[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53F5EDF8.6070200@apache.org>
Date: Thu, 21 Aug 2014 15:02:48 +0200
From: Herbert Duerr <hdu@...che.org>
To: announce@...noffice.apache.org, dev@...noffice.apache.org,
users@...noffice.apache.org, full-disclosure@...ts.grok.org.uk,
bugtraq@...urityfocus.com
Subject: CVE-2014-3575:OpenOffice Targeted Data Exposure Using Crafted OLE
Objects
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2014-3575
OpenOffice Targeted Data Exposure Using Crafted OLE Objects
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache OpenOffice 4.1.0 and older on Windows.
OpenOffice.org versions are also affected.
Description:
The exposure exploits the way OLE previews are generated to embed arbitrary file data into a specially crafted document when it is opened. Data exposure is possible if the updated document is distributed to other parties.
Mitigation:
Apache OpenOffice users are advised to upgrade to Apache OpenOffice 4.1.1. Users who are unable to upgrade immediately should be cautious when they are asked to "Update Links" for untrusted documents.
Credits:
The Apache OpenOffice security team credits Open-Xchange for reporting this flaw.
Herbert Dürr
Member of the Apache OpenOffice Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
iQIcBAEBAgAGBQJT9e3wAAoJEDfnuKc+PLjJC8gP/2ZLgMRO9r2YyAbEWl6iA1gP
eVtq6I6O5W9a0ov1zGpbBaPVqZGMCGPDgsdTBUmm2FRAY0U0Yz0bflpGcSUdIpJ/
ULMp6TLfgb24PpiySOQHRvz/6QDsTTgkEyKClkM3THzvNXh6mSCExaDsDv8fseaJ
y1tvTRHrHLeG+lZKPwDnIvDYDSONYNksK/e7gcF5rjNZpmcl6F4gZmMcm1j1TP1a
HbsgOzMpC+A0X26VfuDapYBT6mjeITS6+ZReAcD3sPul95UK/BQ6qU29dvDY7uYg
7U9vzr2155uyv9qUx0UqE2XRKIHfUEhhxHZqFtTVlllkv34E1PNNYdhzUUYDuo4w
W4+GhrebUaArIeQNd1KLCgvnQ0O6ykegV/Rc+OIgG/8DOyC18SS3r11nLs0L0pDe
WmBfOii2OaS/d0RrOdHFsNpscSL1dRaGOXLDD5lxm2VPp6D3TgCM9UgNnBzF4u3S
4lKid1JlxswFbOOT0hNrX7V/kwx9Z2DfDzw8EmjLZGmiH1W3u99EZxmIlKZQRwrg
3enbMuSADsrWSjnxxmwlJD6iT0AaBEJ30doxqnfftIbNt4+r45fSPRPWYriQZ00j
7a+CrKLfBS9ctuXChldWGtgbh4Pkq3RxsVhAw7aiIQdII53v8086A/jzVU0zYNN8
AUxJRYsI1SGTlytbeP0o
=2Y3B
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists