'Highly critical' bug bites OpenOffice

'Highly critical' bug bites OpenOffice

Summary: OpenOffice.org has shipped a fix for a "highly critical" vulnerability affecting versions 2.

SHARE:
44

‘Highly critical’ bug bites OpenOfficeOpenOffice.org has shipped a fix for a "highly critical" vulnerability affecting versions 2.0 to 2.4 of its open-source desktop productivity suite.

According to an advisory from Secunia, the flaw could be exploited to launch code execution attacks with manipulated document files.

From the OpenOffice.org warning:

A security vulnerability in the custom memory allocation function from OpenOffice.org may lead to heap overflows and allow a remote unprivileged user who provides a OpenOffice.org document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running OpenOffice.org. No working exploit is known right now.

Secunia says the vulnerability is caused due to an integer overflow error in "rtl_allocateMemory()" and can be exploited to cause heap-based buffer overflows via a specially crafted document.

ALSO SEE: Sun patchvertising OpenOffice with Java update

Topics: Software, Collaboration

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

44 comments
Log in or register to join the discussion
  • RE: 'Highly critical' bug bites OpenOffice

    Just think what could happen if these talented hackers creating these malicious viruses, attacks, etc. would apply themselves.
    bricar2
    • OpenOffice users are still totally safe

      OO doesn't have enough marketshare to attract the attention of those hackers and marketshare is the only thing that counts when it comes to consumer targeted malware.
      NonZealot
      • Common sense

        We're *not* 100 % secure and safe, as Open Office users. However, the risks are minimal, as long as security holes are fixed quickly.

        The best defense is common sense. Even if you're running relatively secure software.
        http://ubuntutip.googlepages.com/security
        pjotr123
        • Except it wasn't fixed quickly

          "However, the risks are minimal, as long as security holes are fixed quickly."

          Did you notice the bug has been there since version 2.0? I'd hardly call this fix "quick".

          Not blaming the Open Office programmers, hey, mistakes happen. And this stuff is subtle.

          *But* it does put the lie to the "many eyes" argument. If that argument were true this would not have persisted through 5 releases.

          The truth is, OSS or proprietary somebody has to actually *look* at the code, know what they're looking at is a bug, and then get confirmation so they don't introduce another bug (like that Debian Certificate bug, ouch!)

          The argument that OSS lets anybody look at the code is true--but irrelevant simply because people won't look--and even if they do chances are they won't recognize a bug like this when they see it.

          </rant>

          It's a bug, they happen. It's been around for a while, that happens too. It's been fixed. Move on.

          But this was NOT a quick fix. And it could happen to proprietary code just as easily as OSS. And vice versa, of course. :)
          wolf_z
          • The Windows cursor bug wasn't, either

            There is a difference between finding a bug then fixing it, and creating the bug then fixing it: while the bug was discovered in version 2.4, it was found out to apply since version 2.0 - released in 2005. this bug allows remote code execution with current logged in user's rights. If the user isn't an administrator, there is not much to fear.

            The Windows cursor bug was found under Windows Vista in 2007, and had an exploit in the wild. Bug auditing showed that the bug was present in Windows 2000 RTM - published in 1999.

            Meaning that a Vista Highly Critical bug (remote execution, privilege escalation) was eight (8) years old.

            Closer to us, one of this month's IE security warning was present in IE 8, 7, 6, 5.5, and 5. IE 5 came out in late 1998.

            Said bug is thus 10 years old. compared with OOo's no-more-than-3-years-existence for bugs, well, MS track record doesn't look like much...

            Hammering the point in: you should look at the time between bug discovery and bug fix. OOo is more common than you'd think - so yes, it can be targeted. That's why they have code audits, frequent Valgrind runs, and hunt for leaks module after module. Considering OOo's code base size, it's a long process.

            Mitch
            Mitch 74
          • Typical fanboi

            Culprit 1's (MS) transgression is older/worse than Culprit 2's (OO), so Culprit 2's transgression is not really that bad and no one should call it out.

            Lay off the Kool-aid.

            Codes have bugs. Be a responsible consumer, realize this, and ask that whatever product you use be managed properly by its provider. Get over it.
            tikigawd
          • 2 Points

            1) User Rights - Same could be said about Windows, just remember in Windows you don't have to be an admin. Just because most Windows users are stupid and are isn't a good argument.

            2) Since MS Office is the most widely used and hence attacked product, I'd have to say its "code audits" are much more exhaustive than OO.org.
            rkuhn0401729
    • That's the problem

      [i]Just think what could happen if these talented hackers creating these malicious viruses, attacks, etc. would apply themselves.[/i]

      That's the problem, they do apply themselves. Malware writers these days are full-time, highly skilled professionals. These aren't script kiddies living in their mom's basement.

      OpenOffice is a lot more popular than most people realize. It's hard to enumerate because there are no sales figures or quarterly numbers. Since it can save in .doc format, it's hard to document the program of origin.
      Chad_z
      • I think you're agreeing with me. :)

        How, exactly, do our points differ? Windows had a bug, OO had a bug. It took OO a while to find, it takes Windows a while to find.

        <shrug> Mistakes happen. Code bases work for a long time and are considered safe, so are ignored.

        I'm not ragging on open source for having bugs, or even not fixing them for long spans of time. I am merely pointing out one of open sources long standing arguments (many eyes) is simply wrong.

        Tho come to think of it, as FOSS gets more popular the many eyes argument is becoming less common... (laughing)
        wolf_z
  • RE: 'Highly critical' bug bites OpenOffice

    FYI, it's already fixed. Update to version 2.4.1.
    brassmaster
    • Yet here is something in which MS Office is far superior

      to OOo, at least on the Windows platform. MS Office has an automatic update system, and its updates do not require a download of the entire package. Worse yet, I manually selected the "Check for updates" selection in the Help menu, and got a failure.

      This is unacceptable in a business environment. OOo has you manually checking for updates on their website, and has you download a 127 MB package for every security fix they make, which is hard for businesses with slower download speeds. Even Linux distros, which do automatically inform you of and install updates, would still have you download the entire 127 MB package to update.*


      *SuSE might be an exception, their security updates are usually quite small.
      Michael Kelly
      • Far superior?

        Well, if you start using OOo in a professional, networked environment, then you can make use of the network install feature - in which case you download the whole package yes, but you only need to install it once.

        Let me remind you too that when you get the whole package, you don't only have a single security fix: you get several bug fixes along the way. And since it's the whole package, you don't need to test this then that patch together, then that other... You test once, you validate once.

        Your argument is valid only in those "professional" cases where:
        - there is no policy for centralized patch deployment (which is, for any OS, a bad idea)
        - new software packages aren't tested before they're installed,
        - bugs encountered by users go to the Recycle Bin.

        That ain't quite pro...
        Mitch 74
      • you serious?

        are you serious? I doubt thats how it really works...

        I dont mess much with straight OpenOffice, cuz i mainly only use NeoOffice (which is built off OpenOffice) and it auto checks for updates and allows me to download a patch, not the whole program...
        doh123
  • How can it have a bug? It's open source...

    Oh gee, that's right, it's just software...

    How did software become a religion?
    dragon4
    • Nobody ever said open source software doesn't get bugs

      It's what happens once the bugs are found where open source has an advantage.
      Michael Kelly
    • Exactly, that is an argument for open source...

      Proponets for open source have argued that given an open source software, all bugs will be found b/c of the many eyes viewing the source code. However, that is a myth! I am not against open or close sourced software. Both will always have bugs. It is just that no matter how many ppl you have looking at the code, something will be missed. Whether that be a data path or even a whole section of code (how you check something if it is not even there?). And if it is caught, a new bug might be introduced (ie Debian and OpenSSL) where others will already assume that since it was "fixed" there is no need to revisit.

      Now lately, I do believe that closed software vendors have become more responsive to updates and patches which, as long as they keep up the quick response, should elimiate that argument between open and close source software.
      lehanrp
      • Sadly mistaken...

        I don't believe you understand what you just said. You mentioned all bugs being found but you didn't say anything about when. Did you see an open source proponent say all bugs would be found before release? If not then what are you complaining about? They found a bug just as you said they claimed they would.

        The misconception here is that there will be NO bugs and no one has ever said that. In fact it would be quite contradictory to have an open source project such as Bugzilla if there were never going to be bugs.

        However the fact that some of you are so happy to pounce on this news indicates that you haven't seen that many bugs in open source projects. Maybe that should tell you something.
        storm14k
    • You tell me...

      I thought open source at its source was nothing more than an individual or group that write some software and share the code. Theres nothing religious about that.

      Now how you figured open source was somehow bug free I don't know. Maybe your religion taught you that.
      storm14k
  • RE: 'Highly critical' bug bites OpenOffice

    How many times will this be posted? I replied to the original story yesterday and now the reply (which was something to the effect of "That explains the update!" is gone...)

    Anyhow, good thing only 15% of the office users use OpenOffice! ;) ]:)
    Linux User 147560
  • RE: 'Highly critical' bug bites OpenOffice

    As I dislike BG's stranglehold on computing and the internet, I downloaded OO 2.0, but I learned from one of my Security systems, that I had downloaded a Trojan! I did write to tell them about this. How long has this 'fix' taken? It only takes one Trojan to jeopardise the whole system??
    john.ath