OpenOffice installs insecure version of Java
In a report by the Washington Post, Brian Krebs points out that the current version of Open Office 3.0.1 installs an outdated and insecure version of Java. OpenOffice, a free open source office suite, by default installs Java 6 Update 7, during suite installation. Update 7, originally released last spring, still contains several un-patched security vulnerabilities that could be exploited by an attacker and was released prior to Sun's inclusion of a feature known as "secure static versioning." The feature is intended to prevent Web sites from invoking even older versions of Java that may be present on the user's system.
It is unknown why OpenOffice still ships with the outdated version of Java 6, considering the current release, Java 6 Update 12, appears to work fine in the office suite. Krebs notes that he has contacted the OpenOffice security team about the issue and is waiting to hear back from them. According to Simon Phipps, chief open source officer at Sun Microsystems, there have been 35 million downloads of OpenOffice since October 2008.
- OpenOffice 3.0.1 Released, a heise online UK report.
- Java 6 update 11 available, a heise online UK report.
- Sun release early access for Java 6 update 12, a heise online UK report.