- Related Stories
-
OpenOffice worm Badbunny hops across operating systems
June 11, 2007 -
New OpenOffice version includes security upgrade
April 4, 2007 -
OpenOffice patches 'highly critical' flaw
January 5, 2007 -
Security from A to Z: Open source
November 27, 2006 -
OpenOffice security is questioned
August 14, 2006
OpenOffice version 2.0.4 and earlier versions are vulnerable to maliciously crafted TIFF files, which can be delivered in an e-mail attachment, published on a Web site or shared using peer-to-peer software. The next version of OpenOffice (version 2.3) arrived on September 17 and is not affected by the flaw.
The vulnerability was discovered by researchers at iDefense, who claim that the OpenOffice TIFF parsing code is flawed.
"When parsing the TIFF directory entries for certain tags, the parser uses untrusted values from the file to calculate the amount of memory to allocate. By providing specially crafted values, an integer overflow occurs in this calculation. This results in the allocation of a buffer of insufficient size, which in turn leads to a heap overflow," the iDefense team reported last Friday.
TrustDefender co-founder Andreas Baumhof said: "This vulnerability allows someone to execute malicious code on your computer. It's an OpenOffice bug so it doesn't matter what type of operating system you run; it allows you to run malicious software with the same rights as the user who runs OpenOffice."
"At this stage, it's only confirmed on Linux," Baumhof said. "But typically it would affect all operating systems. The only difference with Linux and Windows is that home users typically run Windows as the administrator."
In June, OpenOffice users were warned about a worm called "Badbunny" that was spreading in the wild through multiple operating systems, including Mac OS, Windows and Linux.
At the time, Symantec posted an advisory that said: "A new worm is being distributed within malicious OpenOffice documents. The worm can infect Windows, Linux and Mac OS X systems. Be cautious when handling OpenOffice files from unknown sources".
Liam Tung of ZDNet Australia reported from Sydney.
- More from News.com on this story's topics
Security threats
Open source
Flaws
See more CNET content tagged:
OpenOffice,
iDefense,
vulnerability,
TIFF,
worm
The half dozen users that actually installed this are probably going to be vulnerable to viruses for ever more...
Oh well, you get what you pay for.
"Growing Up" They Say!
However in my years of using OpenOffice, it still hasn't ceased to suck ass.
Go figure...
The next version of OpenOffice (version 2.3) arrived on September 17 and is not affected by the flaw.
KieranMullen
http://360oregon.com
But I have a question.
How do average users go about applying updates to OO?
Are there ever patches?
How do you find out?
How do you get them?
Do you just have to wait for the next version to fix a bug?
I am sure it is damn near bug free so maybe my questions are moot, but please answer just for fun.
Thanks
Tom
If someone sends you an exploit for an Open Office vulnerabilty, and you launch it as an attachment, The file is loaded into Open Office and you get exploited before the software has a chance to update!
- The story misses the mark
-
by dburr13
September 26, 2007 7:31 AM PDT
- The story should have contained a warning for those using outdated versions of OpenOffice.org to update to the current patched version...As is...the story is just a warning for a problem...without mentioning the solution that is readily available.
-
Reply to this comment
View
reply
-
-
1 | 2 | Next 10 Comments >>