Maliciously crafted Java applets can break out of the sandbox (the security mechanism that runs untrusted code) in OpenOffice versions 1.1.x, and 2.0.x, the company said in a bulletin last week. This could give the malicious software full access to systems, allowing it to read or send private data, and destroy or replace files.
The second hole enables hackers to inject executable code into OpenOffice documents using a macro, which runs when that document is opened. The user is not asked or notified, and the macro has full access to system resources with current user's privileges, again enabling it to read or send private data, and to destroy or replace files.
A buffer overflow vulnerability has also been discovered, by Wade Alcorn of NGSSoftware. The buffer overflow can cause a memory overload and program crash that enables a hacker to attack the affected system.
People can protect their systems from the first vulnerability by disabling support for Java applets within OpenOffice. There are no work-arounds for the macro and buffer overflow vulnerabilities.
Although OpenOffice.org said there are currently no known exploits for the vulnerabilities, it has urged all users of 2.0.x versions prior to 2.0.2 to upgrade to OpenOffice 2.0.3.
Patches for users of OpenOffice 1.1.5 are not available at the moment, but they will be "shortly," the company said.
The vulnerabilities also affect StarOffice versions 6.x, 7.x and 8.x., as well as StarSuite versions 7.x and 8.x, according to security company Secunia. StarOffice and StarSuite are Sun's commercial office software offerings, based on the same code as the OpenOffice suite. Patches are available for StarOffice and StarSuite versions 7.x and 8.x.
OpenOffice.org said on Tuesday that its suite could become more of a target for hackers as it grows in popularity, but it claimed that its structure enabled it to react faster to threats than proprietary software vendors such as Microsoft.
"I believe any software, as it becomes more popular, could be more of a target for hackers," said Cristian Driga, co-leader of OpenOffice.org's marketing project. "But it depends how quickly organizations react. With the open community, we have so many users who report any problem discovered, and our developers react very quickly. We have a faster patch time than Microsoft."
Driga did not believe that the disclosure of the vulnerabilities would damage OpenOffice's reputation.
"We have a security team that takes care of vulnerabilities 24 hours a day--and the open-source community, too. Our speed of response would prevent a decrease in popularity," Driga said.
Tom Espiner of ZDNet UK reported from London.