OpenOffice.org, the open-source office suite project, released OpenOffice.org 2.3.1, which patches a vulnerability in HSQLDB, the database engine bundled by default with the 2.x series of the suite, according to an advisory released by the project.
OpenOffice.org 2.3 was released last September.
John McCreesh, OpenOffice.org marketing program lead, told SCMagazineUS.com today that he is not aware of public exploitation of the flaw. He added that the surge in client-side attacks is a result of attackers exploiting the familiarity of business productivity applications.
“The more an attacker can hide an attack inside something familiar, the more likely people are to fall for it. So, if you're used to receiving 50 work emails a day with Microsoft Word attachments, then you'll probably open the next one to land in your inbox without a second's hesitation,” he said. “We're doing what we can – for example, we've recently raised the default level of security within OpenOffice.org – but at the end of the day, it's down to education, education, education.”
FrSIRT, the French Security Incident Response Team, rated the flaw “critical,” and noted that an attacker could use social engineering to trick an end-user into opening a malicious document.
Amol Sarwate, head of the vulnerability research lab at Qualys, told SCMagazineUS.com today that alternative productivity suites, such as OpenOffice.org, are not widely deployed in the corporate world, but administrators should be quick to defend against arbitrary code execution attacks.
“I would say that there is a growing trend of businesses trying out OpenOffice.org, but the predominant office software is still coming from Microsoft. But if [administrators] have OpenOffice.org at their companies, they should take this vulnerability seriously since it allows arbitrary code to go on a user's machine,” he said. “This is an ongoing trend that we've been observing in client-side applications – basically [Microsoft] Word documents and spreadsheets – and this falls in line with the trend of attacking those applications to get at users' PCs.”