18 september, 2009
| Document Audience: | PUBLIC | |
| Document ID: | 263508 | |
| Title: | Security Vulnerability in StarOffice/StarSuite Related to Microsoft Word Document Handling may Lead to Arbitrary Code Execution | |
| Copyright Notice: | Copyright © 2009 Sun Microsystems, Inc. All Rights Reserved | |
| Update Date: | Tue Sep 15 00:00:00 MDT 2009 | |
Solution Type Sun Alert
Solution 263508 : Security Vulnerability in StarOffice/StarSuite Related to Microsoft Word Document Handling may Lead to Arbitrary Code Execution
Bug ID
6842152
ProductStarOffice/StarSuite 7 StarOffice/StarSuite 8 StarOffice/StarSuite 9
Date of Resolved Release
15-Sep-2009
SA Document BodySecurity Vulnerability in StarOffice/StarSuite ...
1. Impact
A security vulnerability in StarOffice/StarSuite, related to Microsoft Word
document handling, may allow a remote unprivileged user to execute arbitrary
code on the system with the privileges of a local user running StarOffice/StarSuite,
if the local user opens a crafted Microsoft Word document provided by the remote user.
Sun acknowledges with thanks, Dyon Balding of Secunia Research
(http://secunia.com/secunia_research/) for bringing this issue
to our attention.
Additional information on this issue can be found at:
CVE-2009-0200 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0200
CVE-2009-0201 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0201
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- StarOffice/StarSuite 7 without product patch 14 (patch 116519-18)
- StarOffice 8 without update 13 (patch 120185-18)
- StarSuite 8 without update 13 (patch 120189-18)
- StarOffice 9 without update 3 (patch 142188-01)
- StarSuite 9 without update 3 (patch 142189-01)
x86 Platform
- StarOffice/StarSuite 7 without product patch 14 (patch 117073-16)
- StarOffice 8 without update 13 (patch 120186-18)
- StarSuite 8 without update 13 (patch 120190-18)
- StarOffice 9 without update 3 (patch 142190-01)
- StarSuite 9 without update 3 (patch 142191-01)
Linux Platform
- StarOffice/StarSuite 7 without product patch 14 (patch 116518-18)
- StarOffice 8 without update 13 (patch 120184-17)
- StarSuite 8 without update 13 (patch 120188-17)
- StarOffice 9 without update 3 (patch 142212-01)
- StarSuite 9 without update 3 (patch 142213-01
Windows Platform
- StarOffice/StarSuite 7 without product patch 14 for Windows (patch 116520-17)
- StarOffice 8 without update 13 (patch 120187-17)
- StarSuite 8 without update 13 (patch 120191-17)
- StarSuite 8 Impress Standalone without update 13 for Windows (patch 128021-05)
- StarOffice 9 (ar) without update 3 (patch 142193-01)
- StarOffice 9 (en-US) without update 3 (patch 142194-01)
- StarOffice 9 (de) without update 3 (patch 142195-01)
- StarOffice 9 (es) without update 3 (patch 142196-01)
- StarOffice 9 (it) without update 3 (patch 142197-01)
- StarOffice 9 (fr) without update 3 (patch 142198-01)
- StarOffice 9 (sv) without update 3 (patch 142199-01)
- StarOffice 9 (nl) without update 3 (patch 142200-01)
- StarOffice 9 (hu) without update 3 (patch 142201-01)
- StarOffice 9 (ru) without update 3 (patch 142202-01)
- StarOffice 9 (pl) without update 3 (patch 142203-01)
- StarOffice 9 (pt) without update 3 (patch 142204-01)
- StarOffice 9 (pt-BR) without update 3 (patch 142205-01)
- StarOffice 9 (en-US, de, es, it, fr, sv, nl, hu, ru, pl, pt,pt-BR, ar) without update 3 (patch 142206-01)
- StarSuite 9 (ja) without update 3 (patch 142207-01)
- StarSuite 9 (ko) without update 3 (patch 142208-01)
- StarSuite 9 (zh-CN) without update 3 (patch 142209-01)
- StarSuite 9 (zh-TW) without update 3 (patch 142210-01)
- StarSuite 9 (en-US, ja, ko, zh-CN, zh-TW) without update 3 (patch 142211-01)
Mac OSX x86 Platform
- StarOffice 9 (ar) without update 3 (patch 142214-01)
- StarOffice 9 (en-US) without update 3 (patch 142215-01)
- StarOffice 9 (de) without update 3 (patch 142216-01)
- StarOffice 9 (es) without update 3 (patch 142217-01)
- StarOffice 9 (it) without update 3 (patch 142218-01)
- StarOffice 9 (fr) without update 3 (patch 142219-01)
- StarOffice 9 (sv) without update 3 (patch 142220-01)
- StarOffice 9 (nl) without update 3 (patch 142221-01)
- StarOffice 9 (hu) without update 3 (patch 142222-01)
- StarOffice 9 (ru) without update 3 (patch 142223-01)
- StarOffice 9 (pl) without update 3 (patch 142224-01)
- StarOffice 9 (pt) without update 3 (patch 142225-01)
- StarOffice 9 (pt-BR) without update 3 (patch 142226-01)
- StarOffice 9 (en-US, de, es, it, fr, sv, nl, hu, ru, pl, pt,pt-BR, ar) without update 3 (patch 142227-01)
- StarSuite 9 (ja) without update 3 (patch 142228-01)
- StarSuite 9 (ko) without update 3 (patch 1422229-01)
- StarSuite 9 (zh-CN) without update 3 (patch 142230-01)
- StarSuite 9 (zh-TW) without update 3 (patch 142231-01)
- StarSuite 9 (en-US, ja, ko, zh-CN, zh-TW) without update 3 (patch 142232-01)
Note: Earlier versions of StarOffice/StarSuite are no longer
supported and will not be evaluated regarding this issue.
To determine the version of StarOffice/StarSuite installed on a
system, the following command can be executed:
% grep Product <program-dir>/program/bootstraprc
ProductKey=StarOffice 9
ProductPatch=(Product Update 3)
where <program-dir> is the path to the StarOffice/StarSuite
installation directory.
The version of StarOffice/StarSutie can also be determined in
the GUI using the following steps:
1. Open the "Help" menu
2. Choose "About StarOffice" (StarSuite)
3. Symptoms
There are no predictable symptoms that would indicate this issue has occurred.
4. Relief/Workaround
To workaround the described issue, do not load Microsoft Word documents from untrusted sources.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
- StarOffice/StarSuite 7 with product patch 14 (patch 116519-18) or later
- StarOffice 8 with update 13 (patch 120185-18) or later
- StarSuite 8 with update 13 (patch 120189-18) or later
- StarOffice 9 with update 3 (patch 142188-01) or later
- StarSuite 9 with update 3 (patch 142189-01) or later
x86 Platform
- StarOffice/StarSuite 7 with product patch 14 (patch 117073-16) or later
- StarOffice 8 with update 13 (patch 120186-18) or later
- StarSuite 8 with update 13 (patch 120190-18) or later
- StarOffice 9 with update 3 (patch 142190-01) or later
- StarSuite 9 with update 3 (patch 142191-01) or later
Linux Platform
- StarOffice/StarSuite 7 with product patch 14 (patch 116518-18) or later
- StarOffice 8 with update 13 (patch 120184-17) or later
- StarSuite 8 with update 13 (patch 120188-17) or later
- StarOffice 9 with update 3 (patch 142212-01) or later
- StarSuite 9 with update 3 (patch 142213-01 or later
Windows Platform
- StarOffice/StarSuite 7 with product patch 14 for Windows (patch 116520-17) or later
- StarOffice 8 with update 13 (patch 120187-17) or later
- StarSuite 8 with update 13 (patch 120191-17) or later
- StarSuite 8 Impress Standalone with update 13 for Windows (patch 128021-05) or later
- StarOffice 9 (ar) with update 3 (patch 142193-01) or later
- StarOffice 9 (en-US) with update 3 (patch 142194-01) or later
- StarOffice 9 (de) with update 3 (patch 142195-01) or later
- StarOffice 9 (es) with update 3 (patch 142196-01) or later
- StarOffice 9 (it) with update 3 (patch 142197-01) or later
- StarOffice 9 (fr) with update 3 (patch 142198-01) or later
- StarOffice 9 (sv) with update 3 (patch 142199-01) or later
- StarOffice 9 (nl) with update 3 (patch 142200-01) or later
- StarOffice 9 (hu) with update 3 (patch 142201-01) or later
- StarOffice 9 (ru) with update 3 (patch 142202-01) or later
- StarOffice 9 (pl) with update 3 (patch 142203-01) or later
- StarOffice 9 (pt) with update 3 (patch 142204-01) or later
- StarOffice 9 (pt-BR) with update 3 (patch 142205-01) or later
- StarOffice 9 (en-US, de, es, it, fr, sv, nl, hu, ru, pl, pt,pt-BR, ar) with update 3 (patch 142206-01) or later
- StarSuite 9 (ja) with update 3 (patch 142207-01) or later
- StarSuite 9 (ko) with update 3 (patch 142208-01) or later
- StarSuite 9 (zh-CN) with update 3 (patch 142209-01) or later
- StarSuite 9 (zh-TW) with update 3 (patch 142210-01) or later
- StarSuite 9 (en-US, ja, ko, zh-CN, zh-TW) with update 3 (patch 142211-01) or later
Mac OSX x86 Platform
- StarOffice 9 (ar) with update 3 (patch 142214-01) or later
- StarOffice 9 (en-US) with update 3 (patch 142215-01) or later
- StarOffice 9 (de) with update 3 (patch 142216-01) or later
- StarOffice 9 (es) with update 3 (patch 142217-01) or later
- StarOffice 9 (it) with update 3 (patch 142218-01) or later
- StarOffice 9 (fr) with update 3 (patch 142219-01) or later
- StarOffice 9 (sv) with update 3 (patch 142220-01) or later
- StarOffice 9 (nl) with update 3 (patch 142221-01) or later
- StarOffice 9 (hu) with update 3 (patch 142222-01) or later
- StarOffice 9 (ru) with update 3 (patch 142223-01) or later
- StarOffice 9 (pl) with update 3 (patch 142224-01) or later
- StarOffice 9 (pt) with update 3 (patch 142225-01) or later
- StarOffice 9 (pt-BR) with update 3 (patch 142226-01) or later
- StarOffice 9 (en-US, de, es, it, fr, sv, nl, hu, ru, pl, pt,pt-BR, ar) with update 3 (patch 142227-01) or later
- StarSuite 9 (ja) with update 3 (patch 142228-01) or later
- StarSuite 9 (ko) with update 3 (patch 1422229-01) or later
- StarSuite 9 (zh-CN) with update 3 (patch 142230-01) or later
- StarSuite 9 (zh-TW) with update 3 (patch 142231-01) or later
- StarSuite 9 (en-US, ja, ko, zh-CN, zh-TW) with update 3 (patch 142232-01) or later
For more information on Security Sun Alerts, see Technical Instruction ID 213557:
http://sunsolve.sun.com/search/document.do?assetkey=1-61-213557-1
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.