Slashdot Mirror


OpenOffice.org Security 'Insufficient'

InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at the French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""

10 of 184 comments

  1. "theoretical" by dmiller · Score: 5, Insightful

    It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.

    1. Re:"theoretical" by colmore · Score: 3, Insightful

      Someone needs to explain this to me. Why do office suites need these features? For what are they used? I've never worked in a big office that actually uses the macro and scripting features of productivity software.

      Can intra-office communication not be done via RTF? Why do we need document formats that rival PDF and layout-software file formats in complexity?

      It seems like you could avoid all of this using a smaller array of utilities and custom scripts for office productivity; it just strikes me as impossible to create a scriptable, monolithic document engine that won't have some sort of security hole on some platform. It seems like a cluster of smaller, more agile tools is the way to go.

      --
      In Capitalist America, bank robs you!
    2. Re:"theoretical" by swillden · Score: 3, Insightful

      If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs

      If I'd been building it, for use with OOo, I'd have given it a backend that generated the OpenDocument data without using any macros within the application. The great thing about having a fully documented, open format like OpenDocument is that you can easily generate and manipulate documents with any tool that's convenient.

      Of course, the same is true of TeX, but if you generate OpenDocument format, then you can use OOo to edit and maintain it. In most environments the users are more likely to be comfortable with that than with TeX.

      I think the openness of the format actually eliminates many of the reasons that macros are so important in the Microsoft Office world.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
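
The approach swillden describes, as an added example that is not part of the thread or of any project's code: a Python backend writes a minimal OpenDocument text package directly, and `macro_entries` confirms that nothing sits under the `Basic/` or `Scripts/` package directories where OpenOffice.org stores macros. The function names and the sample paragraphs are constructed for illustration.

```python
import io
import zipfile
from xml.sax.saxutils import escape

ODT_MIME = "application/vnd.oasis.opendocument.text"
NS = "urn:oasis:names:tc:opendocument:xmlns:"
# Package directories where OpenOffice.org keeps Basic macros and other
# scripts. A quick check, not an exhaustive scan of active content.
MACRO_PREFIXES = ("Basic/", "Scripts/")


def build_odt(paragraphs):
    """Return the bytes of a minimal .odt holding only plain paragraphs."""
    body = "".join(f"<text:p>{escape(p)}</text:p>" for p in paragraphs)
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{NS}office:1.0" '
        f'xmlns:text="{NS}text:1.0" office:version="1.2">'
        f"<office:body><office:text>{body}</office:text></office:body>"
        "</office:document-content>"
    )
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<manifest:manifest xmlns:manifest="{NS}manifest:1.0" '
        'manifest:version="1.2">'
        f'<manifest:file-entry manifest:full-path="/" '
        f'manifest:media-type="{ODT_MIME}"/>'
        '<manifest:file-entry manifest:full-path="content.xml" '
        'manifest:media-type="text/xml"/>'
        "</manifest:manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # ODF requires "mimetype" to be the first entry, stored uncompressed.
        z.writestr("mimetype", ODT_MIME, compress_type=zipfile.ZIP_STORED)
        z.writestr("META-INF/manifest.xml", manifest)
        z.writestr("content.xml", content)
    return buf.getvalue()


def macro_entries(odt_bytes):
    """List package entries stored under the macro/script directories."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        return [n for n in z.namelist() if n.startswith(MACRO_PREFIXES)]


if __name__ == "__main__":
    doc = build_odt(["Invoice 42", "Total: <100> & paid"])  # constructed text
    print(len(doc), "bytes; macro entries:", macro_entries(doc))
```
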
  2. That's a cool thing with open source by CrazyJim1 · Score: 4, Insightful

    If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.

    1. Re:That's a cool thing with open source by daniil · Score: 4, Insightful

      The cool thing about corporations is that it takes them longer to produce new bugs and set them loose in the wild.

      --
      Man is a slave because freedom is difficult, whereas slavery is easy.
  3. Many eyes at work. Sounds like a + not - by MCRocker · Score: 5, Insightful

    This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed.

    The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw exists or use DMCA to sue the people who disclose the problems.

    Chalk this up as a win for the open source model... at least for large high-visibility projects like Open Office.

    --
    Signatures are a waste of bandwi (buffering...)
  4. What makes them think MS Office isn't vulnerable? by foreverdisillusioned · Score: 5, Insightful

    I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.

    I fail to see how this is a black mark against OpenOffice.org.

  5. OO.org is vulnerable by Elektroschock · Score: 3, Insightful

    True. Guess the same applies to Abiword. But who will write an Abiword worm?

  6. Gentle Reminder About the Ministry by mpapet · Score: 4, Insightful

    This is the MINISTRY OF DEFENSE where draconian access control and accounting should be routine.

    It's very difficult to go from that environment back to the real world where security is measured by successfully implementing long passwords in a company.

    Making the inductive(?) leap that OpenOffice.org is insecure is a really long leap of faith. Are there holes? Probably.

    In many ways, this is good news because the open source application is being picked over with a fine-tooth comb by a large ministry.

    Bring it on!

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  7. Insecure by association? by quantaman · Score: 4, Insightful

    My understanding is that a lot of the security problems in MS Office come from bad design wrt things like macros which make it very hard to secure the system. If OpenOffice is working towards compatibility with MS Office they may be having to deal with the same types of security issues in trying to secure bad macros and such. Thus it makes sense that OpenOffice would be just as, or even more, insecure than OpenOffice: not only do they have many of the same classes of exploits, but they also have greater pressure to rush these features out (for compatibility reasons) and up till now haven't had the motivation of attackers actively exploiting them to force them to spend the necessary time on security.

    --
    I stole this Sig