OpenOffice.org Security 'Insufficient'
InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at the French Ministry of Defense say vulnerabilities in the open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. 'The general security of OpenOffice is insufficient,' the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. 'This suite is up to now still vulnerable to many potential malware attacks,' they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. 'The one real flaw in the programming logic has been fixed,' said Louis Suarez-Potts, an OpenOffice.org community manager. 'The others are theoretical.'"
Re:"theoretical" (Score:5, Informative)
I can see where some of this gets dismissed as "theoretical" -- for instance, while OOo has such an API, this isn't any more secure or insecure than the fact that other applications, like MySQL, for instance, have a similarly flexible API. Ditto for Microsoft Office or any operating system.
The information on authentication certificates seems a little outdated -- OOo 2.0 supports digital signatures for documents and macros and even security settings that prevent macros from being run that are not signed. I think that as for a solid, verifiable security model, OOo 2.0 seems to have one based on digital signatures.
Re:"theoretical" (Score:1, Informative)
OpenOffice is quite buggy, as porting it to OpenBSD shows; OpenOffice has many stupid bugs [openbsd.org].
The actual problem is DicOOo (Score:4, Informative)
Installation of an offensive C function in the DicOOo macro.
The C function is executed when DicOOo is installed.
"DicOOo" is an installer for dictionaries into OpenOffice. Unfortunately, it seems to have too much power, and can be replaced or induced to install other things. This is an add-on to OpenOffice, and apparently an unsafe one.
Re:"theoretical" (Score:5, Informative)
Then they go on to explain (still in powerpoint bullets) that they managed to write a macro that sends an e-mail with an attached file which then executed C code which modified dicOOo.
And they conclude that infection risk under OOo is MAXIMAL and its use should be discouraged for security reasons.
Re:"theoretical" (Score:5, Informative)
I'm replying to my own post but the other was the translation and this is what I think of it. I think it's bullshit.
Point number 10, what the fuck? zip is just a compression format. Point number 11, trusted folders are defined by YOU. So most people don't even have them. But if it's convenient to you to define a folder where all macros are trusted, how is it different from accepting every macro while you open the document? It must be quite convenient for developers who want to test their macros. Most other points? Way too vague to mean anything. Besides, if the danger for an office suite which isn't really attacked right now is "maximal", how should we classify MS Office?
And their famous proof-of-concept... they won't even tell us how they got it to run. My guess is that they defined a trusted folder and put it in.
Until they reveal that, this document is worthless. Like that other proof-of-concept from I don't remember which AV vendor. Their macro (if you accepted it) would download a porn picture from the net and put it in the document. I guess it's much more dangerous than sending documents with the picture already in.
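The two replies above touch on two checkable facts: an OpenOffice.org document is a zip container (point 10), and OOo 2.0 can refuse macros that are not signed. The following is an added example, not code from the thread or from the OpenOffice.org project, that builds a constructed minimal ODF-style zip and reports whether it carries a Basic macro library and whether macro/document signature files are present (the Basic/ and META-INF/*signatures.xml member names follow the OpenOffice.org ODF layout; the XML contents used here are placeholders, not real OOo output).

```python
import io
import zipfile

# Member names used by OpenOffice.org for macro libraries and signatures.
MACRO_PREFIXES = ("Basic/", "Scripts/")
MACRO_SIG = "META-INF/macrosignatures.xml"
DOC_SIG = "META-INF/documentsignatures.xml"


def build_sample(signed_macros: bool) -> bytes:
    """Constructed sample document: an ODF-style zip carrying a Basic library.
    Real documents contain many more members; this is the minimum for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", "<office:document-content/>")  # placeholder body
        z.writestr("Basic/script-lc.xml", "<library:libraries/>")  # placeholder
        z.writestr("Basic/Standard/Module1.xml", "Sub Main\nEnd Sub")  # placeholder
        if signed_macros:
            z.writestr(MACRO_SIG, "<document-signatures/>")  # placeholder
    return buf.getvalue()


def inspect_odf(data: bytes) -> dict:
    """Report macro and signature members of a document. Presence of a signature
    file is only a hint: trusting it still requires verifying the XML signature."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        # "zip is just a compression format": a non-zip file is not an ODF document.
        return {"error": "not-a-zip-container"}
    macro_members = [n for n in names if n.startswith(MACRO_PREFIXES)]
    return {
        "has_macros": bool(macro_members),
        "macro_members": macro_members,
        "macros_signed": MACRO_SIG in names,
        "document_signed": DOC_SIG in names,
    }


def classify(report: dict) -> str:
    """Triage label a mail gateway or desktop policy could act on."""
    if "error" in report:
        return "not-odf"
    if not report["has_macros"]:
        return "no-macros"
    return "signed-macros" if report["macros_signed"] else "UNSIGNED-MACROS"


if __name__ == "__main__":
    for signed in (False, True):
        print(signed, classify(inspect_odf(build_sample(signed))))
```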
The problem with Open Office (Score:3, Informative)
... is that when they do have a security 'fix', they force you to update by downloading the entire suite... they don't have differential patches. I personally get sick and tired of having to download around 100 MBytes of app, uninstall the original, and re-install the new. Granted, on my Linux box the package updater will do all three, but the updater takes forever to download the files. Quite frankly it is a pain in the ass. Sometimes I delay installing an update because of it (sometimes quite a while). Other than OO, I really am pretty diligent about updating my systems, so I can imagine there are those who just won't bother updating OO at all. I would think this is especially true for those who are still on dial-up, where a 100 meg download can take many, many hours.
In my opinion, if they want to say they get fixes out quickly, I can call bullshit. Just because you have the code complete doesn't mean the fix is complete. It still needs to be distributed to all the installations. If this is not done because the process is so onerous, then you can't say the fix is released faster than M$. As much as I dislike monopolies, they do make the update process a lot less painful.
That said, it is a pretty decent office suite.
Sun does about 80% of the work on OpenOffice.org. This is a significant majority, but I would hardly classify 20% as trivial. The second largest contributor is Novell. Since they have OpenOffice.org deployed on every single one of their employees' machines, they do a lot of work fixing dogfood bugs.
Perhaps a bit ironic that you mention BIND. It's been quite a while since there's been a big security problem in BIND, and it is currently the driving force in the largest security update to the DNS protocol in, like, decades - DNSSEC.
Yes, the BIND sources were pretty clumsy and took a while to "get it right". Despite that, it's also always been very stable, and despite the security flaws, has done a good job keeping the vast majority of the Internet together. And, AFAIK, BIND is standing on some pretty solid ground right about now...
Re:"theoretical" (Score:3, Informative)
What generally happens is this (and I'd expect it to be much the same for most of Office's macro features):
Department A perceives a need for a complicated spreadsheet or a small database. It's not really complicated enough to go through the "pass it up the line and set up a project in conjunction with IT" routine, and in a lot of companies IT is viewed with a certain degree of suspicion. However, it would still be nice to have.
Then a person in department A with an interest in IT but with no formal IT training or experience (we'll call him Fred) hears of this need. Fred thinks to himself "I could do that! Easy!", and a couple of weeks later Department A has its database, courtesy of Fred. Over the coming months, Fred adds features and fixes bugs as they come up.
While all of this is going on, nobody outside of Department A even knows that the database exists. It's not until Fred leaves the company two years later and someone in Department A suddenly discovers a hitherto unknown bug in his database (which has since become critical to Dept. A's function) that IT gets to hear about it - when the person who discovers the bug calls the helpdesk and demands support.