Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Code execution flaws haunt OpenOffice

By | October 29, 2008, 10:19am PDT

OpenOffice.org has shipped a new version of the open-source desktop productivity suite to patch a pair of highly-critical vulnerabilities that could expose users to arbitrary code execution attacks.

The flaws, which affect all versions prior to OpenOffice.org 2.4.2, could be exploited via manipulated WMF and EMF files in StarOffice or StarSuite documents.

The skinny:

  • CVE-2008-2237: A security vulnerability in the way OpenOffice 2.x processes WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. There is no workaround.
  • CVE-2008-2238: A security vulnerability in the way OpenOffice 2.x processes EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. There is no workaround.

OpenOffice.org described the bugs as file-handling heap overflows. Patches are available in OpenOffice 2.4.2.

OpenOffice 3.0 is not affected by these vulnerabilities.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

75 Comments

RE: Code execution flaws haunt OpenOffice
birumut Updated - 5th May 2011
Well done! Thank you very much for professional templates and community edition
seslisohbet seslichat
0 Votes
Code execution flaws haunt OpenOffice
Loverock Davidson 29th Oct 2008
LOL!! Let the bug hunt begin. This will be one of many bugs found in OpenOffice. Remember when v3.0 was released and all the fanboys were telling us to replace our current solutions with this new version because it works so much better? Well this is the reason why we don't! Ok this is only part of the reason, the other is the incompatibilities.
0 Votes
You should at least RTFA
mikefarinha 29th Oct 2008
The last line of the article states:

OpenOffice.org described the bugs as file-handling heap overflows. Patches are available in OpenOffice 2.4.2.

OpenOffice 3.0 is not affected by these vulnerabilities.


So yes OO.org users SHOULD switch to OO.org v3.0
0 Votes
Still leaves the issue of vulnerability
Loverock Davidson 29th Oct 2008
Just by using it you're still vulnerable because the 2.4 code has shown it's buggy and how far off do you think the v3.0 code is? I'm guessing not far off and a variant will show up. So no, you shouldn't use OO.o
0 Votes
Loverock.... you're hopeless
mikefarinha 29th Oct 2008
And this is coming from a self-proclaimed Microsoft Fanboy...

No one wins when FUD is spread around and I'm calling you out on your lack of reason and understanding.

OO.org is just fine for some people. And I suspect that it will get wider support thanks to Microsoft... yup you heard me right!

In Windows 7 Microsoft is going to be revamping all of their standard apps like MS Paint and WordPad.

One of the new features in Win7's WordPad is native support for both ODF and OOXML.

So anyone creating a document in OO.org can send it to anyone using Win7 and know with confidence that they will be able to read it and make minor edits.
0 Votes
I know you are but what am I?
Loverock Davidson 29th Oct 2008
You are the hopeless one! OO.o will not get any support from Microsoft. People will continue to use their current office suite due to the vulnerabilities of OO.o 2.4 and that v3.0 hasn't had the bugs worked out yet.
0 Votes
Right over your head!
mikefarinha 29th Oct 2008
I never said Microsoft was supporting OpenOffice. I said Microsoft was supporting the ODF format in Windows 7 which will, in turn, help alleviate concerns people have about using the ODF format for their documents.

When people don't need to worry about which apps work with which formats then there is a barrier to entry removed (by Microsoft) which allows more competition to enter into the market place.

The products MS Office, OpenOffice, etc. have to compete on user experiences instead of vendor lock-in.
0 Votes
Very unlikely
Loverock Davidson 29th Oct 2008
It's very unlikely that people will switch to ODF when .DOC provides a rich format. Or someone can receive an ODF file, import it, then convert it to a standard Office format. Now that I think about it maybe it will help Microsoft.
How scary is that?

First off, I never said that this will cause people to 'switch' to ODF. I simply stated that this will level the playing field so that people can look at both the format and the product (ie the various editors) independently and decide which combination is right for them with out fear of incompatibility.

Also .doc format is being replaced by the .docx format so I'm not sure if you misspoke or what?

But, but... Perhaps this will 'help' Microsoft in an unexpected way.

If OpenOffice does become competitive what would stop Sun from relaunching StarOffice and subsequently stop, or reduce, active support for OpenOffice?

Despite what people say about OSS, a lot of the developers don't work for free. They are in fact paid for by Sun or IBM or Novell or any number of Microsoft competitors.

This could completely blind-side a lot of OSS advocates.

But obviously OSS will never die. The thing that makes OSS unable to compete, lack of real leadership (ie a million people going in a million different directions), is directly tied to the thing that makes them unkillable, everyone is in it for their own pleasure.
0 Votes
Hopeless...
ShadowGIATL 29th Oct 2008
is arguing over different points of view. I think everyone will pretty much stick with what they are using until one or the other provides an irrefutable reason to switch. I don't see it in the near future.

People have the right to choose what they want.

I use both. I have MS Office for most of my day to day use, and OOO for other machines that aren't mission critical. I use MS Office because most people still use it. Only reason I have the new version is because I get an academic discount. But OOO works for most anything I need it to.

With a good AV program, most of the vulnerabilities aren't very effective anyway no matter what software you use.

Good things come from open source. Good things also come from closed source. We shouldn't close our minds to one or the other. They feed off each other and act as a balance to keep the power from shifting too far to one side. Open source is what keeps Microsoft on their toes.
0 Votes
Yeah, it's not like...
jasonp@... 30th Oct 2008
Microsoft software has ever shown itself buggy enough to ever be patched. Using your logic, or lack thereof, nobody should use any product from Microsoft or any other vendor that has ever had to be patched after distribution. See how dumb you really sound?
0 Votes
Please don't use OOo
Timpraetor 30th Oct 2008
Loverock - please don't use OOo or any other non-Microsoft products ever. And, since you'll not be using any of the other products, please keep your lame-assed opinions to yourself and let the rest of us get on with our lives without having to wade through your inane posts.
0 Votes
Doesn't Loverock make you wish that...
djchandler 30th Oct 2008
ZDNet could allow its users to create a profile on their blogs. I've been able to do that on forums, allowing me to ignore certain posters and keep them from pestering me with direct messaging as well.

Even though this is not a forum, it would be nice to have that feature. Any chance of ZDNet filtering a pest's posts if enough of us complain? Probably not. My solution is to try to get a laugh out of his narrow view of things. It's hard though because I also understand how unbalanced he must be. How sad.
0 Votes
Logically flawed argument
notsofast 30th Oct 2008
For the record, I use Office 2007 at home and 2003 at work

Your argument is a poor one. Just because this has a security flaw doesn't mean it's more or less vulnerable than Office.

There are fairly regular security updates for Office products. If anyone made your point about Office, I'd argue almost the same thing.

Compatibility and usability are the main reasons to be cautious about switching.

And before all the open source fan boys start pouncing, what that means is if you're switching to OO, that is what you need to seriously investigate before doing so.
0 Votes
So I guess...
robsku 3rd Nov 2008
...your alternative that never has had (and never will) any security flaws and provides the same features?

This only goes to show that even rare and unlikely never to be exploited flaws are found and patched efficiently within good FOSS projects.

...we all know how some other products have managed on this field.
0 Votes
ha ha - don't hold your breath....
deaf_e_kate 29th Oct 2008
he also lacks comprehension so you are on a losing path if you want to appeal to him.
...security. Doesn't mean it's going to happen.
0 Votes
And no reason not to
waltmaine 30th Oct 2008
OOo is FREE. Unlike MS Office, where unless you are on the uber-expensive software assurance plan, upgrades are free. In MOST cases, there is no reason to keep running old versions of open source software.

This is a non-story with a headline designed to instill fear in open source software. For shame. Get some journalistic integrity.
0 Votes
So, what do you think about last week's Excel advisory that hit EVERY version of Excel? Shouldn't we switch away from Excel then?
0 Votes
Nothing
Loverock Davidson 29th Oct 2008
because this isn't about Excel.
0 Votes
So you're a hypocrite then?
rpmyers1 29th Oct 2008
Excel 2007 has code execution flaws and compatibility problems. Why aren't you whining about that?
0 Votes
Easy answer...
Linux User 147560 29th Oct 2008
He's a hypocritical moron!
0 Votes
Nope
Loverock Davidson 29th Oct 2008
as stated earlier, this isn't about Excel. What is so hard about that statement to comprehend?
0 Votes
Amazing...
eMJayy Updated - 29th Oct 2008
They have you cornered like a little mouse, don't they? That's what happens when you're a troll-wanna-be in a forum filled with people who actually have to think for a living.
0 Votes
That's hilarious
thelivo 29th Oct 2008
He can't answer you so he dodges the question. Why am I not surprised!?
0 Votes
Lovey is the biggest hypocrite on these boards. His shilling for Microsoft is legendary.
0 Votes
Disagree
mathcreative 27th Feb 2009
Loverock I do agree that security issues with a program is a big issue. But the alternatives aren't much better at dealing with these issues either. There will always be flaws in software open source or not. Though because of the nature of the open source development model, the software tends to have less flaws. The question remains is does open office tend to have more security flaws than office? In reality I can't say for sure. But my guess is that they're just about the same, and if you disagree I would like you to show me the facts.
0 Votes
Openoffice now supports as many code execution problems as Office. True compatibility?
0 Votes
With their source open and all the FOSS developers out there on this planet reading each line of code more strictly than Foxnews scrutinizing Obama's speech, how could there still be flaws??!! No I refuse to believe Open Office has flaws. Must be a hoax.
0 Votes
It's worth every penny you pay for it?
dragon@... 29th Oct 2008
Because like most things, programmers are only worth what you pay them.
And sometimes not even that.

Most FOSS developers get paid what?
0 Votes
You hit that one on the head. (nt)
No_Ax_to_Grind 29th Oct 2008
.
...writing software. OSS code is of excellent quality given most developers aren't paid to develop the code.
0 Votes
FOSS developers pay
NetArch. 29th Oct 2008
"Most FOSS developers get paid what?"

Oh, in the high 5- to low 6-figures. 'Bout $75k to about $130k. Yeah, they're poor alright...

I wonder what Jeremy Allison (Samba) at Google or perhaps Daniel Robbins (Gentoo founder) at IBM are paid? Yeah - all FOSS programmers work for free. Dream on, trolls and MS fanboys...
0 Votes
I first read it in 1967 - Software that isn't being debugged isn't being used. In the ensuing years no one has come up with the perfect automatic code generator or checker.

How could software have flaws? By being software.
0 Votes
.
0 Votes
Sarcasm noted
IT_User 29th Oct 2008
But why bother to post? Unless this particular poster simply saves this comment for every note of a software flaw in application.

I'll have to admit he/she left an opening too large to resist
0 Votes
No argument
IT_User 29th Oct 2008
But read the post. This idiot went far beyond reason by implying that he somehow had inside information regarding repeal of laws of physics - or math.
0 Votes
Kinda like Mike Cox and his rants...
Wolfie2K3 30th Oct 2008
...about installing pre-Alpha bits of Windows 7 on his production machines and how productivity has risen 50% - with some users not even bothering to boot their computers.
0 Votes
All part of the sarcasm. nt
ye 30th Oct 2008
.
0 Votes
Well, "the many eyes"...
robsku 3rd Nov 2008
...found this bug (not blackhats as no exploit exists) & fixed it in a whip... so I don't get the point really.
0 Votes
How could software have flaws?
ShadowGIATL 29th Oct 2008
"How could software have flaws? By being software."

Being programmed by humans.
0 Votes
(nt)
0 Votes
The flaw of averages...
ShadowGIATL 29th Oct 2008
Not to take away from the fact that Office has its fair share of flaws, but it also has more users. More users means more use, and more use means more likely to find a flaw. Also more userbase means bigger target audience, and that means more people to attack making your payoff larger for the exploits you wrote for that spyware you've been working on all month.

There is money in infecting computers to gather information to use for identity theft and other such crimes. If you had to choose what percent of your paycheck you get which would you take; 5%, 20%, or 75%?

If the roles were reversed you'd see that flaws found are generally relational to userbase.

The whole compared to MS point of view has been played out way too much. Stop hiding behind excuses and admit that like all software, even OOO is mortal. Anything programmed by humans has flaws. Microsoft gets its employees the same way every other company gets theirs. Considering what they pay, I'd seriously doubt a lot of good programmers would turn them down simply because they are Microsoft.

Bottom line, Microsoft has more flaws because more people use Microsoft products. That fundamentally makes your whole argument flawed. If you can't give away a free program that is supposedly better than one that costs $200 - $600, and in fact dominate less than 20% of the market, then something is wrong.

So I know you're burning to provide your set of excuses and defend your programs of choice now. Go ahead. But the way I see it, I don't work for The Big Apple, MonopolySoft, or program for the vast open source projects. I merely point out that just because one software is created differently than another doesn't mean it's instantly flawless. And the Titanic couldn't sink.

However the constant ranting about whose system of choice does prove to be entertaining... so on that note... write away to your heart's desire. Entertain me with new ways that your favorite software is the almighty everlasting one size fits all masterpiece that it is.
0 Votes
It's just that OSS zealots feel so superior that pointing out errors in their work is quickly rebuked. It's either you're stupid or you're an MS shill. Ever tried posting anything negative about OSS in Slashdot?
0 Votes
Balance
ShadowGIATL 30th Oct 2008
I looked at slashdot for the first time in years a couple days ago. The amount of bias on that site made me vom a little.

At least on this site you have a fairly balanced number of fanboys on all sides. Makes for better entertainment.

Now it's time to rile everyone up...

Windows sucks!

Linux sucks!

MacIntosh sucks!

BeOS rules!

Now take that....
0 Votes
Anything programmed by humans has flaws
eiverson@... 30th Oct 2008
"Anything programmed by humans has flaws." Excellent point! It means we must always assume that any client software running on our PC can eventually be compromised due to a flaw in it.

In the past, I've used OO 2.4 with something called EdgeGuard Solo that my company offers as freeware. It's a last line of defense to stop malware attacks that signature-based tools miss, which is becoming all the more common as malware-makers automate signature changes. Here's a link if you're interested: http://www.blueridgenetworks.com/solutions/edgeguardsolo/
0 Votes
The ABMers would have us believe Microsoft software should be flawless and are more than happy to point out said flaws.
0 Votes
What is wrong with some of you? Nobody said open source software is perfect. Before going on about a couple of vulnerabilities in OO - take a look at all those vulnerabilities in your much beloved MS Office.

Can anyone show me a list of perfect software? I doubt it.

Also, according to the logic of people on here, if OO started to charge $$$ for the software, it would be instantly better, because "you get what you pay for". NONSENSE.
0 Votes
It has been proven that open source programmers are homicidal murderers. Releasing "vulnerable" code allows them to track your location, find you, and kill you. Save yourself, save your family, pay for your software!
0 Votes
This is only a problem in Windows
Chad_z 29th Oct 2008
Do pay attention to the important part:

...execute arbitrary commands on the system with the privileges of the user...

Provided you're not working away logged in as root, a very BAD idea, then you can't do anything more than you can do with user privileges, which is not much in Linux.

Now on Windows, you just porked an XP box, unless you're one of the five places in the world with their Windows boxes locked down tighter than a Mormon prom. Vista maybe not as bad, unless you have the UAC shut off.
0 Votes