Security vulnerabilities fixed in OpenOffice.org 2.4


six7s
17th April 2008, 12:49 AM
email from John McCreesh of OpenOffice:
Security vulnerabilities fixed in OpenOffice.org 2.4

Please note that OpenOffice.org version 2.4, released on 27th March, fixed a number of security vulnerabilities.

To our knowledge, none of these has been exploited; however, in accordance with industry best practice, we recommend all users upgrade to 2.4.

This information has been withheld until now to ensure that all the products derived from the OpenOffice.org codebase have been able to include these security fixes before the public announcement of the vulnerabilities.

For full details of the vulnerabilities fixed, please see our security bulletin http://www.openoffice.org/security/bulletin.html

The OpenOffice.org Security Team

127MB updates available from: http://update.services.openoffice.org/ooo/index.html?cid=924260

jsiv
17th April 2008, 01:13 PM
But..

But..

I thought..this was unpossible with open source?

six7s
18th April 2008, 02:22 AM
In a binary world there are only two types of applications:
apps with bugs that lead to security vulnerabilities that have been identified and
apps with bugs that lead to security vulnerabilities that are yet to be identified

a_unique_person
18th April 2008, 05:44 AM
All software has bugs.

a_unique_person
18th April 2008, 05:49 AM
All software has bugs.

Rat
18th April 2008, 04:10 PM
I've yet to find any in Freecell, though.

ZouPrime
25th April 2008, 09:12 AM
I've yet to find any in Freecell, though.
"All software has bugs", in this context, means "all software has exploitable vulnerabilities". It may not be true for software coded in higher-generation languages, or developed within a methodology that focuses on the elimination of these vulnerabilities (see OpenBSD for a great example), but in general, it is very difficult if not impossible for consumer software to not have these kinds of bugs. Including Freecell. Especially a game such as Freecell, where the coders probably had absolutely zero interest in hunting for buffer overflows.

All software has bugs, but only a small subset of this software is popular enough and installed on enough computers out there to be a cost-effective target for malware authors. So in the end, the reason why so many vulnerabilities are found in popular products (such as those from Microsoft, or Linux) isn't because their coders suck. It's because these products are popular enough for malware authors to spend time and energy finding these vulnerabilities. Nobody is going to spend energy on finding vulnerabilities in products relatively few people use.