OpenOffice Confirms Buffer Overflow Flaw

Users of the open-source office desktop productivity suite are at risk of code execution attacks. OpenOffice says a patch will be available in the next two days.

The community on Tuesday confirmed the existence of a potentially serious heap-overflow vulnerability in its freely distributed office productivity suite.

The flaw affects OpenOffice Version 1.1.4 and prior and OpenOffice Version 2.0-dev and prior and could put users at risk of code execution attacks. OpenOffice community manager Louis Suarez-Potts confirmed that the vulnerability was discovered in the "StgCompObjStream::Load()" function and occurs when handling a specially crafted ".doc" file.

This could potentially be exploited by attackers to compromise a vulnerable system by convincing a user to open a malicious document with an unpatched application.

"We learned of this March 31 and will be working on it immediately. A patch is ready but it is still going through [quality assurance] testing," Suarez-Potts said. The update is expected to be available for general download within two days.

The office productivity suite is compatible with Microsoft Office files and includes a word processor, spreadsheet, presentation graphics and drawing program, and provides access to popular databases.

OpenOffice is based on the code from an older version of StarOffice that was acquired and made open source by Sun Microsystems Inc.
