[Security-team] [Fwd: [SA20867] OpenOffice Multiple Vulnerabilities]
Alexey Borovskoy
=?iso-8859-1?q?alexey=2Eborovskoy_=CE=C1_gmail=2Ecom?=
Сб Июл 8 12:00:50 MSD 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TITLE:
OpenOffice Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA20867
VERIFY ADVISORY:
http://secunia.com/advisories/20867/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
>From remote
SOFTWARE:
OpenOffice.org 2.x
http://secunia.com/product/6157/
OpenOffice 1.1.x
http://secunia.com/product/302/
DESCRIPTION:
Some vulnerabilities have been reported in OpenOffice, which can be
exploited by malicious people to compromise a user's system.
1) An error exists within the handling of certain Java applets in
OpenOffice documents. This can exploited by malicious Java applets to
bypass sandbox restrictions and gain full access to system resources
with current user privileges.
2) An error exists within the handling of Macros embedded in
documents. This can be exploited to execute arbitrary Basic code with
full access to system resources without any user notification, when a
malicious document is opened.
3) A boundary error exists within the handling of certain XML
documents. This can be exploited to cause a buffer overflow and may
allow arbitrary code execution when a specially crafted XML document
is opened.
The vulnerabilities have been reported in version 1.1.x and 2.0.x.
SOLUTION:
Update to the fixed version or apply patches when available.
OpenOffice 2.0.x:
Update to version 2.0.3.
http://download.openoffice.org/2.0.3/index.html
OpenOffice 1.1.x:
A patch for version 1.1.5 will reportedly be released shortly. The
vendor recommends disabling Java Applets as a workaround for
vulnerability #1.
PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.
ORIGINAL ADVISORY:
http://www.openoffice.org/security/bulletin-20060629.html
- --
Алексей.
GPG key fingerprint
949B BC0E 2C44 7528 4F63 2753 E37A 9E3F 11F3 BDE1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEr2Yw43qePxHzveERAjRcAKCH/reGdd40ikCHRM+D/zO4tqrXkACglXCa
GqYuUA821DXDWzjDEcXzWZ8=
=FxF9
-----END PGP SIGNATURE-----
Подробная информация о списке рассылки Security-team