Today’s security announcement
April 17th, 2008
We made the formal announcement today that the recently released OpenOffice.org 2.4 included some security vulnerability fixes. We normally release this information when the software is released. This time, Sun Microsystems had not completed the necessary US export classification process for StarOffice at the launch date, so we held back the announcement until StarOffice was able to ship.
As usual, we get emails from people asking whether they should update. Here’s my response:
On Thu, April 17, 2008 08:35, A concerned user wrote:
> i’m using openoffice portable 2.3.1.
> what would you suggest?
> tks
I suggest you contact the maintainer of the version you are using, and ask when 2.4 will be available.
We always advise people to upgrade when we release security fixes – this is best practice in the IT industry. However, you can always do your own risk assessment. Look at the security bulletin for what has been fixed. How do you use OpenOffice.org? For example, if there is a vulnerability around opening Quattro Pro files, and you never open Quattro Pro files, then you might decide the risk of not upgrading is acceptable for you personally.
In fact, the message is simple: the vast majority of exploits require you to accept a file from someone else, or download a file from the internet. If you regularly click on links in emails from people you don’t know, or without checking they are genuine, then “be scared, be very scared…”
