releases update to fix database vulnerability

The vendor released a new version of its productivity suite this week, fixing a flaw that could allow arbitrary code execution attacks.

The open-source provider of business applications released version 2.3.1, which patches a vulnerability in HSQLDB, the default database engine shipped with version 2 of the application, according to an advisory released by the group.

The flaw stems from an unspecified error in the database engine and can be exploited to execute arbitrary static Java methods via a specially crafted document, according to Secunia, a Denmark-based vulnerability monitoring organisation that rated the flaw “highly critical.” Version 2.3 was released last September.

John McCreesh, marketing program lead, told SC Magazine today that he is not aware of public exploitation of the flaw. He added that the surge in client-side attacks is a result of attackers exploiting users' familiarity with business productivity applications.

“The more an attacker can hide an attack inside something familiar, the more likely people are to fall for it. So, if you're used to receiving 50 work emails a day with Microsoft Word attachments, then you'll probably open the next one to land in your inbox without a second's hesitation,” he said. “We're doing what we can – for example, we've recently raised the default level of security within – but at the end of the day, it's down to education, education, education.”

FrSIRT, the French Security Incident Response Team, rated the flaw “critical,” and noted that an attacker could use social engineering to trick an end-user into opening a malicious document.

Amol Sarwate, head of the vulnerability research lab at Qualys, told SC Magazine that alternative productivity suites are not widely deployed in the corporate world, but that administrators who run them should be quick to defend against arbitrary code execution attacks.

“I would say that there is a growing trend of businesses trying out, but the predominant office software is still coming from Microsoft. But if [administrators] have at their companies, they should take this vulnerability seriously since it allows arbitrary code to go on a user's machine,” he said.

“This is an ongoing trend that we've been observing in client-side applications – basically [Microsoft] Word documents and spreadsheets – and this falls in line with the trend of attacking those applications to get at users' PCs.”

Copyright © SC Magazine, US edition
