Vulnerability

StarOffice

Affected

Sun StarOffice

Description

Kurt Seifried found the following. StarOffice 5.2, downloaded from Sun. Simply insert a graphic and, for the filename, give a URL. Kurt simply used a GIF from one of his websites and watched the logfile while loading the document, etc.

HTML document: it phones home, no warning, not unexpected.
StarWriter document (version 5): it phones home, no warning.
StarSpreadsheet (name?): it phones home, no warning.
StarImpress (presentation software a la PowerPoint): it phones home, no warning.

Opening these documents in Linux gives the same results.

What is concerning is this: under Windows, Kurt created a new spreadsheet, inserted an image (http://blahblah), saved it and exited, then ran it through strings, and saw some data from an email he sent a while ago. WTF??? Closed Outlook, tried it with StarWriter, nothing; tried it again with StarCalc, wasn't able to recreate it...

Needless to say, StarOffice raises some rather interesting issues, and seems to have some problems/glitches. As for a warning dialog before downloading internet components, that might be nice, something like: do you wish to retrieve http://www.example.org/trackingimage-091919.gif?

Solution

They just need to be taught the use of memset() to clear memory. There is no chance you can explain to them why a bloated file format is a bad thing. MS Office had the same bug, but it has been fixed.
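
The memset() fix named under Solution, as an added example that is not code from StarOffice or from the original report. It assumes a hypothetical file writer that emits fixed 64-byte blocks from a reused scratch buffer; the function names and the mail string are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64   /* assumed block size of a hypothetical container format */

/* Scratch buffer that lives across operations, like recycled heap memory. */
static unsigned char scratch[BLOCK_SIZE];

/* Constructed sample: an earlier, unrelated use leaves mail text in the buffer. */
void simulate_prior_use(void) {
    static const char mail[] = "From: alice@example.org Subject: constructed sample mail";
    size_t n = sizeof mail - 1;
    memcpy(scratch, mail, n > BLOCK_SIZE ? BLOCK_SIZE : n);
}

/* Leaky writer: only the first len bytes are overwritten, yet the whole
 * block is emitted, so stale bytes past len end up in the saved file. */
size_t write_block_leaky(unsigned char *out, const void *payload, size_t len) {
    if (len > BLOCK_SIZE) len = BLOCK_SIZE;
    memcpy(scratch, payload, len);
    memcpy(out, scratch, BLOCK_SIZE);
    return BLOCK_SIZE;
}

/* Fixed writer: clear the block before use, so the padding is all zeros. */
size_t write_block_cleared(unsigned char *out, const void *payload, size_t len) {
    if (len > BLOCK_SIZE) len = BLOCK_SIZE;
    memset(scratch, 0, BLOCK_SIZE);
    memcpy(scratch, payload, len);
    memcpy(out, scratch, BLOCK_SIZE);
    return BLOCK_SIZE;
}

/* Byte-wise search, the same check strings plus grep would give on the file. */
int block_contains(const unsigned char *block, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(block + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[BLOCK_SIZE];
    simulate_prior_use();
    write_block_leaky(out, "A1=42", 5);
    printf("leaky block leaks mail:   %d\n", block_contains(out, BLOCK_SIZE, "alice@example.org"));
    simulate_prior_use();
    write_block_cleared(out, "A1=42", 5);
    printf("cleared block leaks mail: %d\n", block_contains(out, BLOCK_SIZE, "alice@example.org"));
    return 0;
}
```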