September 25, 2007 8:38 AM PDT

OpenOffice bug hits multiple operating systems

Security experts have discovered vulnerabilities in OpenOffice.org that could allow attackers to remotely execute code on Linux, Windows or Apple Mac-based computers.

OpenOffice version 2.0.4 and earlier versions are vulnerable to maliciously crafted TIFF files, which can be delivered in an e-mail attachment, published on a Web site or shared using peer-to-peer software. The next version of OpenOffice (version 2.3) arrived on September 17 and is not affected by the flaw.

The vulnerability was discovered by researchers at iDefense, who claim that the OpenOffice TIFF parsing code is flawed.

"When parsing the TIFF directory entries for certain tags, the parser uses untrusted values from the file to calculate the amount of memory to allocate. By providing specially crafted values, an integer overflow occurs in this calculation. This results in the allocation of a buffer of insufficient size, which in turn leads to a heap overflow," the iDefense team reported last Friday.
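The size calculation iDefense describes can be sketched as follows. This is an added example, not OpenOffice.org's code and not taken from the advisory: it assumes the standard TIFF directory-entry layout (a field type and a 32-bit count whose product is the byte size), and the struct, the function names and the sample entries are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte width of TIFF 6.0 field types 1..12 (BYTE..DOUBLE); index 0 is invalid. */
static const uint32_t type_width[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Directory entry as read from the file; every field is untrusted input. */
struct ifd_entry { uint16_t tag; uint16_t type; uint32_t count; };

/* Flawed pattern: the 32-bit product wraps silently.
   Assumes type is already in 1..12 to keep the focus on the overflow. */
uint32_t entry_bytes_unchecked(const struct ifd_entry *e)
{
    return e->count * type_width[e->type];
}

/* Checked form: returns 0 and sets *out, or -1 if the entry must be rejected.
   avail is the number of bytes the file actually holds for this entry. */
int entry_bytes_checked(const struct ifd_entry *e, size_t avail, size_t *out)
{
    if (e->type < 1 || e->type > 12 || e->count == 0)
        return -1;
    uint32_t width = type_width[e->type];
    if (e->count > UINT32_MAX / width)      /* product would not fit in 32 bits */
        return -1;
    uint64_t total = (uint64_t)e->count * width;
    if (total > avail)                      /* claims more data than exists */
        return -1;
    *out = (size_t)total;
    return 0;
}

/* Copy an entry's values out of the file buffer; NULL if rejected. */
void *load_entry_values(const struct ifd_entry *e, const uint8_t *data, size_t len)
{
    size_t n;
    if (entry_bytes_checked(e, len, &n) != 0)
        return NULL;
    void *buf = malloc(n);
    if (buf != NULL)
        memcpy(buf, data, n);
    return buf;
}

int main(void)
{
    /* Constructed entries (tag value is irrelevant here):
       0x40000001 LONGs of 4 bytes each, and 3 SHORTs of 2 bytes each. */
    struct ifd_entry crafted = {0, 4, 0x40000001u};
    struct ifd_entry benign  = {0, 3, 3};
    size_t n = 0;

    printf("unchecked size for crafted entry: %u bytes\n",
           (unsigned)entry_bytes_unchecked(&crafted));      /* wrapped value */
    printf("checked, crafted: %d\n", entry_bytes_checked(&crafted, 1024, &n));
    if (entry_bytes_checked(&benign, 1024, &n) == 0)
        printf("checked, benign: %zu bytes\n", n);
    return 0;
}
```

A parser that allocates the wrapped size and then copies `count` elements writes far past the allocation, which is the undersized buffer and heap overflow described in the quote.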

TrustDefender co-founder Andreas Baumhof said: "This vulnerability allows someone to execute malicious code on your computer. It's an OpenOffice bug so it doesn't matter what type of operating system you run; it allows you to run malicious software with the same rights as the user who runs OpenOffice."

"At this stage, it's only confirmed on Linux," Baumhof said. "But typically it would affect all operating systems. The only difference with Linux and Windows is that home users typically run Windows as the administrator."

In June, OpenOffice users were warned about a worm called "Badbunny" that was spreading in the wild through multiple operating systems, including Mac OS, Windows and Linux.

At the time, Symantec posted an advisory that said: "A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems. Be cautious when handling OpenOffice files from unknown sources."

Liam Tung of ZDNet Australia reported from Sydney.


73 comments

Oh well, no worries, Windows Update will patch it automatically
Oh, wait, no it won't! That only works for genuine Microsoft Office products.

The half dozen users that actually installed this are probably going to be vulnerable to viruses for ever more...

Oh well, you get what you pay for.
Posted by richto (895 comments )
It may take a year or two though
You don't get what you pay for with M$........

It is already patched in the new version. M$ has had office flaws that remain unpatched for years....
Posted by Reiley (15 comments )
I don't want Windows Update to patch
You bring up a good point, you get what you pay for...then I would expect MS to actually provide a secure Office Suite for 400 dollars. You try to poke that people are going to be open to viruses using Open Office? The latest version affected is 3 versions old...the new ones not affected. How many people got affected by viruses using holes in Outlook, and Excel Macros...those were "Genuine Microsoft Office Products".

Go back to your cubicle...your MS supervisor is waiting for your troll report
Posted by ittesi259 (727 comments )
Patch one hole, open another.
I'd use OpenOffice.org over MS Office any day. This is one vulnerability, but how many does MS Office have? This sort of vulnerability has been in MS Office for a long time and it's still there because when Windows Update patches one hole it opens another. You are a Microsoft Fan Boy.
Posted by TheZorch (6 comments )
Open Office has auto update
When you run any app in the Open Office suite it will notify you if a new version is available. There will be a green button in the right hand corner you can click to get the latest version. As others have pointed out 2.0.4 is ancient, the current version is 2.3.0 which isn't affected by this flaw. Yet another demonstration that updating your software is good practice. I can assure you there are plenty more than a half dozen people using it.
Posted by unknown unknown (1951 comments )
2.0.4 is a year old
This is certainly a problem, but perhaps not a huge one. As the article notes, 2.3 is the current version, and it is not susceptible to bugs. Nor are versions 2.2 (released in March) or 2.1 (released last December), apparently. The majority of Linux users will have been updated by now to at least 2.2...
Posted by Harlan879 (130 comments )
You'd think that
but it doesn't always play out that way. I do a *lot* of development
for SSH and it always surprises me how many people are still
running 3.8 which is several years old at this point. Generally
people upgrade when they discover that the new version adds a
compelling feature. Otherwise many people are happy leaving well
enough alone.
Posted by rapier1 (2722 comments )
LOL!!!
"...2.3 is the current version, and it is not susceptible to bugs."

I don't think any reply is necessary for someone THAT religious about their software!
Posted by KTLA_knew (385 comments )
"OpenOffice.org"!!!
Web Site or Product Name???

"Growing Up" They Say!
Posted by Commander_Spock (3123 comments )
Both
That is the name of both the product AND the website. Go figure...
Posted by feranick (212 comments )
What a waste
In all of two seconds I thought of a few other companies known by their full web addresses.

Geez have you ever heard of half.com or buy.com or even amazon.com ....

Growing up indeed!
Posted by sanenazok (3449 comments )
MS Office did this for years
Why is this news? MS Office has this and many other vulnerabilities and how often do you see it as news on C/NET?
Posted by TheZorch (6 comments )
C|Net Reporting
Oh please, C|Net Reports on every single patch MS puts out and just about every vulnerability that is known.

Just look at their website on October 9 (patch Tuesday) and there'll be a discussion of MS problems.
Posted by sanenazok (3449 comments )
Wow, yep you are so right
You know, women have been raped since almost the beginning of time, yet that still makes the news. Seriously, don't we have anything new to talk about. Every time I look, it's the same old thing. Murder, death, war, famine, malicious attacks through vectors in software that many erroneously believe impervious to attack because it was written by a community of programmers who release their source code into the wild. Yeah. . there's nothing new under the sun. . . nothing new.
Posted by zboot (168 comments )
and yet...
in all my years using these products with all these flaws, I have yet to be attacked..

However in my years of using OpenOffice, it still hasn't ceased to suck ass.

Go figure...
Posted by daftkey (136 comments )
you haven't used M$ PowerPoint?
you should do a proper comparison of sucking ass, they all suck ass in their own special little magical ways.

Power Point crashing while you're saving your file = lots of fun. -sarcasm
Posted by ColdMast (186 comments )
Fixed bug. Old news. Move On
So why are we talking about a fixed bug on the 25th? Anyway kudos to openoffice for fixing many bugs all at once. Microsoft drags its legs on that.

The next version of OpenOffice (version 2.3) arrived on September 17 and is not affected by the flaw.

KieranMullen
http://360oregon.com
Posted by kieranmullen (1070 comments )
open office update questions
I tried to download OO today but Torrents are not allowed on this network.

But I have a question.
How do average users go about applying updates to OO?

Are there ever patches?

How do you find out?

How do you get them?

Do you just have to wait for the next version to fix a bug?

I am sure it is damn near bug free so maybe my questions are moot, but please answer just for fun.

Thanks

Tom
Posted by tgrenier (256 comments )
moot
moot

talk to the systems admin,
I'm sure they can download it for you.
Posted by ColdMast (186 comments )
I thought Open Source was always Secure?
I thought Open Source was always Secure? Odd that both the office software, and the underlying "secure" OS (Linux) were able to fall victim to a buffer overrun...
Posted by techFirst (2 comments )
Ah, no
It's "less insecure".

Most are vulnerable to hacking, few are vulnerable to viruses, and they are usually patched very quickly.
Posted by Phillep_H (497 comments )
Nah
You are just an idiot.

Every non-trivial program has flaws. Nothing odd about it.

Compare this to Office, a bug from a year old version is news with OpenOffice, for Office to make news it would have to 60 minutes without being exploited.

There is a world of difference between 1 unexploited flaw and the countless exploits in Office.
Posted by MSSlayer (1074 comments )
Really? Secure?
Having worked in IS (at all levels) for XX years - the only perfect solution was designed 2007 years ago (depending on your beliefs).
Posted by Speeder (1 comment )
No, that's a fallacy. Open Source is way way less secure.
Unfortunately that seems to be a common perception. However the statistics have for years now shown that Microsoft products have far fewer vulnerabilities, fewer serious vulnerabilities and are on average patched in half the time of Open Source software.

See http://blogs.technet.com/security/archive/2007/08/16/july-2007-operating-system-vulnerability-scorecard.aspx

Hence the ongoing market share losses by 'free' Apache to Microsoft Server as people are fed up with their insecure Linux boxes being constantly exploited, hacked and defaced and the nightmare of trying to keep an open source LAMP stack updated and patched. Apache is about to fall below 50% market share for the first time since 1998!

See http://news.netcraft.com/archives/web_server_survey.html
Posted by richto (895 comments )
that was an old flaw
Read the article it describes a flaw in 2.0.4, which is at least a year old.

If you've been updating and auto-updating from OpenOffice.org 2.3, this wouldn't even concern you.
Posted by Maccess (610 comments )
There are differences
Difference #1: This flaw was found in an old version of Openoffice.org, not the current version.

Difference #2: It was found by the researchers being able to read the source code, because it's open-source.

Difference #3: On Windows, the most likely scenario is that the exploit would get administrator privileges. On Linux, the exploit would get limited user privileges at best (since Linux users do not run OOo as administrator).

Difference #4: If the Linux user is using Fedora/Red Hat-based distributions, SUSE, or the in-development Ubuntu (I've named the biggest distributions here), there is greatly-reduced chance of any harm happening. This is because these distributions are equipped with SELinux or AppArmor, which are kernel-level systems that define what a program can do. If OOo gets convinced to do things that it shouldn't normally, those two security systems will either prevent it or raise an alarm to the user.

Difference #5: Fedora and Red-Hat based distributions randomise the memory addresses of programs, making a successful buffer overflow exploit much less likely still.

Why was the flaw demonstrated on Linux first? Because you can customise Linux to turn off the security features if you wish. It's dumb to do so, but it's possible. Also note that the flaw works regardless of operating system - Windows Vista and Mac OS X are not invulnerable to it.

Finally, open-source is not "Secure". It is merely MORE secure than proprietary systems.
Posted by 3rdalbum (287 comments )
NO, that's not the same thing.
Windows update can patch Office in the background before you next use it.

If someone sends you an exploit for an Open Office vulnerability, and you launch it as an attachment, the file is loaded into Open Office and you get exploited before the software has a chance to update!
Posted by richto (895 comments )
The story misses the mark
The story should have contained a warning for those using outdated versions of OpenOffice.org to update to the current patched version...As is...the story is just a warning for a problem...without mentioning the solution that is readily available.
Posted by dburr13 (117 comments )
I amend my comment
The story did mention the updated version...But it did fail to highlight the fact that downloading the update makes this problem go away.
Posted by dburr13 (117 comments )
Get real folks; "The Russians Are Coming"!
... in from the "air":

"Russia unveils new passenger jet"

http://www.news.com/Russia-unveils-new-passenger-jet/2100-11397_3-6210057.html

Read Commander_Spock's and another comment that followed and this brings us to the reading which states: "He who thinks that he knows; and, knows not that he knows nothing is a fool"!
Posted by Commander_Spock (3123 comments )
Getting to the point....
... "reader comment from rdupuy11"

... "looks like the best dang business plan 'EVER'!"

http://www.news.com/5208-11397_3-0.html?forumID=1&threadID=31454&messageID=313846&start=0

What does this tell one about the capabilities/requirements of an Office (Productivity Suite)? Got to have the same one that the Russians are using - period!
Posted by Commander_Spock (3123 comments )
Very entertaining to read the comments
I interrupt the flame wars for this brief announcement:

I see we have a few MS fan boys, and many OpenOffice.org (OO.o) fan boys.

The only truly secure computer system is the one that is never plugged in and turned on.

Regardless of which office package you use, if you don't keep it updated, you have vulnerabilities. Neither update system (MS or OO.o) is perfect, and I'm sure many people turn off the updates or just flat out ignore them.

In my opinion - as a heavy user of BOTH office suites - OO.o has all the functionality to satisfy 99% of home users and 75% of office workers. Excel has a slight edge over OO.o when it comes to serious formulas and number crunching.

Add the functionality to the fact that it's free and you have a serious competitor in the office suite market.

BTW - OO.o does get patched much quicker than MS can patch MSO. Just deal with it.

I now return you to your regularly scheduled flame wars. Battle on!
Posted by One-Eared Gundark (610 comments )
A big deal.
Patches are being applied regularly to MS Windows, GNU/Linux and to Mac OS's and their associated applications.

So what is the fuss about? 17yo daughter's computer has far more patches on her Win XP OS install than on her Mandriva GNU/Linux OS.

The security of open source is around 2 separate issues:
1) We do not log in as administrator, so any malware we do pick up cannot do anything serious,
2) The GNU/Linux developer base is huge and any flaws are noticed early on, before they are taken advantage of.

Put it this way;
I have been involved in repairing 2 Win XP and 1 Win Vista machines in the last week from malware. As regards this Ubuntu GNU/Linux machine and other computers amongst friends and family, NO infections, crashes or the like or anything near it. Just relaxed, easy going and safe open source computing.

Best Wishes Chris.
Posted by chrisENJUNSc (1 comment )
Take your lumps
Lesson for the day: If you can't take it, don't dish it.

I wish the Open Source and Apple fanboys would grow up someday and learn to take their lumps like the rest of us.

First it's "Non-Microsoft Product X" NEVER has problems like "Microsoft's Competing Product". Then "Non-Microsoft Product X" has a problem and then the backstroke begins...

"Non-Microsoft Product X" has a lot FEWER problems than "Microsoft's Competing Product" and aside from that "Microsoft's Competing Product" sucks.

One reader commented on how there were a lot more Open Source fanboys commenting here than Microsoft fanboys. I think that speaks volumes. Users of Microsoft software (a.k.a. fanboys) don't feel the need to bash other non-Microsoft software like Open Source fanboys do. I think it has something to do with a thing called "reality" that seems to escape the fanatics.

Now go enjoy your copy of Halo 3 on your Microsoft Xbox 360!!! I, being the consummate Microsoft fanboy that, will now retire from the computer this evening to go play on my Nintendo Wii since I've never bought an Xbox.
Posted by kojacked (1129 comments )
Yes, MS bugs are affecting only Windows since there is no MSO for others ;)
There is no MS Office for Linux so MS bugs can't affect anything but Windows. Actually MS is in loss - Windows users do have bugs in MSO and in OO, Linux ones in OO only. Slightly fewer, he-he-he :)
Posted by t3st3r` (60 comments )
Haha, Linux normally takes care on updating ALL programs :))))))
Linux systems do have a way better installers and updaters.

First, you can install a dozen of programs in few mouse clicks from software catalogs called repositories. Just few mouse clicks and all chosen programs are here. Usually programs are free so you really getting new software at blazing speed.

Second thing... Linux systems do have updaters capable of updating ALL programs. Not just a "genuine MS crap". So you do not have to stick to something and pay-pay-pay-pay-pay-pay-pay.... forever. Free system means more freedom, more choice, more flexibility, less headache, less restrictions and well, there is no moron fascist EULAs from MS. So you can grab one copy of OO and install on all machines. For free, and absolutely legal. MS will call you a pirate then.

And well, MS activation is sort of crap which can once sabotage system operation without good reasons resulting in major losses. Nobody will cover 'em though. Read license carefully, Luke. Then think twice: ARE YOU REALLY AGREE with all this crap in MS EULA???
Posted by t3st3r` (60 comments )
but then
you have to use free software, like uhm OO
Posted by sanenazok (3449 comments )
and?
That has what to do w/ the story?
Posted by Michael Vasovski (8 comments )
and?
Paying for something brings some type of guarantee?
Posted by Michael Vasovski (8 comments )