two security systems will either prevent it or raise an alarm to the user.
Difference #5: Fedora and Red Hat-based distributions randomise the memory addresses of programs, making a successful buffer overflow exploit much less likely still.
Why was the flaw demonstrated on Linux first? Because you can customise Linux to turn off the security features if you wish. It's dumb to do so, but it's possible. Also note that the flaw works regardless of operating system - Windows Vista and Mac OS X are not invulnerable to it.
Finally, open-source is not "Secure". It is merely MORE secure than proprietary systems.
Windows update can patch Office in the background before you next use it.
If someone sends you an exploit for an Open Office vulnerability, and you launch it as an attachment, the file is loaded into Open Office and you get exploited before the software has a chance to update!
The story should have contained a warning for those using outdated versions of OpenOffice.org to update to the current patched version...As is...the story is just a warning for a problem...without mentioning the solution that is readily available.
Read Commander_Spock's and another comment that followed and this brings us to the reading which states: "He who thinks that he knows; and, knows not that he knows nothing is a fool"!
What does this tell one about the capabilities/requirements of an Office (Productivity) Suite? Got to have the same one that the Russians are using - period!
I interrupt the flame wars for this brief announcement:
I see we have a few MS fan boys, and many OpenOffice.org (OO.o) fan boys.
The only truly secure computer system is the one that is never plugged in and turned on.
Regardless of which office package you use, if you don't keep it updated, you have vulnerabilities. Neither update system (MS or OO.o) is perfect, and I'm sure many people turn off the updates or just flat out ignore them.
In my opinion - as a heavy user of BOTH office suites - OO.o has all the functionality to satisfy 99% of home users and 75% of office workers. Excel has a slight edge over OO.o when it comes to serious formulas and number crunching.
Add the functionality to the fact that it's free and you have a serious competitor in the office suite market.
BTW - OO.o does get patched much quicker than MS can patch MSO. Just deal with it.
I now return you to your regularly scheduled flame wars. Battle on!
Patches are being applied regularly to MS Windows, GNU/Linux and Mac OSes and their associated applications.
So what is the fuss about? 17yo daughter's computer has far more patches on her Win XP OS install than on her Mandriva GNU/Linux OS.
The security of open source is around 2 separate issues; 1) We do not log in as administrator so any malware we do pick up cannot do anything serious, 2) The GNU/Linux developer base is huge and any flaws are noticed early on, before they are taken advantage of.
Put it this way; I have been involved in repairing 2 Win XP and 1 Win Vista machines in the last week from malware. As regards this Ubuntu GNU/Linux machine and other computers amongst friends and family, NO infections, crashes or the like or anything near it. Just relaxed, easy going and safe open source computing.
Lesson for the day: If you can't take it, don't dish it.
I wish the Open Source and Apple fanboys would grow up someday and learn to take their lumps like the rest of us.
First it's "Non-Microsoft Product X" NEVER has problems like "Microsoft's Competing Product". Then "Non-Microsoft Product X" has a problem and then the backstroke begins...
"Non-Microsoft Product X" has a lot FEWER problems than "Microsoft's Competing Product" and aside from that "Microsoft's Competing Product" sucks.
One reader commented on how there were a lot more Open Source fanboys commenting here than Microsoft fanboys. I think that speaks volumes. Users of Microsoft software (a.k.a. fanboys) don't feel the need to bash other non-Microsoft software like Open Source fanboys do. I think it has something to do with a thing called "reality" that seems to escape the fanatics.
Now go enjoy your copy of Halo 3 on your Microsoft Xbox 360!!! I, being the consummate Microsoft fanboy that I am, will now retire from the computer this evening to go play on my Nintendo Wii since I've never bought an Xbox.
Yes, MS bugs are affecting only Windows since there is no MSO for others ;)
There is no MS Office for Linux so MS bugs can't affect anything but Windows. Actually MS is in loss - Windows users do have bugs in MSO and in OO, Linux ones in OO only. Slightly fewer, he-he-he :)
Haha, Linux normally takes care of updating ALL programs :))))))
Linux systems do have way better installers and updaters.
First, you can install a dozen programs in a few mouse clicks from software catalogs called repositories. Just a few mouse clicks and all chosen programs are here. Usually programs are free so you are really getting new software at blazing speed.
Second thing... Linux systems do have updaters capable of updating ALL programs. Not just "genuine MS crap". So you do not have to stick to something and pay-pay-pay-pay-pay-pay-pay.... forever. A free system means more freedom, more choice, more flexibility, less headache, fewer restrictions and well, there are no moron fascist EULAs from MS. So you can grab one copy of OO and install it on all machines. For free, and absolutely legally. MS will call you a pirate then.
And well, MS activation is sort of crap which can sabotage system operation without good reason, resulting in major losses. Nobody will cover 'em though. Read the license carefully, Luke. Then think twice: DO YOU REALLY AGREE with all this crap in the MS EULA???
The half dozen users that actually installed this are probably going to be vulnerable to viruses for ever more...
Oh well, you get what you pay for.
It is already patched in the new version. M$ has had office flaws that remain unpatched for years....
I don't think any reply is necessary for someone THAT religious about their software!
"Growing Up" They Say!
Geez have you ever heard of half.com or buy.com or even ********** ....
Growing up indeed!
Just look at their website on October 9 (patch Tuesday) and there'll be a discussion of MS problems.
However in my years of using OpenOffice, it still hasn't ceased to suck ass.
Go figure...
Power Point crashing while you're saving your file = lots of fun. -sarcasm
KieranMullen
http://360oregon.com
But I have a question.
How do average users go about applying updates to OO?
Are there ever patches?
How do you find out?
How do you get them?
Do you just have to wait for the next version to fix a bug?
I am sure it is damn near bug free so maybe my questions are moot, but please answer just for fun.
Thanks
Tom
Talk to the systems admin,
I'm sure they can download it for you.
Most are vulnerable to hacking, few are vulnerable to viruses, and they are usually patched very quickly.
If you've been updating and auto-updating from OpenOffice.org 2.3, this wouldn't even concern you.
"Russia unveils new passenger jet"
http://www.news.com/Russia-unveils-new-passenger-jet/2100-11397_3-6210057.html
... "looks like the best dang business plan 'EVER'!"
http://www.news.com/5208-11397_3-0.html?forumID=1&threadID=31454&messageID=313846&start=0