Wednesday, February 04, 2009

OpenOffice Installs Insecure Java Version

Brian Krebs writes on Security Fix:

An alert reader let me know that the latest version of OpenOffice, the open source alternative to the Microsoft Office productivity suite, also installs a very old, insecure version of Java.

Users who accept the default installation options for OpenOffice 3.0.1 also will get Java 6 Update 7, a version of Java that Sun Microsystems released last spring (the latest version is Java 6 Update 12).

This is notable because not only could attackers target security vulnerabilities that were fixed in subsequent versions of Java, but Java 6 Update 7 was released prior to Sun's inclusion of a feature known as "secure static versioning," which is intended to prevent Web sites from invoking even older versions of Java that may be present on the user's system.

More here.

0 Comments:

Post a Comment

<< Home