Posted on 04/14/2005 4:35:53 PM PDT by general_re
The 'relatively serious' flaw could allow remote execution of malicious code on computers running OpenOffice. A patch is said to be imminent
OpenOffice.org has confirmed a buffer overflow issue that could allow remote attacks.
The problem in its freely distributed productivity applications has been fixed, the organisation said late on Tuesday. Representatives said the group hoped to release a patch within the following 48 hours.
The flaw, first discovered in late March, according to postings on the group's Web site, is present in OpenOffice Version 1.1.4 and the OpenOffice Version 2.0 beta release of the applications, as well as in earlier versions of those products.
According to the OpenOffice site, the flaw was found in one specific function of the software and could be exploited by files designed to take advantage of the vulnerability. OpenOffice.org said the flaw may have allowed for remote execution of malicious code on computers running the affected OpenOffice applications.
Security researchers following the issue rated the flaw as relatively serious, with Secunia labeling the vulnerability as "moderately critical," its rating for issues that can compromise systems but that require user interaction in order to be exploited.
The flaw has now been effectively addressed by eliminating coding bugs that created the vulnerability, according to members of the OpenOffice community, the group of open-source software developers that contributes to the expansion of the software.
In an e-mail sent to ZDNet UK's sister site News.com, Louis Suarez-Potts, community manager for OpenOffice, said that work on a fix for the buffer overflow vulnerability was completed on Tuesday. Suarez-Potts said OpenOffice is testing the security update and plans to distribute the remedy by Wednesday at the latest. Future versions of the group's software will include the fix, he said.
The ability of OpenOffice software users to fix problems on the fly has been highlighted by the group as one of the advantages of its applications. The open-source development model allows collaborators to view code and submit changes such as bug fixes or enhancements. Rival Microsoft typically issues security patch updates for its Windows products once a month.
You should use Microsoft Word instead. That's never had any security holes :-)
The boys at Secunia are really doing a great service by looking for these security exploits. Good job, guys!
A fix out in 48 hours.
Microsoft doesn't even get their first denial out within 48 hours!
[ crickets chirping ]
48 hours from the article being published, not 48 hours from when it was discovered.
Buffer overflow exploit? Why the heck does a word processor need a network listener?
You don't need network access for a buffer overflow - the article isn't particularly clear, but this one is exploited by loading a maliciously constructed document. No need for remote access to smash the stack. Still have to get someone to open the document, of course, but that's a social engineering exercise.
Ping
Thanks for info.
One last bump before this fades away...
Does anyone know when 2.0 will be released? I'm using 1.1 right now and don't want to install another one until then.
I'm stumped as to why buffer overruns are still a problem, what am I missing?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.