Wednesday, February 04, 2009

OpenOffice Installs Insecure Java Version

Brian Krebs writes on Security Fix:

An alert reader let me know that the latest version of OpenOffice, the open source alternative to the Microsoft Office productivity suite, also installs a very old, insecure version of Java.

Users who accept the default installation options for OpenOffice 3.0.1 also will get Java 6 Update 7, a version of Java that Sun Microsystems released last spring (the latest version is Java 6 Update 12).

This is notable because not only could attackers target security vulnerabilities that were fixed in subsequent versions of Java, but Java 6 Update 7 was released prior to Sun's inclusion of a feature known as "secure static versioning," which is intended to prevent Web sites from invoking even older versions of Java that may be present on the user's system.

More here.

