Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenOffice.org Security 'Insufficient'

Posted by ryuzaki0 on from the taunting-crowds dept.

InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""

8 of 184 comments (clear)

  1. MMKay.. Interesting, but.. by wwiiol_toofless · · Score: 4, Informative

    OpenOffice.org is FREE! FREE I tell you! Given the choice between a known-to-be-vulnerable $200 suite and a hypothetically-vulnerable Freeware suite, I'll take the latter. The day I discovered OO still ranks in the top 10 of my favorite computing moments of my life.

    --
    the mods may say you posted flamebait, but to me it's a flame that warms my heart. rock on, brother! --chebucto
  2. Re:"theoretical" by morgan_greywolf · · Score: 5, Informative

    The PDF presentation that the group gave was en Français, but I got the gist. I'd post a translation, but my French is a little rusty. ;) Anyway, they seem to be saying that because OOo doesn't support authentication certificates for documents or macros, and because OOo has an API that allows you to program in several different languages (Python, VBScript, Perl, C++, etc.) and that OOo has no solid verifiable security model, that the suite is fundamentally insecure.

    I can see where some of this gets dismissed as "theoretical" -- for instance, while OOo has such an API, this isn't any more secure or insecure than the fact that other applications, like MySQL, for instance, have a similarly flexible API. Ditto for Microsoft Office or any operating system.

    The information on authentication certificates seems a little outdated -- OOo 2.0 supports digital signatures for documents and macros and even security settings that prevent macros from being run that are not signed. I think that as for a solid, verifiable security model, OOo 2.0 seems to have one based on digital signatures.

    --
    My blog
  3. CVE-2006-2198 by tetromino · · Score: 4, Informative

    I think that the flaw they are talking about is CVE-2006-2198, which was fixed in OOo-2.0.3. It was pretty nasty, executes arbitray macro without alerting or prompting the user. However, given that the mistake was already found and fixed, what else does the French Ministry of Defence have to complain about?

    1. Re:CVE-2006-2198 by truthsearch · · Score: 4, Informative

      I submitted this story to /. a month ago and it was rejected. Back then the MoD stated they were already working with the OpenOffice.org developers to have the appropriate changes made. Apparently it's been completed within the last one or two months. This is old news (by internet standards).

      --
      Developers: We can use your help.
  4. The actual problem is DicOOo by Animats · · Score: 3, Informative
    Here's the attack:

    Installation d'une fonction offensive C dans la macro DicOOo.
    La fonction C est exécutée à l'installation de DicOOo.

    "DicOOo" is an installer for dictionaries into OpenOffice. Unfortunately, it seems to have too much power, and can be replaced or induced to install other things. This is an add-on to OpenOffice, and apparently an unsafe one.

  5. Re:"theoretical" by Red+Alastor · · Score: 4, Informative
    I speak French, let me translate.
    1. "Official" MS Office competitor.
    2. Share of the market rising.
    3. Cheap but...
    4. What about the real security of OpenOffice ?
    5. Viral analysis by proof of concept
    6. Numerous integrated programming languages : script shell, VBScript, Python, Perl, Asp, Java.
    7. Rich macro developing.
    8. Numerous existing hijackable execution points
    9. No protection mecanism for macros
    10. zip format is makes virus penetration easy.
    11. Macro security is easy to bypass. "Trusted" folders are defined. Any macro placed in those folders is by definition, trusted.
    12. Document signature do not really consider macros. Bypassing possibilities
    13. Macros can be linked to events or services.
    14. Other mechanisms : macro chaining, hypertext links, inter-application execution, OLE
    15. Many mechanisms are usable for an infection
    16. All known viral techniques known for Microsoft Office can be translated under OpenOffice.org
    17. Every kind of infection is doable. (Infection and auto-reproduction)
    18. Globaly, OpenOffice's suite is a bigger infection risk than Microsoft's suite.
    19. No real security concepts.
    20. Many functional viral roots were made as proof-of-concept
    21. Infection successful no matter the security setting of the user.
    22. Some senarii can act without alerting the user in any way (scenarii is a stupid plural in French too but they used it in the original)

    Then they go on to explain (still in powerpoint bullets) that they managed to write a macro that sends an e-mail with an attached file which then executed C code which modified dicOOo.

    And they conclude that infection risk under OOo is MAXIMAL and its use should be discouraged for security reasons.

    --
    Slashdot anagrams to "Sad Sloth"
  6. Re:"theoretical" by Red+Alastor · · Score: 4, Informative

    I'm replying to my own post but the other was the translation and this is what I think of it. I think it's bullshit.

    Point number 10, what the fuck ? zip is just a comression format. Point number 11, trusted folders are defined by YOU. So most people don't even have them. But if it's convenient to you to define a folder where all macros are trusted how is it different from accepting every macro while you open the document ? It must be quite convenient for developers who want to test their macros. Most other points ? Way too vague to mean anything. Beside, if the danger for an office suite which isn't really attacked right now is "maximal", how should be classify MS Office ?

    And their famous proof-of-concept... they won't even tell us how they got it to run. My guess is that they defined a trusted folder and put it in.

    Until they reveal that, this document is worthless. Like that other proof-of-concept from I don't remember which AV vendor. Their macro (if you accepted it) would download a porn picture from the net and put it in the document. I guess it's much more dangerous than sending documents with the picture already in.

    --
    Slashdot anagrams to "Sad Sloth"
  7. Re:OPDs and Latex by iabervon · · Score: 3, Informative

    The main problem with LaTeX is that, if you use it for much of anything, you'll never have the patience to deal with a word processor again, and will therefore be unable to work with businesspeople on documents. And you'll be forever annoyed by the minor formatting flaws in everybody else's documents, like when paragraphs spanning page breaks have a single line on one of the pages.