OpenOffice.org released a security bulletin today that addresses three security issues in the OpenOffice.org software which were discovered during an internal code audit.  The vulnerabilities affect both the older 1.1.x and the newer 2.0.x releases.  OpenOffice.org has released version 2.0.3 which resolves the issues.  A patch for version 1.1.5 will be available soon.  Without the patch, one of the issues has a possible workaround to alleviate the issue; the other two do not.

OpenOffice.org has additional security notes on their site that address the three specific issues:

• Java Applets
  
  It is possible for some Java applets to break out of the secure "sandbox" in which they are normally constrained.  The  applet code could potentially have access to the entire system with whatever privileges the current user has.
  
  A workaround is provided to temporarily disable support for Java applets.  Instructions are provided for both 1.1.x and 2.0.x.
  

• Macros
  
  A flaw with the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros.  Such macros could potentially have access to the entire system with whatever privileges the current user has.
  
  There is no workaround for this issue
  

• File Format
  
  A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents.  The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code-execution.
  
  There is no workaround for this issue.
  

Thanks to Juha-Matti for the heads-up.