
OpenOffice.org Security 'Insufficient'

Posted by CmdrTaco
from the taunting-crowds dept.
InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""
  • by wwiiol_toofless (991717) on Sunday August 13, 2006 @04:56PM (#15899438)
    OpenOffice.org is FREE! FREE I tell you! Given the choice between a known-to-be-vulnerable $200 suite and a hypothetically-vulnerable Freeware suite, I'll take the latter. The day I discovered OO still ranks in the top 10 of my favorite computing moments of my life.
  • Re:"theoretical" (Score:5, Informative)

    by morgan_greywolf (835522) on Sunday August 13, 2006 @05:09PM (#15899478) Homepage Journal
    The PDF presentation that the group gave was en Français, but I got the gist. I'd post a translation, but my French is a little rusty. ;) Anyway, they seem to be saying that because OOo doesn't support authentication certificates for documents or macros, and because OOo has an API that allows you to program in several different languages (Python, VBScript, Perl, C++, etc.) and that OOo has no solid verifiable security model, that the suite is fundamentally insecure.

    I can see where some of this gets dismissed as "theoretical" -- for instance, while OOo has such an API, this isn't any more secure or insecure than the fact that other applications, like MySQL, for instance, have a similarly flexible API. Ditto for Microsoft Office or any operating system.

    The information on authentication certificates seems a little outdated -- OOo 2.0 supports digital signatures for documents and macros and even security settings that prevent macros from being run that are not signed. I think that as for a solid, verifiable security model, OOo 2.0 seems to have one based on digital signatures.

  • Re:"theoretical" (Score:1, Informative)

    by portmapper (991533) on Sunday August 13, 2006 @05:10PM (#15899480)
    It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.

    OpenOffice is quite buggy; porting it to OpenBSD showed that OpenOffice has many stupid bugs [openbsd.org]

  • CVE-2006-2198 (Score:5, Informative)

    by tetromino (807969) on Sunday August 13, 2006 @05:18PM (#15899507)
    I think that the flaw they are talking about is CVE-2006-2198 [mitre.org], which was fixed in OOo-2.0.3. It was pretty nasty: it executes arbitrary macros without alerting or prompting the user. However, given that the mistake was already found and fixed, what else does the French Ministry of Defence have to complain about?
  • by Animats (122034) on Sunday August 13, 2006 @05:27PM (#15899538) Homepage
    Here's the attack:

    Installation of an offensive C function in the DicOOo macro.
    The C function is executed when DicOOo is installed.

    "DicOOo" is an installer for dictionaries into OpenOffice. Unfortunately, it seems to have too much power, and can be replaced or induced to install other things. This is an add-on to OpenOffice, and apparently an unsafe one.

  • Re:"theoretical" (Score:5, Informative)

    by Red Alastor (742410) on Sunday August 13, 2006 @05:39PM (#15899572)
    I speak French, let me translate.
    1. "Official" MS Office competitor.
    2. Share of the market rising.
    3. Cheap but...
    4. What about the real security of OpenOffice?
    5. Viral analysis by proof of concept
    6. Numerous integrated programming languages: script shell, VBScript, Python, Perl, Asp, Java.
    7. Rich macro developing.
    8. Numerous existing hijackable execution points
    9. No protection mechanism for macros
    10. The zip format makes virus penetration easy.
    11. Macro security is easy to bypass. "Trusted" folders are defined. Any macro placed in those folders is, by definition, trusted.
    12. Document signatures do not really consider macros. Bypassing possibilities
    13. Macros can be linked to events or services.
    14. Other mechanisms: macro chaining, hypertext links, inter-application execution, OLE
    15. Many mechanisms are usable for an infection
    16. All viral techniques known for Microsoft Office can be translated under OpenOffice.org
    17. Every kind of infection is doable. (Infection and auto-reproduction)
    18. Globally, OpenOffice's suite is a bigger infection risk than Microsoft's suite.
    19. No real security concepts.
    20. Many functional viral roots were made as proof-of-concept
    21. Infection successful no matter the security setting of the user.
    22. Some scenarii can act without alerting the user in any way (scenarii is a stupid plural in French too but they used it in the original)

    Then they go on to explain (still in powerpoint bullets) that they managed to write a macro that sends an e-mail with an attached file which then executed C code which modified dicOOo.

    And they conclude that infection risk under OOo is MAXIMAL and its use should be discouraged for security reasons.
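Points 10 to 12 above (zip packaging, trusted folders, signatures that do not cover macros), together with the OOo 2.0 macro-signature model mentioned in an earlier comment, suggest a simple triage check a defender can run on a document before opening it. This is an added example, not code from the post or from the researchers' paper: it opens an ODF package as a zip, lists the macro streams under Basic/ and Scripts/, cross-checks them against META-INF/manifest.xml, and reports whether a META-INF/macrosignatures.xml stream is present. The sample packages are constructed in code, and the signature file is a placeholder, so presence is checked, not validity.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real ODF manifest namespace; the paths below follow the ODF package layout.
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
MACRO_PREFIXES = ("Basic/", "Scripts/")      # StarBasic and scripting-framework macros
MACRO_SIG = "META-INF/macrosignatures.xml"   # signature stream covering the macros

def inspect_odf(data: bytes) -> dict:
    """Report which macro streams and signature streams an ODF package carries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        macros = sorted(n for n in names if n.startswith(MACRO_PREFIXES) and not n.endswith("/"))
        # Cross-check the zip directory against the manifest: a macro stream the manifest
        # does not declare is a sign the package was assembled by hand rather than by OOo.
        declared = set()
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                declared.add(entry.get(f"{{{MANIFEST_NS}}}full-path"))
        unlisted = [n for n in macros if n not in declared]
    return {"macro_entries": macros, "unlisted_macro_entries": unlisted,
            "macro_signed": MACRO_SIG in names}

def verdict(report: dict) -> str:
    """Triage rule: only the presence of a signature stream is checked, not its validity."""
    if not report["macro_entries"]:
        return "no macros"
    if report["unlisted_macro_entries"]:
        return "macros not declared in manifest"
    return "signed macros" if report["macro_signed"] else "unsigned macros"

def build_sample_odt(with_macro=False, declare=True, sign_macros=False) -> bytes:
    """Constructed minimal package for this demo, not a document written by OpenOffice."""
    entries = ['<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml", "<script:module/>")  # placeholder macro body
            if declare:
                entries.append('<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" manifest:media-type="text/xml"/>')
            if sign_macros:
                zf.writestr(MACRO_SIG, "<document-signatures/>")  # placeholder, not a real signature
        zf.writestr("META-INF/manifest.xml",
                    f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">{"".join(entries)}</manifest:manifest>')
    return buf.getvalue()
```

Running `verdict(inspect_odf(open("some.odt", "rb").read()))` on a real file gives the same four-way answer; anything other than "no macros" or "signed macros" is worth a closer look before the document is opened with macros enabled.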

  • Re:"theoretical" (Score:5, Informative)

    by Red Alastor (742410) on Sunday August 13, 2006 @05:54PM (#15899617)

    I'm replying to my own post but the other was the translation and this is what I think of it. I think it's bullshit.

    Point number 10, what the fuck? zip is just a compression format. Point number 11, trusted folders are defined by YOU. So most people don't even have them. But if it's convenient for you to define a folder where all macros are trusted, how is it different from accepting every macro while you open the document? It must be quite convenient for developers who want to test their macros. Most other points? Way too vague to mean anything. Besides, if the danger for an office suite which isn't really attacked right now is "maximal", how should we classify MS Office?

    And their famous proof-of-concept... they won't even tell us how they got it to run. My guess is that they defined a trusted folder and put it in.

    Until they reveal that, this document is worthless. Like that other proof-of-concept from I don't remember which AV vendor. Their macro (if you accepted it) would download a porn picture from the net and put it in the document. I guess it's much more dangerous than sending documents with the picture already in.

  • by theshowmecanuck (703852) on Sunday August 13, 2006 @05:58PM (#15899632) Journal

    ... is that when they do have a security 'fix', they force you to update by downloading the entire suite... they don't have differential patches. I personally get sick and tired of having to download around 100 MBytes of app, uninstall the original, and re-install the new. Granted on my Linux box the package updater will do all three, but the updater takes forever to download the files. Quite frankly it is a pain in the ass. Sometimes I delay installing an update because of it (sometimes quite a while). Other than OO, I really am pretty diligent about updating my systems, so I can imagine there are those who just won't bother updating OO at all. I would think this is especially true for those who are still on dial-up, where a 100 meg download can take many, many hours.

    In my opinion, if they want to say they get fixes out quickly, I can call bullshit. Just because you have the code complete doesn't mean the fix is complete. It still needs to be distributed to all the installations. If this is not done because the process is so onerous, then you can't say the fix is released faster than M$. As much as I dislike monopolies, they do make the update process a lot less painful.

    That said, it is a pretty decent office suite.

  • by nwbvt (768631) on Sunday August 13, 2006 @06:02PM (#15899647)
    I've seen plenty of security bugs in open source code that don't get updated right away. Open source is not all that different from closed source software in this sense. While it certainly is fun to pretend open source is perfect and is in every way better than commercial software, that simply is not true.
  • Re:CVE-2006-2198 (Score:5, Informative)

    by truthsearch (249536) on Sunday August 13, 2006 @06:09PM (#15899674) Homepage Journal
    I submitted this story to /. a month ago and it was rejected. Back then the MoD stated they were already working with the OpenOffice.org developers to have the appropriate changes made. Apparently it's been completed within the last one or two months. This is old news (by internet standards).
  • Re:OPDs and Latex (Score:4, Informative)

    by iabervon (1971) on Sunday August 13, 2006 @07:05PM (#15899823) Homepage Journal
    The main problem with LaTeX is that, if you use it for much of anything, you'll never have the patience to deal with a word processor again, and will therefore be unable to work with businesspeople on documents. And you'll be forever annoyed by the minor formatting flaws in everybody else's documents, like when paragraphs spanning page breaks have a single line on one of the pages.
  • by TheRaven64 (641858) on Sunday August 13, 2006 @07:43PM (#15899939) Journal
    contributions from outsiders were trivial, given the scale and complexity of the project.

    Sun does about 80% of the work on OpenOffice.org. This is a significant majority, but I would hardly classify 20% as trivial. The second largest contributor is Novell. Since they have OpenOffice.org deployed on every single one of their employees' machines, they do a lot of work fixing dogfood bugs.

  • by miro f (944325) on Sunday August 13, 2006 @07:56PM (#15899982)
    actually since I found the OpenOffice.org quickstarter (hidden in the preferences under memory) I never went back. Loading times have decreased a lot (sometimes it even loads instantaneously). Sure it takes more memory while my system is idle but I've never run out before...
  • Re:"theoretical" (Score:3, Informative)

    by mspohr (589790) on Sunday August 13, 2006 @08:57PM (#15900172)
    TFA said they were working to fix them in cooperation with French security experts. They were not "dismissed" but rather they have started to patch them.
  • by mcrbids (148650) on Monday August 14, 2006 @12:26AM (#15900797) Journal
    But happy-go-lucky progress just doesn't cut it for security efforts. BIND is open source as well, but its security track record has been awful, especially in comparison to the simplicity of a DNS server versus web servers (or any other kind of application)

    Perhaps a bit ironic that you mention BIND. It's been quite a while since there's been a big security problem in BIND, and is currently the driving force in the largest security update to the DNS protocol in, like, decades - DNSSEC.

    Yes, the BIND sources were pretty clumsy and took a while to "get it right". Despite that, it's also always been very stable, and despite the security flaws, has done a good job keeping the vast majority of the Internet together. And, AFAIK, BIND is standing on some pretty solid ground right about now...
  • Re:"theoretical" (Score:3, Informative)

    by jimicus (737525) on Monday August 14, 2006 @03:46AM (#15901197)
    Someone needs to explain this to me. Why do office suites need these features? For what are they used? I've never worked in a big office that actually uses the macro and scripting features of productivity software.

    What generally happens is this (and I'd expect it to be much the same for most of Office's macro features):

    Department A perceives a need for a complicated spreadsheet or a small database. It's not really complicated enough to go through the "pass it up the line and set up a project in conjunction with IT" routine, and in a lot of companies IT is viewed with a certain degree of suspicion. However, it would still be nice to have.

    Then a person in department A with an interest in IT but with no formal IT training or experience (we'll call him Fred) hears of this need. Fred thinks to himself "I could do that! Easy!", and a couple of weeks later Department A has its database, courtesy of Fred. Over the coming months, Fred adds features and fixes bugs as they come up.

    While all of this is going on, nobody outside of Department A even knows that the database exists. It's not until Fred leaves the company two years later and someone in Department A suddenly discovers a hitherto unknown bug in his database (which has since become critical to Dept. A's function) that IT gets to hear about it - when the person who discovers the bug calls the helpdesk and demands support.