OpenOffice.org Releases Update to Fix Database Vulnerability
OpenOffice.org recently released a new version of its productivity suite that fixes a flaw permitting arbitrary code execution attacks.
The flaw stems from insufficient enforcement of security restrictions when SQL queries are passed to the HSQLDB database engine. An attacker who deceives a user into executing a specially crafted SQL query embedded in a database document can thereby call arbitrary static Java methods.
Secunia rates this flaw as "highly vulnerable". OpenOffice 2.3 was launched in September 2007, shortly before security researchers discovered flaws in OpenOffice 2.0.4 and earlier versions. Through those vulnerabilities, exploited with maliciously crafted TIFF files, attackers could take control of a user's system.
OpenOffice.org Marketing Program Lead John McCreesh said he had no knowledge of any public exploitation of the flaw. He also said that the increase in client-side attacks is due to attackers consistently exploiting the familiarity of business productivity applications, as told to SCMagazineUS.com on December 6, 2007.
The French Security Incident Response Team (FrSIRT) also called this flaw "critical" and found that an attacker could use social engineering to deceive an end user into opening a malicious document.
Amol Sarwate, head of the vulnerability research lab at Qualys, said that alternative productivity suites like OpenOffice.org are not widely deployed in the corporate world, but added that administrators should be careful to protect against arbitrary code execution attacks, as told to SCMagazineUS.com on December 6, 2007.
Sarwate added that while many business organizations are trying OpenOffice.org, the dominant office software still comes from Microsoft. If administrators have OpenOffice.org deployed at their companies, they should treat this flaw seriously, since it permits arbitrary code to run on a user's machine.
Moreover, this appears to be a prevailing trend observed in client-side applications, especially Microsoft spreadsheets and Word documents, and it coincides with the trend of targeting those applications to get at users' PCs.
According to Secunia, OpenOffice.org has fixed around five security holes so far this year. OpenOffice.org is currently aiming for a March 2008 delivery date for its next major upgrade, version 2.4.
SPAMfighter News - 19-12-2007