Users of the OpenOffice.org suite will be glad to hear that three vulnerabilities
have recently been patched
by the OO.org team. The security flaws, which stem from Java applets, allow a malicious piece of code to escape the sandbox that they normally run under to prevent compromise. It can happen by invoking a macro that opens when an infected document is opened, without the user even being aware. The flaws affect more than just OpenOffice as well:
The vulnerabilities also affect StarOffice versions 6.x, 7.x and 8.x., as well as StarSuite versions 7.x and 8.x, according to security company Secunia. StarOffice and StarSuite are Sun's commercial office software offerings, based on the same code as the OpenOffice suite. Patches are available for StarOffice and StarSuite versions 7.x and 8.x.
No known infections are present in the wild and OpenOffice.org says they haven't received reports of compromise, but that anyone using the 1.x or 2.0.0/2.0.1 versions should update. Those using 2.0.2 or 2.0.3 are unaffected. The patch will fix the 2.x versions if you are not ready to upgrade to 2.0.3, but will not yet work on 1.1.5. The OO.org team mentioned the flaws being fixed with their 2.0.3 release, and said standalone patches would be made available.