Code execution flaws haunt OpenOffice
OpenOffice.org has shipped a new version of the open-source desktop productivity suite to patch a pair of highly critical vulnerabilities that could expose users to arbitrary code execution attacks.
![ryan-naraine.jpg](https://www.zdnet.com/a/img/resize/58705b1ab848cb0209d7d7d504dffaab176d93aa/2014/07/22/4b4e2273-1175-11e4-9732-00505685119a/ryan-naraine.jpg?auto=webp&fit=crop&frame=1&height=192&width=192)
![OpenOffice security vulnerabilities](https://www.zdnet.com/a/img/2014/10/04/38bc685a-4b64-11e4-b6a0-d4ae52e95e57/openofficelogo.jpg)
The flaws, which affect all versions prior to OpenOffice.org 2.4.2, could be exploited via manipulated WMF and EMF files in StarOffice or StarSuite documents.
The skinny:
- CVE-2008-2237: A security vulnerability with the way OpenOffice 2.x processes WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. There is no workaround.
- CVE-2008-2238: A security vulnerability with the way OpenOffice 2.x processes EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. There is no workaround.
OpenOffice.org described the bugs as file-handling heap overflows. Patches are available in OpenOffice 2.4.2.
OpenOffice 3.0 is not affected by these vulnerabilities.