Vulnerability Note VU#232232

Groove Virtual Office may not correctly display file names

Overview

Groove Virtual Office may not correctly display the names of attached or embedded files. A remote attacker may be able to trick a user into executing arbitrary code.

I. Description

Groove Virtual Office provides a collaborative working environment that includes shared documents, databases, applications, and various other tools to facilitate communication and productivity. Groove allows files to be attached to, or embedded in a document via Microsoft Windows Object Linking and Embedding (OLE). Microsoft OLE is a technology that allows applications to create and edit compound documents. Compound documents are those consisting of one format that contain embeddings of (or links to) documents in another format.

If a specially crafted file is attached to, or embedded in a compound document, its file extension may not be shown correctly. As a result, the user may be tricked into believing the embedded file is of a type that does not contain executable code/content. However, if the crafted file contains code, it may be executed when the file is opened.
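A defensive check for the mismatch described above, as an added example that is not part of the original note and is not Groove or Microsoft code. It assumes an inspection step already has the label shown to the user, the file name actually stored for the attachment, and the file's leading bytes; the function names, extension list and sample records are constructed for illustration.

```python
import os

# Assumed, non-exhaustive set of extensions Windows treats as executable content.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".lnk"}

# Leading bytes of two executable formats: PE/DOS ("MZ") and Windows shortcut.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"L\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut",
}

def effective_ext(name):
    """Return the extension acted on when the file is opened: the last one,
    after trimming the trailing dots and spaces that Windows ignores."""
    return os.path.splitext(name.rstrip(". "))[1].lower()

def check_embedded(display_label, stored_name, head):
    """Compare what the user is shown with what the file really is.
    Returns a list of findings; an empty list means no mismatch was seen."""
    findings = []
    shown = effective_ext(display_label)
    actual = effective_ext(stored_name)
    if shown != actual:
        findings.append("label extension %r differs from stored extension %r"
                        % (shown, actual))
    if actual in EXECUTABLE_EXTS:
        findings.append("stored extension %r is executable" % actual)
    for magic, kind in EXECUTABLE_MAGIC.items():
        # Content type is checked independently of either name.
        if head.startswith(magic) and shown not in EXECUTABLE_EXTS:
            findings.append("content is a %s but label shows %r" % (kind, shown))
    return findings

# Constructed sample records: (label shown, stored name, first bytes of file).
SAMPLES = [
    ("notes.txt", "notes.txt", b"Meeting notes"),
    ("report.doc", "report.doc.exe", b"MZ\x90\x00"),
    ("photo.jpg", "photo.jpg", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for label, stored, head in SAMPLES:
        result = check_embedded(label, stored, head)
        print(label, "->", result if result else "ok")
```
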
This vulnerability is addressed in Groove Virtual Office 3.1 build 2338, 3.1a build 2364, and Groove Workspace Version 2.5n build 1871. These updates are available from
References
This vulnerability was reported by US-CERT. This document was written by Jeff Gennari.
If you have feedback, comments, or additional information about this vulnerability, please send us email.