OpenOffice.org Security 'Insufficient'
InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at the French Ministry of Defense say vulnerabilities in the open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""
"theoretical" (Score:5, Insightful)
Thats a cool thing with open source (Score:4, Insightful)
Many eyes at work. Sounds like a + not - (Score:5, Insightful)
The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products, the publishers are as likely to bury the report, deny that the flaw exists, or use the DMCA to sue the people who disclose the problems.
Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office.
What makes them think MS Office isn't vulnerable? (Score:5, Insightful)
I fail to see how this is a black mark against OpenOffice.org.
Re:What makes them think MS Office isn't vulnerabl (Score:2, Insightful)
I don't either. But you know that if MS (or its shills) can make it appear so, they will.
Re:Thats a cool thing with open source (Score:5, Insightful)
OO.org is vulnerable (Score:4, Insightful)
Gentle Reminder About the Ministry (Score:5, Insightful)
It's very difficult to go from that environment back to the real world where security is measured by successfully implementing long passwords in a company.
Making the inductive(?) leap that OpenOffice.org is insecure is a really long leap of faith. Are there holes? Probably.
In many ways, this is good news because the open source application is being picked over with a fine tooth comb by a large ministry.
Bring it on!
Insecure by association? (Score:5, Insightful)
The goal isn't to be better, it's to be good (Score:2, Insightful)
I fail to see how this is a black mark against OpenOffice.org
I don't think that's (necessarily) the point. Whatever MS does about their Office security flaws does not really concern me any longer. There's almost nothing that could ever make me use MS Office again. But so what. The point isn't which suite is better, the point is: OpenOffice.org still has flaws, and those should be fixed. In this context the statement "The [other flaws] are theoretical" does not make me feel good. I want even theoretical flaws to be taken seriously, so they won't ever become real ones, if that is possible to avoid. I just hope the OO.o team does not concentrate too much on having the better PR, but also on having a good product.
Disclaimer: I don't have the slightest clue about OOo security in general, and the "theoretical" flaws in particular, so possible they may in fact be nothing to worry about. If you convince me this is the case, or I'm just mis-interpreting the quote, I'll happily shut up.
Re:"theoretical" (Score:4, Insightful)
Can intra-office communication not be done via RTF? Why do we need document formats that rival PDF and layout-software fileformats in complexity?
It seems like you could avoid all of this using a smaller array of utilities and custom scripts for office productivity, it just strikes me as impossible to create a scriptable, monolithic, document engine that won't have some sort of security hole on some platform. It seems like a cluster of smaller, more agile tools is the way to go.
Re:"theoretical" (Score:2, Insightful)
Not being part of the software monoculture has enough security benefits that I doubt it would ever pay to attack us when there are enough Windows zombies out there to get first.
Re:Thats a cool thing with open source (Score:3, Insightful)
You forgot to add " but often breaks some other piece of software."
Re:What makes them think MS Office isn't vulnerabl (Score:2, Insightful)
Funny, I've heard that advice many times and never any laughing. This is the kind of advice you follow for everything when working in Windows. Don't open a document from someone you don't trust, don't go to a website you don't trust, don't open an attachment from someone you don't trust (you even have to be careful opening attachments from people you DO trust).
In fact if anyone's being laughed out of the room for this advice it's because everyone with any common sense has been following this advice since the first computer ever connected itself to the Internet.
Re:Many eyes at work. Sounds like a + not - (Score:3, Insightful)
The problem I find with most proprietary apps isn't the development model as such, but that there's rarely a clear place to forward suggestions and bug reports. For Microsoft software you get the crasher bug reporting with their "Send error report" thing, but there are many more types of bug that you can submit to Bugzilla on most projects (crasher, usability, suggestion, glitch, etc.). I have seen some Microsoft projects with places to send reports and suggestions, as I have with other proprietary stuff; it's just that it's usually much less polished, if it exists at all.
Re:Many eyes at work. Sounds like a + not - (Score:3, Insightful)
Right... as compared to closed source, where 0% have the capability of auditing the source code.
Of course, things aren't as black and white as either of our initial comments make things seem. The edge is a bit blurred these days as even Microsoft does have a 'shared source' initiative to allow some interested parties to have a look and those just happen to be some of the most likely ones to actually be motivated and qualified to find and implement fixes. However, openness as the default stance does seem to make a lot more sense because even one's critics can look at the code and make an assessment.
That sounds a lot like the proprietary model except that the 'when they have time' gets replaced with 'if they get budget approval'. I've worked on proprietary software and know, first hand, that development costs are usually dwarfed by customer support costs. In many projects, bugs only get fixed if there's a good business case for the fix.
Either way, resources have to be available, but they can come from outside of the core organization in the case of open source projects. If some customer thinks something is important enough for them, they can always go out and fix themselves. With a commercial program if they aren't a big enough account to make a ripple at headquarters, then it'll never get fixed unless it happens to pop up on the radar of someone more important. Sure, companies that will do this are few and far between, but at least they do have the option. Heaven help them if they decide that they like the legacy version that they've been using for years and haven't ponied up for the forced upgrade to the latest and greatest or even worse, if the company has gone bankrupt and the software is no longer available. At least with source they have a fighting chance.
One of the biggest factors in all of this is the size of the projects. Small open source projects tend to be fairly poorly supported, not as a rule, but in general. Small proprietary programs often have very little support at all and tend to be discontinued. Large, sexy, open source projects get a lot of visibility and tend to benefit from lots of participation and feedback. Large, profitable, proprietary projects tend to have enough paying customers who complain about enough bugs that there's some pressure to get them fixed. Counter examples of all four cases abound, but in general... size matters.
So, perhaps arguments about open vs. closed are really about secondary effects rather than the primary effects.
Sure, SOME proprietary software makes SOME of their code available to A FEW reviewers, but as I wrote above, open by default means that even unexpected sources are capable of performing audits and contributing code.
Re:"theoretical" (Score:3, Insightful)
Data and code are fundamentally linked. You can put an artificial barrier between them, but that doesn't do much if you lose functionality by doing so.
Let's say that I've got an Excel sheet (I do) that needs to call a custom function that Excel doesn't ship with (I do, as well). While it would, in theory, be possible to move that code to a separate macro in a "code" file somewhere, I'd still have to find a way to let anyone who opens my document get at that code file.
MS Office et al have scripting built right in because a good portion of what a good office does is make tools to simplify their work, and those tools are usually so simple that they only make sense to write down at the user level.
FWIW, the French are right. OOo is a security risk--just like a user is. Presume that they might introduce a horrible silicon-melting virus, and plan your security accordingly.
Re:"theoretical" (Score:4, Insightful)
If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs
If I'd been building it, for use with OOo, I'd have given it a backend that generated the OpenDocument data without using any macros within the application. The great thing about having a fully documented, open format like OpenDocument is that you can easily generate and manipulate documents with any tool that's convenient.
Of course, the same is true of TeX, but if you generate OpenDocument format, then you can use OOo to edit and maintain it. In most environments the users are more likely to be comfortable with that than with TeX.
I think the openness of the format actually eliminates many of the reasons that macros are so important in the Microsoft Office world.
Re:Thats a cool thing with open source (Score:3, Insightful)
The problem with Open Office is that someone could check the fix in tonight but you wouldn't necessarily see a 2.04 until whenever they felt like releasing it which could be months or more. So really it's irrelevant in that situation that you're dealing with open source or closed source.
What OOo should do is implement some form of patching mechanism, similar to Firefox. Then they can have their fire drills and dump out a small, precision patch and inoculate much of their userbase before any harm can be done.
If I were OpenOffice, I'd also be questioning the need to support StarBasic AND Python AND Java AND BeanShell AND JavaScript (two versions) for the same product. While it's understandable there are certainly legacy reasons for doing so, I wonder if all these languages shouldn't be reined in a bit. My understanding is that JS, Basic & BeanShell can be embedded in documents, so if I were looking to break OO I'd be looking to see what objects had been exposed in these scripting languages.
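Two of the comments above make concrete, checkable claims: that an open, documented format like OpenDocument lets you generate documents from any tool without touching the suite's macro engine, and that StarBasic, JavaScript and BeanShell code can be embedded inside a document itself. The script below is an added example written for this page, not code from OpenOffice.org or from the French Ministry's paper. It builds a minimal macro-free ODT entirely with the standard library, then scans an ODT for the places where OpenOffice.org keeps document-embedded code: the Basic/ tree (StarBasic libraries), the Scripts/ tree (other languages), manifest entries that point into either, and script-namespace event bindings in content.xml, which is how a macro gets hooked to document events such as load. The "evil" sample document is constructed inline for the test and contains no real macro code, only the container path an embedded Basic module would live under.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ODT_MIME = "application/vnd.oasis.opendocument.text"
NS_MANIFEST = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"

# Zip prefixes under which OOo stores code embedded in a document:
# StarBasic libraries under Basic/, other languages (Python, JavaScript,
# BeanShell) under Scripts/. Anything in these trees deserves a second look.
SCRIPT_PREFIXES = ("Basic/", "Scripts/")

CONTENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<office:document-content'
    ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
    ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
    ' office:version="1.2"><office:body><office:text>{body}'
    '</office:text></office:body></office:document-content>'
)

MANIFEST_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<manifest:manifest xmlns:manifest="%s">'
    '<manifest:file-entry manifest:media-type="%s" manifest:full-path="/"/>'
    '<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml"/>'
    '</manifest:manifest>' % (NS_MANIFEST, ODT_MIME)
)


def build_minimal_odt(paragraphs):
    """Return the bytes of a macro-free ODT containing the given paragraphs.

    No OpenOffice.org API is used: the document is plain XML in a zip, which is
    the point the commenter above makes about open formats. User text is XML-escaped.
    """
    body = "".join("<text:p>%s</text:p>" % escape(p) for p in paragraphs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The spec requires "mimetype" to be the first entry, stored uncompressed,
        # so file(1)-style sniffers can read the type at a fixed offset.
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIME, compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", MANIFEST_XML)
        zf.writestr("content.xml", CONTENT_XML.format(body=body))
    return buf.getvalue()


def find_embedded_scripts(odt_bytes):
    """Return a list of findings describing embedded code or suspicious structure.

    An empty list means no script containers, manifest references to them, or
    script-namespace event bindings were found. This is a triage check, not proof
    of safety: it only inspects where OOo conventionally stores embedded code.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        names = zf.namelist()
        if not names or names[0] != "mimetype":
            findings.append("mimetype is not the first zip entry")
        for name in names:
            if name.startswith(SCRIPT_PREFIXES):
                findings.append("embedded script container: " + name)
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter("{%s}file-entry" % NS_MANIFEST):
                path = entry.get("{%s}full-path" % NS_MANIFEST, "")
                if path.startswith(SCRIPT_PREFIXES):
                    findings.append("manifest references script path: " + path)
        if "content.xml" in names:
            root = ET.fromstring(zf.read("content.xml"))
            for el in root.iter():
                # Any element in the script namespace (e.g. script:event-listener)
                # binds code to a document event such as load.
                if el.tag.startswith("{%s}" % NS_SCRIPT):
                    findings.append("script event binding in content.xml: " + el.tag)
    return findings


def build_constructed_odt_with_basic_module():
    """Constructed sample for testing: a clean ODT plus an empty Basic module path."""
    clean = build_minimal_odt(["Quarterly report"])
    buf = io.BytesIO(clean)
    with zipfile.ZipFile(buf, "a", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder only; a real embedded macro would carry StarBasic source here.
        zf.writestr("Basic/Standard/Module1.xml", "<!-- constructed placeholder -->")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_scripts(build_minimal_odt(["Hello <world>"])))
    print(find_embedded_scripts(build_constructed_odt_with_basic_module()))
```

Used as a mail-gateway or upload filter this gives a cheap first cut: documents with any finding get quarantined or sent for manual review, while generated, macro-free documents pass. It does not replace a real parser, and it says nothing about the "theoretical" flaws the article mentions, which concern the suite's own handling of documents rather than what a scanner can see in the zip.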