September 25, 2007 8:38 AM PDT
OpenOffice bug hits multiple operating systems
OpenOffice version 2.0.4 and earlier versions are vulnerable to maliciously crafted TIFF files, which can be delivered in an e-mail attachment, published on a Web site or shared using peer-to-peer software. The next version of OpenOffice (version 2.3) arrived on September 17 and is not affected by the flaw.
The vulnerability was discovered by researchers at iDefense, who claim that the OpenOffice TIFF parsing code is flawed.
"When parsing the TIFF directory entries for certain tags, the parser uses untrusted values from the file to calculate the amount of memory to allocate. By providing specially crafted values, an integer overflow occurs in this calculation. This results in the allocation of a buffer of insufficient size, which in turn leads to a heap overflow," the iDefense team reported last Friday.
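The size calculation iDefense describes, shown as an added C example; it is not OpenOffice's code and not taken from the advisory. The function names and the `file_len` bound are hypothetical, and the element sizes are those of the TIFF field types BYTE, ASCII, SHORT, LONG and RATIONAL.

```c
#include <stdint.h>
#include <stdio.h>

/* Bytes per element for TIFF field types 1..5:
   BYTE, ASCII, SHORT, LONG, RATIONAL (index 0 is unused). */
static const uint32_t TYPE_SIZE[6] = {0, 1, 1, 2, 4, 8};

/* Flawed pattern: trusts count from the file and multiplies in 32 bits,
   so the product silently wraps. Caller must pass type in 1..5. */
uint32_t alloc_size_unchecked(uint16_t type, uint32_t count) {
    return count * TYPE_SIZE[type];
}

/* Hardened pattern: returns 0 and stores the size in *out, or -1 to reject.
   file_len (hypothetical parameter) is the total size of the input file. */
int alloc_size_checked(uint16_t type, uint32_t count,
                       uint32_t file_len, uint32_t *out) {
    if (type < 1 || type > 5)
        return -1;                      /* unknown element size */
    uint32_t esz = TYPE_SIZE[type];
    if (count > UINT32_MAX / esz)
        return -1;                      /* count * esz would wrap */
    uint32_t total = count * esz;
    if (total > file_len)
        return -1;                      /* entry claims more data than the file holds */
    *out = total;
    return 0;
}

int main(void) {
    /* Constructed directory entry values: type LONG, count 0x40000001. */
    uint16_t type = 4;
    uint32_t count = 0x40000001u, size = 0;
    printf("unchecked size: %u bytes for %u elements\n",
           (unsigned)alloc_size_unchecked(type, count), (unsigned)count);
    if (alloc_size_checked(type, count, 4096, &size) != 0)
        puts("checked: entry rejected");
    if (alloc_size_checked(3, 10, 4096, &size) == 0)
        printf("checked: SHORT x 10 -> %u bytes\n", (unsigned)size);
    return 0;
}
```

With the constructed values, the unchecked product wraps to 4 bytes while the parser still believes the entry holds 0x40000001 elements, which is the undersized allocation the advisory refers to.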
TrustDefender co-founder Andreas Baumhof said: "This vulnerability allows someone to execute malicious code on your computer. It's an OpenOffice bug so it doesn't matter what type of operating system you run; it allows you to run malicious software with the same rights as the user who runs OpenOffice."
"At this stage, it's only confirmed on Linux," Baumhof said. "But typically it would affect all operating systems. The only difference with Linux and Windows is that home users typically run Windows as the administrator."
In June, OpenOffice users were warned about a worm called "Badbunny" that was spreading in the wild through multiple operating systems, including Mac OS, Windows and Linux.
At the time, Symantec posted an advisory that said: "A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems. Be cautious when handling OpenOffice files from unknown sources."
Liam Tung of ZDNet Australia reported from Sydney.
The half dozen users that actually installed this are probably going to be vulnerable to viruses for ever more...
Oh well, you get what you pay for.
"Growing Up" They Say!
However in my years of using OpenOffice, it still hasn't ceased to suck ass.
Go figure...
The next version of OpenOffice (version 2.3) arrived on September 17 and is not affected by the flaw.
KieranMullen
http://360oregon.com
But I have a question.
How do average users go about applying updates to OO?
Are there ever patches?
How do you find out?
How do you get them?
Do you just have to wait for the next version to fix a bug?
I am sure it is damn near bug free so maybe my questions are moot, but please answer just for fun.
Thanks
Tom
If someone sends you an exploit for an Open Office vulnerability, and you launch it as an attachment, the file is loaded into Open Office and you get exploited before the software has a chance to update!
"Russia unveils new passenger jet"
http://www.news.com/Russia-unveils-new-passenger-jet/2100-11397_3-6210057.html
Read Commander_Spock's and another comment that followed and this brings us to the reading which states: "He who thinks that he knows; and, knows not that he knows nothing is a fool"!
I see we have a few MS fan boys, and many OpenOffice.org (OO.o) fan boys.
The only truly secure computer system is the one that is never plugged in and turned on.
Regardless of which office package you use, if you don't keep it updated, you have vulnerabilities. Neither update system (MS or OO.o) is perfect, and I'm sure many people turn off the updates or just flat out ignore them.
In my opinion - as a heavy user of BOTH office suites - OO.o has all the functionality to satisfy 99% of home users and 75% of office workers. Excel has a slight edge over OO.o when it comes to serious formulas and number crunching.
Add the functionality to the fact that it's free and you have a serious competitor in the office suite market.
BTW - OO.o does get patched much quicker than MS can patch MSO. Just deal with it.
I now return you to your regularly scheduled flame wars. Battle on!
So what is the fuss about. 17yo daughter's computer has far more patches on her Win XP OS install than on her Mandriva GNU/Linux OS.
The security of open source is around 2 separate issues:
1) We do not log in as administrator so any malware we do pick up cannot do anything serious,
2) The GNU/Linux developer base is huge and any flaws are noticed early on, before they are taken advantage of.
Put it this way;
I have been involved in repairing 2 Win XP and 1 Win Vista machines in the last week from malware. As regards this Ubuntu GNU/Linux machine and other computers amongst friends and family, NO infections, crashes or the like or anything near it. Just relaxed easy going and safe open source computing.
Best Wishes Chris.
I wish the Open Source and Apple fanboys would grow up someday and learn to take their lumps like the rest of us.
First it's "Non-Microsoft Product X" NEVER has problems like "Microsoft's Competing Product". Then "Non-Microsoft Product X" has a problem and then the backstroke begins...
"Non-Microsoft Product X" has a lot FEWER problems than "Microsoft's Competing Product" and aside from that "Microsoft's Competing Product" sucks.
One reader commented on how there were a lot more Open Source fanboys commenting here than Microsoft fanboys. I think that speaks volumes. Users of Microsoft software (a.k.a. fanboys) don't feel the need to bash other non-Microsoft software like Open Source fanboys do. I think it has something to do with a thing called "reality" that seems to escape the fanatics.
Now go enjoy your copy of Halo 3 on your Microsoft Xbox 360!!! I, being the consummate Microsoft fanboy that I am, will now retire from the computer this evening to go play on my Nintendo Wii since I've never bought an Xbox.
First, you can install a dozen programs in a few mouse clicks from software catalogs called repositories. Just a few mouse clicks and all chosen programs are here. Usually programs are free so you are really getting new software at blazing speed.
Second thing... Linux systems do have updaters capable of updating ALL programs. Not just a "genuine MS crap". So you do not have to stick to something and pay-pay-pay-pay-pay-pay-pay.... forever. Free system means more freedom, more choice, more flexibility, less headache, less restrictions and well, there are no moron fascist EULAs from MS. So you can grab one copy of OO and install on all machines. For free, and absolutely legal. MS will call you a pirate then.
And well, MS activation is sort of crap which can once sabotage system operation without good reasons resulting in major losses. Nobody will cover 'em though. Read license carefully, Luke. Then think twice: DO YOU REALLY AGREE with all this crap in MS EULA???