TTCSIRT-056.103017: TT-CSIRT Advisory – OpenOffice Security Updates
Multiple vulnerabilities have been discovered in OpenOffice, which could allow for arbitrary code execution. OpenOffice is an open-source productivity software suite that contains a word processor, spreadsheet application, presentation application, drawing application, formula editor, and a database management application.
Details of these vulnerabilities are as follows:
a) A vulnerability in the OpenOffice Writer DOC file parser, specifically in the WW8Fonts constructor, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution – (CVE-2017-9806).
b) A vulnerability in the OpenOffice PPT file parser, specifically in PPTStyleSheet, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution – (CVE-2017-12607).
c) A vulnerability in the OpenOffice Writer DOC file parser, specifically in ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory corruption and application crash), potentially resulting in arbitrary code execution – (CVE-2017-12608).
Successfully exploiting these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
Further information on these vulnerabilities and how they can be fixed can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apache-openoffice-could-allow-for-arbitrary-code-execution_2017-105/