An OpenOffice.org vulnerability

April 13, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

Many OpenOffice.org users have felt secure in using OpenOffice.org to open Microsoft Office files, assuming that the malware that attacks Microsoft Office would not affect the OpenOffice.org suite.

That may well be true, but it looks like the OpenOffice.org suite has a problem of its own: a vulnerability in its handling of .doc files. The flaw was discovered at the end of March, and was reported to the full-disclosure mailing list on Monday. The vulnerability affects the 1.1.4 and 2.0 series of the OpenOffice.org suite. It's unclear whether the vulnerability affects StarOffice, but it seems likely that it would.

According to the Secunia advisory, the problem is a boundary error in the "StgCompObjStream::Load()" function used to process .doc files. Theoretically, this vulnerability could be exploited to execute code in almost all versions of OpenOffice.org if a user opens a specially-crafted document. The vulnerability has been labeled "moderately critical" by Secunia, because it could allow a system to be compromised, but requires user interaction.
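The class of check whose absence produces a boundary error when a loader reads a length-prefixed field from a document stream, as an added example. This is not OpenOffice.org's code: the record layout, the function name `load_name_field` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum load_status { LOAD_OK = 0, LOAD_TRUNCATED = -1, LOAD_TOO_LONG = -2 };

/* Constructed sample records: [u32 little-endian length][name bytes]. */
static const uint8_t sample_ok[]  = { 5, 0, 0, 0, 'W', 'o', 'r', 'd', '6' };
/* Same payload, but the header declares 0x00010005 bytes. */
static const uint8_t sample_bad[] = { 5, 0, 1, 0, 'W', 'o', 'r', 'd', '6' };

/* Read a 32-bit little-endian value without assuming alignment. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Copy the name field of a (hypothetical) record into out as a C string.
 * The declared length comes from the file, so it is untrusted: it is
 * checked against both the bytes actually present and the destination
 * size before anything is copied.
 */
int load_name_field(const uint8_t *stream, size_t stream_len,
                    char *out, size_t out_cap)
{
    if (stream_len < 4)
        return LOAD_TRUNCATED;          /* no room for the length header */

    /* Keep the full 32-bit value; narrowing it before the checks would
     * make 0x00010005 look like 5 and defeat them. */
    uint32_t declared = read_le32(stream);

    if (declared > stream_len - 4)
        return LOAD_TRUNCATED;          /* header claims more than exists */
    if (declared >= out_cap)
        return LOAD_TOO_LONG;           /* no room for data plus the NUL */

    memcpy(out, stream + 4, declared);
    out[declared] = '\0';
    return LOAD_OK;
}
```
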

We touched base with OpenOffice.org community manager Louis Suarez-Potts about the bug. According to Suarez-Potts, work "began immediately" when the vulnerability was discovered, and the project is testing the patch on all platforms and languages supported by the OpenOffice.org suite.

At this time, Suarez-Potts says that the project is not aware of any real-world exploits of this vulnerability. The vulnerability exists on all platforms, but he said that he has "no idea" if it would be possible to craft a document to do something harmful on all platforms, or if it would only be possible to target one platform with a malformed .doc file.

It does seem likely that the OpenOffice.org project will be targeted more frequently by malware authors as it gains in popularity, though Suarez-Potts says that OpenOffice.org is "not as fun a target as MSFT."

This should serve as a cautionary tale for users of the OpenOffice.org suite. While this particular vulnerability was discovered before any exploits appeared in the wild, it's possible that exploits for future vulnerabilities could appear before the first report. Even though OpenOffice.org has a much better track record than Microsoft Office, users should exercise caution when opening any document from an untrusted source.

The LWN vulnerability database entry for this bug will track updates as they become available.


An OpenOffice.org vulnerability

Posted Apr 14, 2005 13:06 UTC (Thu) by mrshiny (subscriber, #4266) [Link]

It should be noted that most Office vulnerabilities regarding opening Word documents stem from Macro Viruses, rather than malformed documents. MS Word is terrible at handling corrupted documents; where I used to work we had a product that would generate Word documents. As you can imagine, during development we'd often generate documents that were corrupt in some way; often several versions of Word would crash if they opened the document. The file format is so complicated that I'm not surprised that OOo has a bug or so. Thankfully it's being addressed and hopefully this sort of problem will happen less often. Maybe someone should write a tool to feed OOo randomly generated corrupt docs? That'd be a good way to test its robustness.

An OpenOffice.org vulnerability

Posted Apr 14, 2005 20:55 UTC (Thu) by joey (subscriber, #328) [Link]

I think it's only fair to point out that openoffice is not alone in having security holes that can be exploited by malicious documents. Similar security holes lately have affected sylpheed, xloadimage, lesstif, libxpm, gv, and of course mozilla.

The cautionary tale should really be that any program that processes data from an untrusted source, even if it's something as simple as an xpm image, has the potential to be exploited due to bugs in the code.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds