How Secure Is StarOffice?

← Back to Stories (view on slashdot.org)

Posted by Cliff on Monday May 22, 2000 @05:34AM from the break-out-the-lockpicks dept.

supabeast! asks: "I am currently working for a large financial corporation that still uses MS Office 97. At some point the company will need to upgrade to a newer office suite, and I think that with some work I may be able to push the company towards StarOffice, which I prefer over MS Office. I am slowly putting together a list of advantages (and disadvantages) of StarOffice over MS Office 2000, and one glaring problem in MS Office is the many security flaws that it has brought up. Does anyone know of security issues with StarOffice, on any platform?" With MS Office still smarting from the LOVE from viruses like Melissa, I think it's high time we looked for alternatives. Security should be one of the first things that should be evaluated.

18 comments

Min score:

Reason:

Sort:

Sorry by Anonymous Coward · 2000-05-22 01:24 · Score: 1

No time for productivity today...we need to have a big long thread on our right to steal music.
Clients, OS, and Protection. by SEWilco · 2000-05-22 01:43 · Score: 1

For ILOVEYOU specifically, a mail client which is able to let you run a VBScript program was necessary. Nothing other than a Microsoft Operating system can run VBScript.
Load StarOffice on a test machine, send ILOVEYOU to it, then disconnect it from the network and try opening it. I doubt anything will happen if you're not on a MS machine. StarOffice is also available for MS machines, and I suspect it will use the standard file extension linkages.
A fair amount of ILOVEYOU required Outlook support. I don't know what will happen if you're running StarOffice on a machine with or without Outlook and/or Office installed.
A related question is whether a StarOffice-specific attack can succeed, not only whether StarOffice makes Outlook/Office attacks fail.
1. Re:Clients, OS, and Protection. by Hall · 2000-05-22 02:44 · Score: 2
  
  A fair amount of ILOVEYOU required Outlook support. I don't know what will happen if you're running StarOffice on a machine with or without Outlook and/or Office installed.
  Not necessarily, the VBScript portion that was bad for the local user was the part of it that deleted files. The Outlook part was only used to forward these message on to other people. As for that part, I've been told that *any* MAPI-compliant program would do the same, not just Outlook. I've got to wonder about that though, as even Outlook Express wasn't affected. Then again, maybe it's not MAPI-compliant.
2. Re:Clients, OS, and Protection. by DaveHowe · 2000-05-22 03:58 · Score: 2
  
  Not sure about any mapi compliant client - but I know for a fact CCMail doesn't execute the autoforward bit - but DOES allow any fool that double-clicks the file the full weight of their own errors.....
  --
  
  --
  -=DaveHowe=-
We don't know by PD · 2000-05-22 01:48 · Score: 3

I don't think anybody really knows what security issues exist with Star Office. It's a huge program, all of it closed source. It has a scripting language which may or may not be conducive for virus propagation. It crashes regularly, so it's very possible that it has some buffer overflow bugs lurking in the code. It's multi-platform, so if a Windows version of a Star Office script virus were released, it could possibly also damage Linux machines.

We're lucky so far in that almost nobody runs Star Office, so the environment for viruses is very poor. Just like a virus in the meat world, computer viruses require a certain density of their hosts before they can replicate quickly. Star Office doesn't really provide that density, and it may never provide that density.

These sorts of closed-source kitchen sink apps that are appearing for Linux are useful tools, no doubt. But they are also very dangerous. I hope that open source apps become dominant in the desktop categories, because peer reviewed security is far better than the completely unreviewed security of Star Office.

Anyone that claims that Star Office is secure should be immediately challenged to "Prove It". Without the source code, security cannot be proved.

--
If tits were wings it'd be flying around.
I thought it was open source by gatzke · 2000-05-22 03:23 · Score: 1

If I am not mistaken, Sun claimed that StarOffice was to be relesed as open source under the Sun Community License (which is not really OS, but you can at least read the source) They put limitations on distributing changed sources...

I have seen some distros with StarOffice included. I assume Sun allows this redistribution, or maybe the distros have a special agreement with Sun.

On the other hand, you are also missing the point. StarOffice does not run as root (usually) so it probably cannot trash your entire PC (but maybe your home directory... make backups) PCs with Windows typically don't have this "feature" so a rogue program can muck system files left and right.

Sometimes sysadmins lock down PCs so that users can't kill the PC, but this doesn't always work. I have heard the M$ Office must write to various directories and files so you cannot really secure a PC with Office.

Just my $0.02 - ed
1. Re:I thought it was open source by PD · 2000-05-22 04:14 · Score: 2
  
  Being able to read the source is a nice thing, but without the right to change and redistribute, we're all at the mercy of Sun to provide a fix. I don't see Sun being very responsive in fixing their other bugs, so why would they suddenly get with it for security issues?
  
  And, it's often brought up that since Star Office doesn't run as root, it's less of a threat. Well, on my system, I have the operating system installed as root. EVERYTHING that is important on the system, my documents, my source code, is owned by my own personal user account. Sure, a virus would probably not be able to bring down my system, but it definitely would be able to destroy a lot of things that I need and use and work on every day. My personal loss would be just as large as if I were running a Windows machine.
  
  UNIX security is very good for what it was meant for: protecting the machine from several different users, and protecting the users from each other. It's NOT as good for protecting a single user from himself. The solution to that is to use and build applications that are not wide open to virus exploits, and to make some good backups at regular intervals.
  
  --
  If tits were wings it'd be flying around.
2. Re:I thought it was open source by odsquill · 2000-05-22 06:23 · Score: 1
  
  I like this, its true: "It's NOT as good for protecting a single user from himself".
  Yet observe that the project of the virus is not to enable people to hurt themselves, but simply to cause trouble.
  So if: "UNIX security is very good for what it was meant for: protecting the machine from several different users, and protecting the users from each other"
  Is the organisation (employer(s), friend(s), neighbour(s), Internet) better secured by adopting Star Office?
  Well I don't think so, because these Unix security benefits only apply when run under Linux/Solaris right? And the point at issue is the relative security of Star v MS Office and NOT Linux v Windows.
3. Re:I thought it was open source by randombit · 2000-05-22 06:37 · Score: 1
  
  And, it's often brought up that since Star Office doesn't run as root, it's less of a threat. Well, on my system, I have the operating system installed as root. EVERYTHING that is important on the system, my documents, my source code, is owned by my own personal user account. Sure, a virus would probably not be able to bring down my system, but it definitely would be able to destroy a lot of things that I need and use and work on every day. My personal loss would be just as large as if I were running a Windows machine.
  
  Though it is good to remember that if you gave someone else an account on your machine, Star Office would not destroy your files if they screwed up. On a Windows box, somewhat different results may occur.
  
  Of course, nothing beats regular backups. Disks sometimes break, and filesystems get corrupted, and sometimes people time rm -rf * without thinking, and you've got to deal with it somehow. Hmmm... good poll, Favorite Backup Method:
  
  Tape
  CD-R
  Copy to another machine
  Floppy
  Don't
  
  One think I really like about Unix is the directory setup... you know that if you backup /home and /etc you're basically safe, especially on package based systems like most Linux distros. Whereas on Windows where config files and user stuff is all over the place, and you have to search it out and copy it bit-by-bit. Real pain in the ass. :(
4. Re:I thought it was open source by geekoid · 2000-05-23 06:27 · Score: 1
  
  Well if you have the source, you can change it. There's not much they can do if you don't redistribute it.
  How concerned with security can you be if you run as root all the time? UNIX gived you the means to help protect yourself, but if you don't use them thats your own fault.
  that like saying "Condoms are no good because I never use them"
  . It's NOT as good for protecting a single user from himself.
  What is? Air bags are nice, but it doesn't help me If I drive off a cliff!
  The solution to that is to use and build applications that are not wide open to virus exploits,
  As long as user will run programs without thinking, this will always be a problem. Of course a "real" virus doesn't need users to do there dirty work.
  and to make some good backups at regular intervals.
  Always good advice.
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
5. Re:I thought it was open source by AndyElf · 2000-05-23 21:45 · Score: 1
  
  It's NOT as good for protecting a single user from himself.
  
  What is? How about:
  
  $ cd ~ $ rm -rf *
  
  What saves you then? Same example will go for the other platform as well:
  C:\>del c:. Are you sure? (Y/N): Y C:\>
  
  The difference is that the first case done like so...
  
  $ cd / / $ rm -rf *
  
  ...will not work, as you know./p
  
  --
  
  --AP
Exactly the problem by CentrX · 2000-05-22 04:19 · Score: 1

It's closed-source, so we can never know. It might have just as many, or more, issues than Office. On the other hand, only Microsoft seems to put such security issues into their softwares because = 1 person asks for them.

Chris Hagar

--

"The price of freedom is eternal vigilance." - Thomas Jefferson
The other side by m.o · 2000-05-22 08:25 · Score: 2

It is reasonable to expect an avalanche of "MS Security Sucks" posts in this thread, since the statement is true. However, why is this the case? Because they try to have everything scriptable, which is a GREAT thing. And while I don't immediately see why it is useful in Outlook, which I've never used, I readily acknowledge its immense usefulness in MS Office - in particular, in Excel.

I work on forecasting and optimization, and while the actual products are developed in the "normal" environment (Unix/C/C++/Oracle), whenever there is a need for a fast and dirty prototype/proof of concept/visualization/thinking aid, no tool known to me is even close to Excel - the combination of its spreadsheet capabilities plus macro recording plus all standard UI objects plus COMPLETE scriptability are a TOTAL killer.

Maybe I am just ignorant and some other tools provide same functionality AND fine security (please, let me know if that's the case), but until I see them, I maintain that poor security in this case is just a flip side of an honest attempt to have great features and not a pure evil.
1. Re:The other side by jfernie · 2000-05-22 21:58 · Score: 1
  
  I agree that Excel is made more useful because of its macro-recording ability, but I always ended up using the recorder because I didn't know which object I needed to reference. I often limited myself to a small subset of the whole language (Activesheet, Cells, Range, etc.) anyway.
  
  On the other hand, I found Matlab to be an *excellent* prototyping system. All the mathematical functions you could want, powerful graphing abilities, GUI wigets, and you can define your own functions and scripts, too. But because it's not integrated with the operating system, it just always feels safer. And lets be honest, Matlab crashing never took down any Sparcs when I used it. I've managed to kill a PC or two with Excel/VB.
2. Re:The other side by nellardo · 2000-05-22 22:48 · Score: 2
  
  Maybe I am just ignorant and some other tools provide same functionality AND fine security (please, let me know if that's the case),
  
  Emacs.
  
  :-)
  
  but until I see them, I maintain that poor security in this case is just a flip side of an honest attempt to have great features and not a pure evil.
  
  Universality of functionality can be a Good Thing®, of course. Just consider "undo." The same design that enables universal undo (encapsulating all application actions as a subclass of some generic Action class) makes it very easy to provide scripting as well.
  
  Scripting, however, is not the universal boon that undo is, and I don't mean simply because of security. Frankly, scripting falls on to the wrong side of the 80/20 rule for typical users (and /. users are not typical users of productivity software).
  
  Given that, providing scriptability for use other than by developers (and I would put many sophisticated Excel users in that category - the cell language is a mess, but it is a language) is a questionable investment of resources during product development. Making scripts runnable under anything but direct user control in an untrusted environment (the Internet) may not have been an act of deliberate malice (I make no claims for understanding the Hive Mind of Microsoft®). But if it wasn't an act of malice, it was one of colossal stupidity.
  
  --
  -----
  Klactovedestene!
Re:UNIX not designed to protect the user from self by SuperguyA1 · 2000-05-22 20:27 · Score: 1

UNIX was not designed to protect the user from his/herself. Instead it was designed to allow the user to protect him/herself. You can run everything you want as root, but you obviously know what will likely happen in the end. If you are conserned with security simply don't run everything from root. Just because you are running a single user system doesn't mean you need to be root all the time (believe me I learned the hard way:)

--
"as plurdled gabbleblotchits on a lurgid bee" - Prostetnic Vogon Jeltz. (One man's humorous is another mans flamebait)
Make that Octave... by CgiJobs · 2000-05-22 22:21 · Score: 1

I actually prefer Octave, the open source Matlab clone. Check it out at: www.che.wisc.edu/octave/
less secure when your root by Citrix · 2000-05-22 22:45 · Score: 1

but nobody really knows
Citrix

--
Leknor
http://Leknor.com
"So many idiots, so few comets"