OpenOffice.org Security 'Insufficient'

InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""

"theoretical"

[dmiller]

It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.

Re:"theoretical"

[colmore]

Someone needs to explain this to me. Why do office suites need these features? For what are they used? I've never worked in a big office that actually uses the macro and scripting features of productivity software.

Can intra-office communication not be done via RTF? Why do we need document formats that rival PDF and layout-software fileformats in complexity?

It seems like you could avoid all of this using a smaller array of utilities and custom scripts for office productivity, it just strikes me as impossible to create a scriptable, monolithic, document engine that won't have some sort of security hole on some platform. It seems like a cluster of smaller, more agile tools is the way to go.

Re:"theoretical"

[Marcion]

It seems to be OpenOffice on Windows. I have 64bit Linux, behind an Selinux hardened firewall - nothing is able to exploit office software from over the network. I send out documents in PDF format. People likewise send me docs in PDF or text (or Word arrr). If I was sent an ODF then I would probably open it with Abiword, is the macro going to exploit that, what about Koffice?

Not being part of the software monoculture has enough security benefits that I doubt it would ever pay to attack us when there are enough Windows zombies out there to get first.

Re:"theoretical"

[Planesdragon]

I think it's quite simple: don't mix data and code.

Data and code are fundamentally linked. You can put an artificial barrier between them, but that doesn't do much if you lose functionality by doing so.

Let's say that I've got an Excel Sheet (I do) that needs to call a custom function that Excel doesn't ship with (I do, as well). While it would, in theory, be possible to move that code to a seperate macro in a "code" file somewhere, I'd still have to find a way to let anyone who opens my document get at that code file.

MS Office et al have scripting built right in because a good portion of what a good office does is make tools to simplify their work, and those tools are usually so simple that they only make sense to write down at the user level.

FWIW, the french are right. OOo is a security risk--just like a user is. Presume that they might introduce a horrible silicon-melting virus, and plan your security accordingly.

Re:"theoretical"

[swillden]

If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs

If I'd been building it, for use with OOo, I'd have given it a backend that generated the OpenDocument data without using any macros within the application. The great thing about having a fully documented, open format like OpenDocument is that you can easily generate and manipulate documents with any tool that's convenient.

Of course, the same is true of TeX, but if you generate OpenDocument format, then you can use OOo to edit and maintain it. In most environments the users are more likely to be comfortable with that than with TeX.

I think the openness of the format actually eliminates many of the reasons that macros are so important in the Microsoft Office world.

Thats a cool thing with open source

[CrazyJim1]

If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.

Re:Thats a cool thing with open source

[daniil]

The cool thing about corporations is that it takes them longer to produce new bugs and set them loose in the wild.

Re:Thats a cool thing with open source

[Pharmboy]

Or they issue a hotfix that's automatically downloaded and installed.

You forgot to add " but often breaks some other piece of software."

Re:Thats a cool thing with open source

[DrXym]

If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.

The problem with Open Office is that someone could check the fix in tonight but you wouldn't necessarily see a 2.04 until whenever they felt like releasing it which could be months or more. So really it's irrelevant in that situation that you're dealing with open source or closed source.

What OOo should do is implement some form of patching mechanism, similar to Firefox. Then they can have their firedrills and dump out a small, precision patch and innoculate much of their userbase before any harm can be done.

If I were OpenOffice, I'd also be questioning the need to support StarBasic AND Python AND Java AND BeanShell AND JavaScript (two versions) for the same product. While it's understandable there are certainly legacy reasons for doing so, I wonder if all these languages shouldn't be reined in a bit. My understanding is that JS, Basic & BeanShell can be embedded in documents, so if I were looking to break OO I'd be looking to see what objects had been exposed in these scripting languages.

Many eyes at work. Sounds like a + not -

[MCRocker]

This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed.

The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw it exists or use DMCA to sue the people who disclose the problems.

Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office.

What makes them think MS Office isn't vulnerable?

[foreverdisillusioned]

I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.

I fail to see how this is a black mark against OpenOffice.org.

Re:What makes them think MS Office isn't vulnerabl

[NihilEst]

I fail to see how this is a black mark against OpenOffice.org.

I don't either. But you know that if MS (or its shills) can make it appear so, they will.

OO.org is vulnerable

[Elektroschock]

True. Guess the same applies to Abiword. But who will write an Abiword worm?

Gentle Reminder About the Ministry

[mpapet]

This is the MINISTRY OF DEFENSE where draconian access control and accounting should be routine.

It's very difficult to go from that environment back to the real world where security is measured by successfully implementing long passwords in a company.

Making the inductive(?) leap that OpenOffice.org is insecure is a really long leap of faith. Are there holes? Probably.

In many ways, this is good news because the open source application is being picked over with a fine tooth comb by a large ministry.

Bring it on!

Insecure by association?

[quantaman]

My understanding is that a lot of the security problems in MS Office comes from bad design wrt things like macros which make it very hard to secure the system. If OpenOffice is working towards compatibility with MS Office they may be having to deal with the same types of security issues in trying to secure bad macros and such. Thus it makes sense that OpenOffice would be just as, or even more, insecure than OpenOffice, not only do they have many of the same classes of exploits, but they also have greater pressure to rush these features out (for compatibility reasons) and up till now haven't had the motivation of attackers actively exploiting them to force them to spend the necessary time on security.

The goal isn't to be better, it's to be good

[tfried]

I fail to see how this is a black mark against OpenOffice.org

I don't think that's (neccessarily) the point. Whatever MS does about their Office security flaws does not really concern me any longer. There's almost nothing that could ever make me use MS Office again. But so what. The point isn't which suite is better, the point is: OpenOffice.org still has flaws, and those should be fixed. In this context the statement "The [other flaws] are theoretical" does not make me feel good. I want even theoretical flaws to be taken serious, so they won't become real ones ever, if possible to avoid. I just hope the OO.o team does not concentrate too much on having the better PR, but also on having a good product.

Disclaimer: I don't have the slightest clue about OOo security in general, and the "theoretical" flaws in particular, so possible they may in fact be nothing to worry about. If you convince me this is the case, or I'm just mis-interpreting the quote, I'll happily shut up.

Re:What makes them think MS Office isn't vulnerabl

[miro+f]

I suppose you can guard against it, in the sense of "never open a document from anybody you don't trust". Of course, if that advice were offered as a solution to similar problems with a MSFT product, the person offering it would rightly be laughed out of the room.

Funny, I've heard that advice many times and never any laughing. This is the kind of advice you follow for everything when working in windows. Don't open a document from someone you don't trust, don't go to a website you don't trust, don't open an attachment from someone you don't trust (you even have to be careful opening attachments from people you DO trust)

In fact if anyone's being laughed out of the room for this advice it's because everyone with any common sense has been following this advice since the first computer ever connected itself to the Internet.

Re:Many eyes at work. Sounds like a + not -

[someone300]

Well, considering that a higher proportion of the users of OSS will contribute fixes and bug reports than the equivelant for proprietary software, it doesn't matter as much if fewer of the main programming team are always available. Also, companies that are worried can fix security threats internally and submit the changes back. I'm not a major OSS developer but I've contributed many bug reports to GNOME and some to the linux kernel, and they've all been fixed. I have submitted some usability improvements in patch form too, which can't be done with proprietary stuff. Sure I'm only one person, but if you get even a tiny proportion of the users of a popular piece of software willing to get messy with the code, then it's a positive thing.

The problem I find with most proprietary apps isn't the development model as such, but there's rarely a clear place to forward suggestions and bug reports. For Microsoft software you get the crasher bug reporting with their "Send error report" thing, but there are far many more types of bug that you can submit to bugzilla on most projects (Crasher, usability, suggestion, glitch, etc.). I have seen some Microsoft projects with places to send reports and suggestions, as I have other proprietary stuff, it's just that it usually much less polished if it exists at all.

Re:Many eyes at work. Sounds like a + not -

[MCRocker]

"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."

This seems to be the call of the open source zealout, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.

Right... as compared to closed source, where 0% have the capability of auditing the source code.

Of course, things aren't as black and white as either of our initial comments make things seem. The edge is a bit blurred these days as even Microsoft does have a 'shared source' initiative to allow some interested parties to have a look and those just happen to be some of the most likely ones to actually be motivated and qualified to find and implement fixes. However, openness as the default stance does seem to make a lot more sense because even one's critics can look at the code and make an assessment.

I have been involved with many open source projects over the past couple of years and it usually ends up like this:

1) someone emails a bug to the main programming team
2) someone on the programming team (when they have time..since it is a volunteer position) will look through the code and make the changes
3) rinse and repeat

That sounds a lot like the proprietary model except that the 'when they have time' gets replaced with 'if they get budget approval'. I've worked on proprietary software and know, first hand, that development costs are usually dwarfed by customer support costs. In many projects, bugs only get fixed if there's a good business case for the fix.

Either way, resources have to be available, but they can come from outside of the core organization in the case of open source projects. If some customer thinks something is important enough for them, they can always go out and fix themselves. With a commercial program if they aren't a big enough account to make a ripple at headquarters, then it'll never get fixed unless it happens to pop up on the radar of someone more important. Sure, companies that will do this are few and far between, but at least they do have the option. Heaven help them if they decide that they like the legacy version that they've been using for years and haven't ponied up for the forced upgrade to the latest and greatest or even worse, if the company has gone bankrupt and the software is no longer available. At least with source they have a fighting chance.

One of the biggest factors in all of this is the size of the projects. Small open source projects tend to be fairly poorly supported, not as a rule, but in general. Small proprietary programs often have very little support at all and tend to be discontinued. Large, sexy, open source projects get a lot of visibility and tend to benefit from lots of participation and feedback. Large, profitable, proprietary projects tend to have enough paying customers who complain about enough bugs that there's some pressure to get them fixed. Counter examples of all four cases abound, but in general... size matters.

So, perhaps arguments about open vs. closed are really about secondary effects rather than the primary effects.

"Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office."

Not really. Many proprietary apps still have people that can and do find flaws (much in the same way they find them in open source apps. Sure, the source code helps, but I would imagine it's easy for many of the security experts to test it from the outside).

Sure, SOME proprietary software makes SOME of their code available to A FEW reviewers, but as I wrote above, open by default means that even unexpected sources capable of performing audits and code contribution.

"The closed source model doesn'