Open Office installs vulnerable Java software

For a long time I was big fan of Open Office, installing it and using it on many computers, both my own and those of clients. It was, after all, free and close enough to Microsoft Office for most purposes. And, with the drastically changed user interface that Microsoft imposed with Office 2007, Open Office gained yet another advantage, it was more familiar and thus easier to use.

But, the world changes.

LibreOffice grew out of Open Office and, while I didn't follow the story closely, from what I gathered it was a bit better. So, I switched to LibreOffice on a couple PCs and, with no brutal pain points, stuck with it. 

The story gets interesting when I recently upgraded an old version of Open Office (2.1) to the latest and greatest version (3.3.0) on a Windows XP machine. The impetus for the upgrade was that the owner of the computer couldn't read some Word documents. I guessed that the extremely old version of Open Office pre-dated its ability to read .docx files.

Rather than directly upgrade, I un-installed the old version, then downloaded the latest edition from the home page of the OpenOffice.org website. On Windows machines, this downloads both Open Office and Java as a single file.

There's nothing like an underpowered computer to let you see every step in the installation process. On a faster machine I may have missed the fact that Open Office 3.3 installed Java 6 Update 22.

Yikes!

Java is somewhat dangerous software to have on a Windows computer. Bad guys frequently abuse bugs in older versions of the software to install malware. I've written about this before as have many others. The Defensive Computing rule of thumb is not to install Java until you know you really need it.  

I mention this as background because Java 6 Update 22 is old and buggy; very much so.

According to the version history that I maintain at my JavaTester.org site, Update 22 was released October 12, 2010. It was superseded by Update 23 on January 3, 2011. The latest release of Java is Update 29, which fixed many security bugs. So too did Update 26, released in June of this year.  

If you are installing Open Office, be sure to download a version that does not include Java. And, don't be confused about terminology, the Open Office website uses the terms "Java Runtime Environment" and "JRE". Both refer to Java.

My mistake was downloading whatever was offered on the home page. 

Open Office Home Page download

As the screen shot above shows, on Windows and some Linux distributions, the version of Open Office offered on the home page includes Java. Notice that no mention is made of the version of Java included.

On Macs, Java is not included. Thus Windows and Linux users are advised to go to the Open Office download page and turn off the "Include the JRE to the download" checkbox. 

Taking a step back, you may not need Java at all to run Open Office. An explanation of the features that require Java is offered on the website.  

Update: A more complete list of the Open Office features that require Java is available at wiki.services.openoffice.org/wiki/Java.

LibreOffice also uses Java for some features, but as far as I can tell, none of the LibreOffice downloads include Java.

On a computer without Java, LibreOffice doesn't start off as a happy camper. The first time it runs, it will issue a message that Java is needed to "perform this task". What task? It doesn't say, but there must be seven of them because it issues the message seven times.

Despite this, it seems to run fine on machines without Java.

Update Nov. 4, 2011: A commentor below points out that the Document Foundation (the organization behind LibreOffice) plans to phase out the dependency on Java. A little searching online confirms this. Glad to hear. 

As for which features of LibreOffice currently depend on Java, the system requirements page says "For certain features of the software - but not most - Java is required. Java is notably required for Base." If you find more detailed documentation on this, let me know and I'll link to it here. 

Windows users interested in LibreOffice can try the portable version of the software available from PortableApps.com. I'm a huge fan of portable Windows software in general and PortableApps.com specifically. 

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies