OpenOffice.org fixed a critical flaw Wednesday in its suite's database engine that attackers could use to shanghai a computer, and the project's organizers urged customers to update to 2.3.1 as soon as possible.
The bug in HSQLDB, a lightweight, all-Java SQL database engine, can be used to force OpenOffice to execute Java code planted in a rigged database document, said Danish vulnerability tracker Secunia ApS in an alert posted Wednesday. OpenOffice.org also posted an advisory on the bug.
Versions of the free application suite prior to the just-released 2.3.1 are vulnerable, added Secunia. The refreshed edition can be downloaded from the OpenOffice.org site in versions for Windows, Linux and Solaris.
The open-source project's organizers had patched the suite as recently as September, when flaws in how it handles TIFF image files were disclosed. According to Secunia, OpenOffice.org has plugged five security holes so far this year.
The suite is most popular on Linux but is also used as an alternative to Microsoft Corp.'s Office and other for-a-fee bundles.
OpenOffice.org is shooting for a March 2008 delivery date for the next major upgrade, dubbed 2.4.