Slashdot Mirror
How Secure Is StarOffice?
supabeast! asks: "I am currently working for a large financial corporation that still uses MS Office 97. At some point the company will need to upgrade to a newer office suite, and I think that with some work I may be able to push the company towards StarOffice, which I prefer over MS Office. I am slowly putting together a list of advantages (and disadvantages) of StarOffice over MS Office 2000, and one glaring problem in MS Office is the many security flaws that it has brought up. Does anyone know of security issues with StarOffice, on any platform?" With MS Office still smarting from the LOVE from viruses like Melissa, I think it's high time we looked for alternatives. Security should be one of the first things that should be evaluated.
I don't think anybody really knows what security issues exist with Star Office. It's a huge program, all of it closed source. It has a scripting language which may or may not be conducive for virus propagation. It crashes regularly, so it's very possible that it has some buffer overflow bugs lurking in the code. It's multi-platform, so if a Windows version of a Star Office script virus were released, it could possibly also damage Linux machines.
We're lucky so far in that almost nobody runs Star Office, so the environment for viruses is very poor. Just like a virus in the meat world, computer viruses require a certain density of their hosts before they can replicate quickly. Star Office doesn't really provide that density, and it may never provide that density.
These sorts of closed-source kitchen sink apps that are appearing for Linux are useful tools, no doubt. But they are also very dangerous. I hope that open source apps become dominant in the desktop categories, because peer reviewed security is far better than the completely unreviewed security of Star Office.
Anyone that claims that Star Office is secure should be immediately challenged to "Prove It". Without the source code, security cannot be proved.
If tits were wings it'd be flying around.
Not necessarily, the VBScript portion that was bad for the local user was the part of it that deleted files. The Outlook part was only used to forward these message on to other people. As for that part, I've been told that *any* MAPI-compliant program would do the same, not just Outlook. I've got to wonder about that though, as even Outlook Express wasn't affected. Then again, maybe it's not MAPI-compliant.
Not sure about any mapi compliant client - but I know for a fact CCMail doesn't execute the autoforward bit - but DOES allow any fool that double-clicks the file the full weight of their own errors.....
--
-=DaveHowe=-
Being able to read the source is a nice thing, but without the right to change and redistribute, we're all at the mercy of Sun to provide a fix. I don't see Sun being very responsive in fixing their other bugs, so why would they suddenly get with it for security issues?
And, it's often brought up that since Star Office doesn't run as root, it's less of a threat. Well, on my system, I have the operating system installed as root. EVERYTHING that is important on the system, my documents, my source code, is owned by my own personal user account. Sure, a virus would probably not be able to bring down my system, but it definitely would be able to destroy a lot of things that I need and use and work on every day. My personal loss would be just as large as if I were running a Windows machine.
UNIX security is very good for what it was meant for: protecting the machine from several different users, and protecting the users from each other. It's NOT as good for protecting a single user from himself. The solution to that is to use and build applications that are not wide open to virus exploits, and to make some good backups at regular intervals.
If tits were wings it'd be flying around.
It is reasonable to expect an avalanche of "MS Security Sucks" posts in this thread, since the statement is true. However, why is this the case? Because they try to have everything scriptable, which is a GREAT thing. And while I don't immediately see why it is useful in Outlook, which I've never used, I readily acknowledge its immense usefulness in MS Office - in particular, in Excel.
I work on forecasting and optimization, and while the actual products are developed in the "normal" environment (Unix/C/C++/Oracle), whenever there is a need for a fast and dirty prototype/proof of concept/visualization/thinking aid, no tool known to me is even close to Excel - the combination of its spreadsheet capabilities plus macro recording plus all standard UI objects plus COMPLETE scriptability are a TOTAL killer.
Maybe I am just ignorant and some other tools provide same functionality AND fine security (please, let me know if that's the case), but until I see them, I maintain that poor security in this case is just a flip side of an honest attempt to have great features and not a pure evil.