Posted to dev@openoffice.apache.org by Ángel Perez <an...@gmail.com> on 2014/09/07 18:06:36 UTC

Re: CVE-2014-3575:OpenOffice Targeted Data Exposure Using Crafted OLE Objects

On 21/08/2014 14:04, "Herbert Duerr" <hd...@apache.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2014-3575
> OpenOffice Targeted Data Exposure Using Crafted OLE Objects
>
> Severity: Important
> Vendor: The Apache Software Foundation
>
> Versions Affected:
>         Apache OpenOffice 4.1.0 and older on Windows.
>         OpenOffice.org versions are also affected.
>
> Description:
>         The exposure exploits the way OLE previews are generated to embed
> arbitrary file data into a specially crafted document when it is opened.
> Data exposure is possible if the updated document is distributed to other
> parties.
>
> Mitigation:
>         Apache OpenOffice users are advised to upgrade to Apache
> OpenOffice 4.1.1. Users who are unable to upgrade immediately should be
> cautious when they are asked to "Update Links" for untrusted documents.
>
> Credits:
>         The Apache OpenOffice security team credits Open-Xchange for
> reporting this flaw.
>
> Herbert Dürr
> Member of the Apache OpenOffice Security Team
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (Cygwin)
>
> -----END PGP SIGNATURE-----
>