OpenOffice.org Security 'Insufficient'

InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""

Well

[mysidia]

They may find the security of OpenOffice to be insufficient. Their grounds for the finding seem rather questionable to me, given the theoretical nature of said flaws, and the very realized nature of Office security flaws.

I for one find the security of MS Windows as a whole to be insufficient. Quite clearly the only way to achieve a sufficient level of security is to use a patched BSD kernel, and use Vi or Ed for all editing tasks instead of MS Word, OpenOffice, or other similar GUI application.

In many ways, integrated GUI applications have ineffective security compared to segregated command line applications. When you type a command into a computer, you can be a lot clearer as to what the computer will do.

You separate viewing some text from viewing a picture, etc.

Maybe we need to take a step back...

[Harker]

a decade or more, at least.

How about we stop writing word processors and spreadsheets that are capable of running code (other than its own)?

I remember back when I was big on a certain usenet news group, we had a discussion about an email virus. The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer, and possibly to your girlfriend/wife/sister/etc. The entire thing was a hoax that preyed on ignorant computer users, and urged them to spread the word.

My argument at the time was basically that an email client could not, or should not execute the text within the email itself, and any client that did, shouldn't be used.

Now I use Outlook on a daily basis, and guess what?

So, let's take a step back to simpler, less efficient applications. Get rid of what causes the vulnerabilities in the first place.

Now where did this box come from?

H.

Alternatives

[Doc Ruby]

How secure is MS software that responds to vulnerability discoveries by ignoring them or lying about them, fixing them after months or even several versions (years) later? Because users have to rely on MS to fix them.

Compared to OO.o, which anyone can fix, even the French government itself, but which does fix bugs quickly.

Re:Many eyes at work. Sounds like a + not -

[kz45]

"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."

This seems to be the call of the open source zealout, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.

I have been involved with many open source projects over the past couple of years and it usually ends up like this:

1) someone emails a bug to the main programming team
2) someone on the programming team (when they have time..since it is a volunteer position) will look through the code and make the changes
3) rinse and repeat

Proprietary apps actually seem to be better in this respect because at least the main programming team is usually working on it full time and can implement changes in a timely fashion (because they aren't working other jobs). In bigger corporations, this does not always happen because of corporate BS.

"Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office."

Not really. Many proprietary apps still have people that can and do find flaws (much in the same way they find them in open source apps. Sure, the source code helps, but I would imagine it's easy for many of the security experts to test it from the outside).

"The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw it exists or use DMCA to sue the people who disclose the problems"

so why did the people at openoffice.org pass many of the flaws off as theoretical?

Re:Thats a cool thing with open source

[Penguin]

Yeah, open source is great. I'm so happy that after a year nobody responded to my Firefox bug report marked as security related issue. After a year I suppose someone got a notification email and re-wrote the summary, but it is still marked as "NEW". This bug is over a year old, no way it could be regarded "NEW". It should be "FIXED" or at least "INVALID" (or "GET A LIFE, MORON"). Currently it is assigned to "Nobody's working on this, feel free to take it". Yay, the power of open source.

I'm sorry that you put that much trust into a community. It seems like people are more fond of a thought of "the great thing is that when we are THAT many people present at the party surely someone want to do the dishes (and fetch the dead guy out of the pool)" instead of a schedule of "No security bug older than one day/week/month/year" should be regarded "NEW", but should assigned to any responsible person".

I'm not heckling the open source community. I'm part of it. But happy-go-lucky progress just doesn't cut it for security efforts. BIND is open source as well, but its security track record has been awful, especially by comparsion of the simplicity of a DNS server versus web servers (or any other kind of application)

(the mozilla bug is #295922, requires privilege access, no biggie, not a problem for default or average users, but there is still no reason for a security marked bug to have status "NEW" after a year)

Re:"theoretical"

[TheRaven64]

I've never worked in a big office that actually uses the macro and scripting features of productivity software.

I worked for a little while for a (very large) organisation that made heavy use of scripting in Office. Every single type of document had an official corporate style. It had a (scripted) wizard that went through and added the sections you want, automatically filled in various bits of it, etc. After five minutes with the wizard you would have a multi-page skeleton document which would then just need text adding.

If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs, but they had an enormous amount invested in the it, and a team working on updating and fixing the templates. It was sometimes a problem ensuring that you had the right version installed (which is why I would go for a client-server model), but even that could probably be fixed by scripting (simply have the wizard check it was the latest version and fetch / install it if now).

Re:Thats a cool thing with open source

[nwbvt]

"I welcome any example where it took 4 weeks for a fix for a main package."

Well offhand, here is one [sourceforge.net] opened 3 years ago which still hasn't been fixed, though it would be difficult to exploit. Basically what happens is that that a machine with trust level 4 (the default is 3, so again this would be difficult to exploit) to gain level 5 access (meaning they can run arbitrary commands on computer running the service. No, STAF/STAX is not as big as Linux (which is why I was talking about open source in general, not just Linux, which isn't even the software this article was about), but it is used in many corporate environments as an automated testing tool.

Buffer overflow, not just macros

[Anonymous Coward]

Read this: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=op enoffice [mitre.org]

Note that 2.0.3 fixes (at least) 3 flaws, one of which involves a buffer overflow that happens when you open any kind of openoffice document: http://www.ngssoftware.com/advisories/high-risk-vu lnerability-in-the-openoffice-suite/ [ngssoftware.com]

Now, this doesn't mean OpenOffice security is bad, or that it's good, it just means that OpenOffice is subject to exactly the same kinds of security issues that happen whenever a complex app parses a complex data format. To pretend that it's somehow magically immune to this class of problem because of open source pixie dust is utter rubbish. Read the code.

Just Turn Macros Off

[xdxfp]

Why does MS Office have all these fancy features that only a few people use, yet they open up a world of vulnerabilities? I use MS Excel to write a spreadsheet with some basic formulas, and MS Word to write documents that I could just have easily written in WordPad (minus the spell check). Turn off macros by default, and have a generic "you're running a macro and this is unsafe" popup (which I beleive they already do). If the user clicks yes unwittingly, then they're probably too stupid to read the dialog asking them about the signature, and they're screwed anyhow.

Re:The imporant news here

[Anonymous Coward]

You had to discuss with the OOo guys because the french guys are working with them to IMPROVE the security of OOo to be usable in a very strict security environnement. Do you really think that it's better to let some big "shadow" area inside the code instead to try and correct the problems or designs?

And for the french foreign politics, the story proved they were right for the so called " weapons of massive destruction", in the same time story proved that it's very easy for a governement to use the fear to do what they want...