CVE-2014-3575

OpenOffice Targeted Data Exposure Using Crafted OLE Objects

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

• Apache OpenOffice 4.1.0 and older on Windows.
• OpenOffice.org versions are also affected.

Description:

The exposure exploits the way OLE previews are generated to embed arbitrary file data into a specially crafted document when it is opened. Data exposure is possible if the updated document is distributed to other parties.

Mitigation

Apache OpenOffice users are advised to upgrade to Apache OpenOffice 4.1.1. Users who are unable to upgrade immediately should be cautious when they are asked to "Update Links" for untrusted documents.

Credits

The Apache OpenOffice security team credits Open-Xchange for reporting this flaw.

---

Security Home -> Bulletin -> CVE-2014-3575