Note: This is an archival copy of Security Sun Alert 201775 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001314.1.
StarOffice 7 Software
StarOffice 6.0 Office Suite
StarOffice 8 Software
6438333, 6438460, 6445987
Date of Workaround Release
Date of Resolved Release
It may be possible for a local or remote user to execute Java Applets which destroy/replace system files, read or send private data, and/or cause additional security issues by inducing a local user to load a specially crafted StarOffice/StarSuite document.
This issue is also described in the following document:
CVE CAN-2006-2199 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-2199
This issue can occur in the following releases:
Note: StarOffice 5.x will not be evaluated regarding the potential impact of the issue described in this Sun Alert.
To determine the version of StarOffice installed on a system, the following command can be run (for /<staroffice program dir>/program/bootstraprc):
% cat bootstraprc | grep Product ProductKey=StarOffice 8 ProductPatch=(Product Update 2)
Or using the GUI, do the following (with StarOffice/StarSuite open):
The version is displayed first in the "about" text.
There are no predictable symptoms that would indicate the described issue has been exploited.
To work around the described issue, disable support for Java Applets (for StarOffice/StarSuite) by doing the following:
StarOffice 6 and 7:
In options dialog: Select --> Tools/Options/StarOffice/Security --> uncheck "Enable Applets"
There is no longer a User Interface (UI) for configuring this option in StarOffice 8; the change must be done in configuration files with a text editor. Add the following into your StarOffice settings for (typically) this file "~/.staroffice8/user/registry/data/org/openoffice/Office/Common.xcu":
<node oor:name="Java"> <node oor:name="Applet"> <prop oor:name="Enable" oor:type="xs:boolean"> <value>false</value> </prop> </node> </node>
This issue is addressed in the following releases:
Notes: With the updated versions for StarOffice/StarSuite, support for Java applets in StarOffice will be disabled.
This solution has no attachment