OpenOffice Installs Insecure Java Version

An alert reader let me know that the latest version of OpenOffice, the open source alternative to the Microsoft Office productivity suite, also installs a very old, insecure version of Java.

Users who accept the default installation options for OpenOffice 3.0.1 also will get Java 6 Update 7, a version of Java that Sun Microsystems released last spring (the latest version is Java 6 Update 12).


This is notable for two reasons. First, attackers could target security vulnerabilities that were fixed in subsequent versions of Java. Second, Java 6 Update 7 predates Sun's introduction of a feature known as "secure static versioning," which is intended to prevent Web sites from invoking even older versions of Java that may still be present on the user's system.

Starting with Java 6 Update 11, Sun included a feature that uninstalls older versions, but that functionality for whatever reason did not automatically remove versions prior to Java 6 Update 10.

It's not clear why OpenOffice ships with this outdated version. For what it's worth, the latest version of OpenOffice appears to work just fine with the latest release, Java 6 Update 12. I've sent a note to the OpenOffice security team to find out, and will post an update if I hear back from them.

Finally, I should note that Sun only released Java 6 Update 12 a few days ago. However, Sun says there are no security updates in this latest version, so there is no need to update if all you care about is having the most secure version of Java.

Update, Feb. 11, 3:09 p.m. ET: The OpenOffice.org security team responded that the newest version of Java caused installation problems with the latest version of OpenOffice.org. The group plans to ship the latest Java version with the next version of OpenOffice.org, due to be released at the end of March. In the meantime, a version of OpenOffice.org without the older Java version can be downloaded here.

By Brian Krebs | February 4, 2009; 5:30 PM ET
Categories: From the Bunker, Latest Warnings, New Patches

Comments

Brian

Thank you.

Posted by: brucerealtor@gmail.com | February 5, 2009 3:09 AM

OpenOffice makes a version available for download that doesn't include the JRE, but it is very difficult to find. I complained in the past to the OOo people, but was ignored. I have discovered that it is possible to download the version without JRE by starting the download of the current version (with JRE), copying the download location, cancelling the download, and then restarting the download manually after editing the link to remove "_wJRE" (e.g. substitute OOo_3.0.1_Win32Intel_install_en-US.exe in http:// [local mirror] /pub/openoffice/stable/3.0.1/OOo_3.0.1_Win32Intel_install_wJRE_en-US.exe)

Posted by: blackdemin | February 5, 2009 7:10 AM

Thank you for your continuing efforts which I'm sure are equally as appreciated by others such as myself who are only somewhat competent but are stuck with being their own IT guy.

I found, as implied by your article, an old (rev. 7) install of java and uninstalled same.

Question - what is java Runtime Environment? Do I need it? A quick look on the Java site (and Google) wasn't very enlightening as to its function although I did get that there aren't auto updates for it. Do I need to update? (no rev # listed for my install)

Thanks.

Posted by: rsh43 | February 5, 2009 8:37 AM

The Java Runtime Environment (JRE) produces Java Virtual Machines (JVMs). Java is cross-platform compatible. It creates a 'virtual machine' that is the same across a variety of hardware and software. The JVM's job is to convert from virtual machine land to the actual system's way of doing things. In other languages, such as C, the developer has to create versions for different systems (or the user has to compile the program from the source).

You need a JRE to run Java programs.

Posted by: nebnos | February 5, 2009 9:06 AM

I suggest downloading and installing a free program, Secunia PSI, which checks for insecure programs installed on your computer (older versions superseded by updates or newer versions). This program documents the nature of the risk, and provides a step-by-step guide to updating the version, which is very convenient. Using Secunia, I discovered the older insecure version of Java a few days ago, and manually uninstalled it -- I had wondered where it came from, and thanks to Brian, now I know.

Posted by: rboltuck | February 5, 2009 9:53 AM

Blackdemin, it is not the case that one has to perform the contortions you describe to download a copy of OOo without JRE. One need only go to http://download.openoffice.org/other.html , select the version of OOo one wishes to install, and see to it that the box after «Include the Java JRE with this download (This option is not available for Linux DEB and Mac OSX)» is *not* ticked. Give it a whirl!...

Henri

Posted by: mhenriday | February 5, 2009 10:38 AM

My experience was somewhat different.
The previously installed version was Open Office 3.0 (build 3.0.9358), so I downloaded the default 3.0.1. On installation Firefox offered no choices. "Run" was the only option. After installation, Open Office identified itself as 3.0.9379. 3.0.1 is nowhere mentioned.
Java 6 Update 7 was apparently not installed, as it does not appear in the Control Panel or Belarc Advisor.

Posted by: Dale_R | February 5, 2009 11:35 AM

Funny... I installed OO 3.01 this morning on my Vista system and it did not affect my Java(TM) 6 Update 11 previously installed. I did not find any reference to Java 6/7 when checking my Programs and Features on Control Panel.

Posted by: AnnArborGuy | February 5, 2009 12:29 PM

I run a Toshiba Satellite U305 running XP and Firefox. I just checked my version of Java and I have Version 6, Update 11 installed. I went to the Java website and was informed that that is the most recent version for computers running Mozilla/Firefox.

Posted by: DCeiver | February 5, 2009 12:56 PM

@DCeiver - see the last paragraph: Finally, I should note that Sun only released Java 6 Update 12 a few days ago. However, Sun says there are no security updates in this latest version, so there is no need to update if all you care about is having the most secure version of Java.

Posted by: BTKrebs | February 5, 2009 1:06 PM

I just checked the OO3 emerge on gentoo: there is a requirement for java existing but no actual java distro included in the package. Maybe this doesn't affect all platforms.

Posted by: lembark | February 5, 2009 2:16 PM

Due to a bug in the JRE shipped with the release candidate for 3.0.1, the installation failed. Therefore the team switched back to a JRE version without that bug.
Pls see http://de.openoffice.org/issues/show_bug.cgi?id=98257

Posted by: cno1 | February 5, 2009 2:43 PM

Thanks for the notice. A few things that would make posts like this even more helpful would be instructions on how to find out our current version of Java, and a link to the most recent version of Java. Again, thanks for the post and your online chats, they are very informative.

Posted by: monkeyonkeyboard | February 5, 2009 5:59 PM

@monkeyonkeyboard -- you can check which version you have installed and/or install Java from this link.

http://java.com/en/download/installed.jsp?detect=jre&try=1

Posted by: BTKrebs | February 5, 2009 8:19 PM

In the interest of extreme caution, I just uninstalled my old versions of both the Java SE Runtime Environment and old versions of Java 6. I am now at JRE 6.1 and Java 6.11. It involved the uninstall of about 8 other packages to get to this state. I figure that if I don't need it, it is safer to uninstall than to leave it hanging around.

As for the comments that you can check what version you have, I don't think that would show all the previous versions that might be able to be exploited by a malware, only the version that is run by default.

Posted by: cyberfool | February 5, 2009 9:05 PM

I was just going to try switching from Office to OpenOffice. Now I am nervous. I will probably do it anyway. I will let my clients know at http://www.progoffice.com. Take care and thank you for the good information.

Posted by: stukushner | February 6, 2009 2:38 PM

Brian -- Just got a new HP laptop, and it came with Java 6 update 7 preinstalled. I've uninstalled it, but I wonder how many vulnerable machines are out there because HP is still using the old Java software.

Posted by: strohminator | February 6, 2009 4:51 PM

Brian, can you pls inform us about the explanation of the OpenOffice.org security team?

Posted by: cno1 | February 6, 2009 6:23 PM

If you don't want to go to the trouble of uninstalling all possible Java environments that are old, open Control Panel (in Windows, that is), click "Go to Classic View" (or whatever the text is) and double-click Java. In Java Control Panel, click the Security tab, then you have Applet Runtime Settings in the top half, and Java Network Launching Protocol in the bottom. Click the View button in Applet Runtime Settings and _uncheck_ the "Enabled" box next to the old Java environments. After that Java shouldn't let any systems run applets based on old configs, and the same old Java runtimes are disabled in the JNLP.
If that sounds complicated, well, Sun could do a better job of making their updates disable old runtimes by default. Automatic updates work for me, my setting is to run update every day and download updates automatically, but ask for my permission to install the new update.

Posted by: velskama | February 7, 2009 4:21 AM

You can also check the installed version of Java at javatester.org. If you have multiple web browsers, you need to test each one.

Posted by: MichaelsPostingID | February 8, 2009 6:33 PM

The problem with OpenOffice.org 3.0.1 has been fixed as of 9:32 PM on Sunday night, February 8, 2009, at least under Firefox.

Upon downloading and installing 3.0.1, I see that the most recent JRE for Firefox has been installed.

Thanks again for all your help, Brian.

Tom
DrJones1

Posted by: DrJones1 | February 8, 2009 9:38 PM

You said "the latest version is Java 6 Update 12" but my Java applet in XP's control panel says I'm up to date with Update 11. I went to sun.com and checked downloads and it offered Update 11. Are you sure about Update 12? Checked about 10:00 am Eastern on Feb. 9.

Posted by: bmuller | February 9, 2009 10:00 AM

I checked and actually have each of the following versions installed:

J2SE 5 updates 6, 9, 10, and 11
Java 6 updates 1, 2, 3, 5, 7, and 11

And to think that most of them are over 100 MB... tsk.

Posted by: JasonSpradlin82 | February 10, 2009 3:49 PM
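The article's point (and cyberfool's above) is that the version Java reports as current says nothing about the older runtimes still installed beside it, and JasonSpradlin82's list shows what such an inventory can look like. The script below is an added example, not code from the article, Sun or OpenOffice.org: it takes an inventory of version strings the reader has gathered (for instance from Add/Remove Programs or Secunia PSI) in either of the two notations seen on this page ("1.6.0_07" and "Java 6 Update 7"), normalises them, and flags everything older than Java 6 Update 10, the baseline assumed here from the article's description of secure static versioning and of what the Update 11 uninstaller leaves behind. The sample inventory is constructed from the commenters' reports.

```python
"""Flag installed Java runtimes older than a policy baseline.

Added example (not from the article, Sun or OpenOffice.org). It assumes the
reader supplies an inventory of version strings; nothing here queries the
system. The baseline Java 6 Update 10 is an assumption taken from the
article: releases before it lack secure static versioning, and the
Update 11 auto-uninstall does not remove them.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class JavaVersion(NamedTuple):
    family: int   # 5 for J2SE 5.0 / "1.5.x", 6 for Java SE 6 / "1.6.x"
    update: int   # the "Update N" / "_NN" number, 0 when absent


# Internal notation, e.g. "1.6.0_07" (update number optional).
_INTERNAL = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")
# Marketing notation, e.g. "Java 6 Update 7", "J2SE 5 update 6", "JRE 6".
_MARKETING = re.compile(
    r"^(?:java|j2se|jre)\s*(?:se\s*)?(\d+)(?:\.\d+)?(?:\s*update\s*(\d+))?$",
    re.IGNORECASE,
)


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Map either notation to (family, update); None if unrecognised."""
    s = re.sub(r"\(tm\)", "", text, flags=re.IGNORECASE).strip()
    for pattern in (_INTERNAL, _MARKETING):
        m = pattern.match(s)
        if m:
            return JavaVersion(int(m.group(1)), int(m.group(2) or 0))
    return None


# Policy baseline (assumption for this example, see module docstring).
BASELINE = JavaVersion(6, 10)

# Constructed inventory, modelled on the versions commenters reported.
SAMPLE_INVENTORY = [
    "J2SE 5 update 6", "J2SE 5 update 9", "J2SE 5 update 10", "J2SE 5 update 11",
    "Java 6 Update 1", "Java 6 Update 2", "Java 6 Update 3", "Java 6 Update 5",
    "Java 6 Update 7", "Java 6 Update 11", "1.6.0_12",
]

Entry = Tuple[str, JavaVersion]


def classify(inventory: List[str]) -> Tuple[List[Entry], List[Entry], List[str]]:
    """Split an inventory into (keep, remove, unparsed).

    Tuple comparison does the work: (5, 11) < (6, 10) and (6, 7) < (6, 10),
    so every J2SE 5 release and every Java 6 release before Update 10 lands
    in the remove list, regardless of which runtime the system reports as
    its default.
    """
    keep, remove, unparsed = [], [], []
    for text in inventory:
        parsed = parse_java_version(text)
        if parsed is None:
            unparsed.append(text)
        elif parsed < BASELINE:
            remove.append((text, parsed))
        else:
            keep.append((text, parsed))
    return keep, remove, unparsed


def report(inventory: List[str]) -> str:
    """Human-readable summary of classify() for the reader."""
    keep, remove, unparsed = classify(inventory)
    lines = [f"Baseline: Java {BASELINE.family} Update {BASELINE.update}"]
    lines += [f"  REMOVE  {t}  (family {v.family}, update {v.update})" for t, v in remove]
    lines += [f"  keep    {t}" for t, _ in keep]
    lines += [f"  ??      {t}  (could not parse)" for t in unparsed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

The two regular expressions matter more than the comparison: Sun's "1.6.0_07" and "Java 6 Update 7" name the same release, and inventories from Control Panel, Belarc Advisor or a registry dump mix the two freely, so a check that only string-compares the display name will miss entries. Checking the default runtime at java.com tells you only which one the browser will pick, which is exactly why the inventory, not the default, is what gets compared here.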

© 2010 The Washington Post Company