OpenOffice.org releases update to fix database vulnerability

OpenOffice.org released a new version of its productivity suite this week, fixing a flaw that could allow arbitrary code execution attacks.

The open-source provider of business applications released OpenOffice.org 2.3.1, which patches a vulnerability in HSQLDB, the default database engine shipped with version 2 of the application, according to an advisory released by the group.

The flaw is caused by an unspecified error in the database. It can be exploited to execute arbitrary static JavaScript via a specially crafted document, according to Secunia, a Denmark-based vulnerability monitoring organization that ranked the flaw as “highly critical.”

OpenOffice.org 2.3 was released last September.

John McCreesh, OpenOffice.org marketing program lead, told SCMagazineUS.com today that he is not aware of public exploitation of the flaw. He added that the surge in client-side attacks is a result of attackers exploiting the familiarity of business productivity applications.

“The more an attacker can hide an attack inside something familiar, the more likely people are to fall for it. So, if you're used to receiving 50 work emails a day with Microsoft Word attachments, then you'll probably open the next one to land in your inbox without a second's hesitation,” he said. “We're doing what we can – for example, we've recently raised the default level of security within OpenOffice.org – but at the end of the day, it's down to education, education, education.”

FrSIRT, the French Security Incident Response Team, rated the flaw “critical,” and noted that an attacker could use social engineering to trick an end-user into opening a malicious document.

Amol Sarwate, head of the vulnerability research lab at Qualys, told SCMagazineUS.com today that alternative productivity suites, such as OpenOffice.org, are not widely deployed in the corporate world, but administrators should be quick to defend against arbitrary code execution attacks.

“I would say that there is a growing trend of businesses trying out OpenOffice.org, but the predominant office software is still coming from Microsoft. But if [administrators] have OpenOffice.org at their companies, they should take this vulnerability seriously since it allows arbitrary code to go on a user's machine,” he said. “This is an ongoing trend that we've been observing in client-side applications – basically [Microsoft] Word documents and spreadsheets – and this falls in line with the trend of attacking those applications to get at users' PCs.”