Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter, delivered each Tuesday!

OpenOffice.org has patched its vulnerabilities, but threats
related to Microsoft Office Suite and Outlook are still out there.

Details

Vulnerabilities in office suite applications seem to be the
name of the game this week in the security world. Some versions of OpenOffice (the free edition of Sun
Microsystems’ StarOffice that you can download from Download.com)
contain a highly critical threat (CAN-2005-0941).

The threat involves a buffer overflow vulnerability related
to how OpenOffice 1.1.x opens
.doc files. OpenOffice.org has released a patch for this vulnerability. For
more details, see this Secunia report.

In addition, a vulnerability has surfaced in the Red Hat
version of OpenOffice, which allows an attacker to compromise a user’s system.
Red Hat has released a patch for this flaw. For more information, see this Secunia report.

To stay on top of OpenOffice vulnerabilities, check out
Secunia’s vulnerability summary pages for OpenOffice 1.0.x and OpenOffice 1.1.x. A few other threats have
also affected OpenOffice, but Secunia reports that all have received patches.

However, we can’t say the same for Microsoft Office, which sports
at least one highly critical but unpatched threat (CAN-2005-0944)
that affects a number of Office versions. This threat stems from a
vulnerability in the Microsoft Jet Database—specifically Msjet40.dll. The
original warning came
from HexView.

Secunia has also reported a long-unpatched, moderately critical
vulnerability present in both Microsoft Word and Microsoft Outlook. To stay
on top of this issue, I recommend Office users and managers bookmark Secunia’s
vulnerability summary page for Microsoft
Office 2003 Professional Edition.

Applicability

The OpenOffice buffer overflow vulnerability affects
OpenOffice 1.1.x. The Red Hat version-specific vulnerability affects these
versions of Red Hat Enterprise Linux: AS 3, AS 4, ES 3, ES 4, WS 3, and WS 4.

The Jet Database vulnerability affects these versions of Microsoft
Windows: 2000 Advanced Server, 2000 Datacenter Server, 2000 Professional
Edition, 2000 Server, XP Home Edition, and XP Professional Edition. Also
affected are Microsoft Access 2000, 2002, and 2003 as well as Microsoft Office
2000, 2003 Professional Edition, 2003 Small Business Edition, and 2003 Standard
Edition.

The unpatched Word and Outlook threat affects these versions
of Microsoft Office: 2000, 2003 Professional Edition, 2003 Small Business
Edition, 2003 Standard Edition, and 2003 Student and Teacher Edition. This
threat also affects Microsoft Outlook 2000, Microsoft Outlook 2003, Microsoft
Word 2000, and Microsoft Works Suite 2003.

Risk level
– Critical

According to Secunia, both the OpenOffice 1.1.x threat and the
Jet Database vulnerability are “highly critical.” However, I consider
them to be only “critical.”

Fix

Patches are available for the OpenOffice threats, which you
can download from the vendors’ Web sites. For the patch for the OpenOffice
1.1.x threat, visit
the OpenOffice Web site. For the patch for Red Hat-specific OpenOffice
vulnerability, check
out Red Hat’s Web site.

No patch is currently available for the Jet Database threat.
As a workaround, avoid opening untrusted .mdb database files.

In addition, no patch is currently available for the Word
and Outlook threat either. But you can mitigate or completely eliminate the
threat by not using Word to edit e-mail documents.

Final word

OK, I understand the reasons behind the hype about the
Firefox browser. Until the recent slew of vulnerabilities, it looked for a
brief time as if it really were significantly more secure than Internet Explorer.

Firefox is still a great choice for power users and other
individuals, but it hasn’t caught on much in big offices simply because IE is
free and already installed. There just isn’t enough incentive to install and
support hundreds or thousands of users with a new browser as opposed to
properly locking down the latest version of IE 6.

But I wonder why there’s been so little user-driven hype
over OpenOffice? Not only is it quite good—in fact, I use it daily—but it’s
also free, and Microsoft Office certainly isn’t! For that reason, I often
recommend OpenOffice to companies simply on a cost-saving basis.

While OpenOffice is a stripped-down version of Sun’s
StarOffice, I’ve never missed any of the fonts or other StarOffice components
left out of OpenOffice. And neither have most of my client’s users.

Also watch for …

  • Now,
    for your weekly dose of irony, a small California ISP is suing
    Kraft Foods     over violations of the CAN-SPAM Act and California’s
    anti-spam law. The ISP reported a continuing stream of 8,500 advertising
    e-mails for Gevalia coffee over the past year. The ISP alleges that the
    e-mails contained fake headers, making them appear to come from fictitious
    individuals—a clear violation of the laws if true.
    The irony, of course, is that SPAM is a trademark of Hormel, not Kraft.
    With fines based on a per-message toll, the ISP is suing for millions of
    dollars, which should be enough to pay for a good espresso machine and a
    lifetime supply of quality beans for the entire ISP staff.
  • If you
    needed any proof that today’s hackers aren’t always up to the same
    standards as when we used PEEK and POKE and perused assembly language
    listings, check out The
    Inquirer.net’s report     on the self-proclaimed “baddest hacker in
    town,” who got in a snit in a chat room and threatened the moderator,
    demanding the moderator’s IP address. The moderator responded with some
    information that apparently included IP address 127.0.0.1. You got it—the
    “baddest” hacker ended up wiping his own hard drives.
  • A News.com
    report     has vindicated my previous recommendations to smash and burn
    hard drives before discarding computers. Confirming what I’ve always
    believed, News.com reports that the mere wiping of hard drives with
    software isn’t enough unless you are very, very careful. It simply costs
    more to wipe most drives properly than a used drive is worth, so drill
    them or use them as secondary drives in new equipment.
  • RealNetworks
    has released patches for critical vulnerabilities in its media players. Discovered by
    Piotr Bania    , the threat (CAN-2005-0755)
    received a “highly
    critical” rating from Secunia     because it can allow remote system
    access. This vulnerability affects several versions of RealPlayer, Helix
    Player, and RealOne Player. There’s been some confusion over this threat due
    to another apparently similar threat announced at the beginning of April. So,
    if this might affect you, check to make sure you have the latest patches.
  • Online
    stock broker Ameritrade
    has notified 200,000 customers     that it has lost backup tapes containing
    account information. Unfortunately—and incredibly—the company apparently
    didn’t take steps to encrypt the tapes.

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.