SQL Queries Make Staroffice Vulnerable

Dec 11, 2007

Security researchers Secunia have discovered a vulnerability in StarOffice that gives attackers the ability to execute arbitrary code. The developers of the free counterpart, OpenOffice, removed the problem last week.

The cause of the vulnerability with the CVE ID 2007-4575 is erroneous security restrictions in the integrated HSQLDB database which allows the execution of SQL queries with malevolent Java code with root privileges. An attacker needs to trick the user into opening a carefully crafted document for the exploit to work.

The vulnerability affects StarOffice 1.0.8.9 and older versions of the application. OpenOffice is also affected, but its developers published version 2.3.1 last week to fix the bug. A fix is not currently available for StarOffice. Uses should only open documents from trusted sources. Secunia says that the bug is critical.

Related content

comments powered by Disqus

News