Open Source

Office suite applications see their fair share of vulnerabilities

Vulnerabilities in office suite applications seem to be the name of the game this week in the security world, affecting versions of both OpenOffice and Microsoft Office Suite. John McCormick details these threats and tells you which ones are fixed and which still need patches.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

OpenOffice.org has patched its vulnerabilities, but threats related to Microsoft Office Suite and Outlook are still out there.

Details

Vulnerabilities in office suite applications seem to be the name of the game this week in the security world. Some versions of OpenOffice (the free edition of Sun Microsystems' StarOffice that you can download from Download.com) contain a highly critical threat (CAN-2005-0941).

The threat involves a buffer overflow vulnerability related to how OpenOffice 1.1.x opens .doc files. OpenOffice.org has released a patch for this vulnerability. For more details, see this Secunia report.

In addition, a vulnerability has surfaced in the Red Hat version of OpenOffice, which allows an attacker to compromise a user's system. Red Hat has released a patch for this flaw. For more information, see this Secunia report.

To stay on top of OpenOffice vulnerabilities, check out Secunia's vulnerability summary pages for OpenOffice 1.0.x and OpenOffice 1.1.x. A few other threats have also affected OpenOffice, but Secunia reports that all have received patches.

However, we can't say the same for Microsoft Office, which sports at least one highly critical but unpatched threat (CAN-2005-0944) that affects a number of Office versions. This threat stems from a vulnerability in the Microsoft Jet Database—specifically Msjet40.dll. The original warning came from HexView.

Secunia has also reported a long-unpatched, moderately critical vulnerability present in both Microsoft Word and Microsoft Outlook. To stay on top of this issue, I recommend Office users and managers bookmark Secunia's vulnerability summary page for Microsoft Office 2003 Professional Edition.

Applicability

The OpenOffice buffer overflow vulnerability affects OpenOffice 1.1.x. The Red Hat version-specific vulnerability affects these versions of Red Hat Enterprise Linux: AS 3, AS 4, ES 3, ES 4, WS 3, and WS 4.

The Jet Database vulnerability affects these versions of Microsoft Windows: 2000 Advanced Server, 2000 Datacenter Server, 2000 Professional Edition, 2000 Server, XP Home Edition, and XP Professional Edition. Also affected are Microsoft Access 2000, 2002, and 2003 as well as Microsoft Office 2000, 2003 Professional Edition, 2003 Small Business Edition, and 2003 Standard Edition.

The unpatched Word and Outlook threat affects these versions of Microsoft Office: 2000, 2003 Professional Edition, 2003 Small Business Edition, 2003 Standard Edition, and 2003 Student and Teacher Edition. This threat also affects Microsoft Outlook 2000, Microsoft Outlook 2003, Microsoft Word 2000, and Microsoft Works Suite 2003.

Risk level - Critical

According to Secunia, both the OpenOffice 1.1.x threat and the Jet Database vulnerability are "highly critical." However, I consider them to be only "critical."

Fix

Patches are available for the OpenOffice threats, which you can download from the vendors' Web sites. For the patch for the OpenOffice 1.1.x threat, visit the OpenOffice Web site. For the patch for Red Hat-specific OpenOffice vulnerability, check out Red Hat's Web site.

No patch is currently available for the Jet Database threat. As a workaround, avoid opening untrusted .mdb database files.

In addition, no patch is currently available for the Word and Outlook threat either. But you can mitigate or completely eliminate the threat by not using Word to edit e-mail documents.

Final word

OK, I understand the reasons behind the hype about the Firefox browser. Until the recent slew of vulnerabilities, it looked for a brief time as if it really were significantly more secure than Internet Explorer.

Firefox is still a great choice for power users and other individuals, but it hasn't caught on much in big offices simply because IE is free and already installed. There just isn't enough incentive to install and support hundreds or thousands of users with a new browser as opposed to properly locking down the latest version of IE 6.

But I wonder why there's been so little user-driven hype over OpenOffice? Not only is it quite good—in fact, I use it daily—but it's also free, and Microsoft Office certainly isn't! For that reason, I often recommend OpenOffice to companies simply on a cost-saving basis.

While OpenOffice is a stripped-down version of Sun's StarOffice, I've never missed any of the fonts or other StarOffice components left out of OpenOffice. And neither have most of my client's users.


Also watch for …

  • Now, for your weekly dose of irony, a small California ISP is suing Kraft Foods over violations of the CAN-SPAM Act and California's anti-spam law. The ISP reported a continuing stream of 8,500 advertising e-mails for Gevalia coffee over the past year. The ISP alleges that the e-mails contained fake headers, making them appear to come from fictitious individuals—a clear violation of the laws if true.
    The irony, of course, is that SPAM is a trademark of Hormel, not Kraft. With fines based on a per-message toll, the ISP is suing for millions of dollars, which should be enough to pay for a good espresso machine and a lifetime supply of quality beans for the entire ISP staff.
  • If you needed any proof that today's hackers aren't always up to the same standards as when we used PEEK and POKE and perused assembly language listings, check out The Inquirer.net's report on the self-proclaimed "baddest hacker in town," who got in a snit in a chat room and threatened the moderator, demanding the moderator's IP address. The moderator responded with some information that apparently included IP address 127.0.0.1. You got it—the "baddest" hacker ended up wiping his own hard drives.
  • A News.com report has vindicated my previous recommendations to smash and burn hard drives before discarding computers. Confirming what I've always believed, News.com reports that the mere wiping of hard drives with software isn't enough unless you are very, very careful. It simply costs more to wipe most drives properly than a used drive is worth, so drill them or use them as secondary drives in new equipment.
  • RealNetworks has released patches for critical vulnerabilities in its media players. Discovered by Piotr Bania, the threat (CAN-2005-0755) received a "highly critical" rating from Secunia because it can allow remote system access. This vulnerability affects several versions of RealPlayer, Helix Player, and RealOne Player. There's been some confusion over this threat due to another apparently similar threat announced at the beginning of April. So, if this might affect you, check to make sure you have the latest patches.
  • Online stock broker Ameritrade has notified 200,000 customers that it has lost backup tapes containing account information. Unfortunately—and incredibly—the company apparently didn't take steps to encrypt the tapes.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Editor's Picks