OpenOffice.org details vulnerability

OpenOffice.org, an open-source software maker, has confirmed a buffer overflow issue that could allow remote attacks.

The problem in its freely distributed productivity applications has been fixed, the organization said late Tuesday. Representatives said the group hopes to release a patch within the next 48 hours.

The flaw, first discovered in late March, according to postings on the group's Web site, is present in OpenOffice Version 1.1.4 and the OpenOffice Version 2.0 beta release of the applications, as well as in earlier versions of those products.

According to the OpenOffice site, the flaw was found in one specific function of the software and could be exploited by files designed to take advantage of the vulnerability. OpenOffice.org said the flaw may have allowed for remote execution of malicious code on computers running the affected OpenOffice applications.

Security researchers following the issue rated the flaw as relatively serious, with Secunia labeling the vulnerability as "moderately critical," its rating for issues that can compromise systems but that require user interaction in order to be exploited.

The flaw has now been effectively addressed by eliminating coding bugs that created the vulnerability, according to members of the OpenOffice community, the group of open-source software developers that contributes to the expansion of the software.

In an e-mail sent to News.com, Louis Suarez-Potts, community manager for OpenOffice, said that work on a fix for the buffer overflow vulnerability was completed on Tuesday. Suarez-Potts said OpenOffice is testing the security update and plans to distribute the remedy by Wednesday at the latest. Future versions of the group's software will include the fix, he said.

The ability of OpenOffice software users to fix problems on the fly has been highlighted by the group as one of the advantages of its applications. The open-source development model allows collaborators to view code and submit changes such as bug fixes or enhancements. Rival Microsoft typically issues security patch updates for its Windows products once a month.

[Scott W]

already fixed

the flaw was discovered in late march and fixed by mid april. are you listening microsoft? free and fast bug fixing. that's value for money.

[David Arbogast]

half heartedly

MS can see just fine. And what they see, is an approximate 1-month turnaround on a fix. Lets not forget that MS's schedule calls for monthly patches, and in many cases MS bugs are patched before they are announced. There is one big difference, though. Users of OpenOffice have to uninstall their existing version, then download and reinstall a completely new version. Can you imagine if MS asked their users to do this with Office? Where is the PATCH? Another half-hearted effort....

WHAT?!?!

Why would Microsoft be 'listening'? Microsoft has nothing to do with this story. Further, it wasn't Microsoft's bug.

Why do open source folks bring up Microsoft to defend themselves when a problem pops up on one of the thousands of open source projects out there?

Just succeed or fail on your own merits. The important thing is that OpenOffice fixed the problem. There WILL be thousands of flaws found in software (proprietary and open source) over the next few years. That is the nature of the business. Microsoft owns up to their bugs, and fixes them in a timely manner. I can't ask for any more from a software vendor. Fortunately, the major open source projects have been responsible enough to fix their bugs as well.

Quit comparing every open source flaw found to Microsoft. They are two different animals entirely. In addition, MS is not the ONLY proprietary software company out there. In fact, I'd guess that most software companies are proprietary to some degree - even big Open Source supporters/MS haters like IBM and Novell.

[J. Warren]

Patch is here:

FYI...

- <a class="jive-link-external" href="http://download.openoffice.org/1.1.4/security_patch.html" target="_newWindow">http://download.openoffice.org/1.1.4/security_patch.html</a>
2004-04-14

.

[Andrew J Glina]

That is funny

After all the debate on the pros and cons of patches there is one. Even so, it is a non-installing version and it will not appeal to non-technical computer users. How hard is it to write a compact intaller to go with it?