OpenOffice.org has warned of three serious security holes which could allow attackers to damage or take control of systems via specially crafted documents. The bugs also affect Sun's commercial StarOffice suite, based on OpenOffice.

The organisation behind the open source productivity suite issued a bulletin outlining the problems on its website, complete with patch.

The bugs affect OpenOffice 1.1.x and 2.0.x as well as StarOffice or StarSuite 6.x, 7.x and 8.x, according to Sun. Sun's advisories can be found here, here and here.

The first bug involves the handling of Java applets embedded in OpenOffice. Malicious Java applets can exploit the flaw to bypass ordinary sandbox security restrictions to gain access to system resources with the privileges of the current user.

A second bug, in the way macros are handled, allows macros to execute Basic code with full system access, and without any user notification, as soon as a malicious document is opened, OpenOffice.org said. "As a result, the macro may delete/replace files, read/send private data and/or cause additional security issues," the advisory warned. "Disabling document macros will not prevent this issue."

Thirdly, a bug in the handling of some XML documents can trigger a buffer overflow, causing the program to crash and allowing attackers to execute malicious code.

Malicious documents are a common way of spreading malicious code, though clunky compared with other methods, which may require no user interaction.

Last month, three security vulnerabilities, some accompanied by exploit code, emerged in Microsoft Excel in a single week.