OpenOffice.org Security 'Insufficient'

InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""

Maybe we need to take a step back...

[Harker]

a decade or more, at least.

How about we stop writing word processors and spreadsheets that are capable of running code (other than its own)?

I remember back when I was big on a certain usenet news group, we had a discussion about an email virus. The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer, and possibly to your girlfriend/wife/sister/etc. The entire thing was a hoax that preyed on ignorant computer users, and urged them to spread the word.

My argument at the time was basically that an email client could not, or should not execute the text within the email itself, and any client that did, shouldn't be used.

Now I use Outlook on a daily basis, and guess what?

So, let's take a step back to simpler, less efficient applications. Get rid of what causes the vulnerabilities in the first place.

Now where did this box come from?

H.

Alternatives

[Doc+Ruby]

How secure is MS software that responds to vulnerability discoveries by ignoring them or lying about them, fixing them after months or even several versions (years) later? Because users have to rely on MS to fix them.

Compared to OO.o, which anyone can fix, even the French government itself, but which does fix bugs quickly.

Re:"theoretical"

[TheRaven64]

I've never worked in a big office that actually uses the macro and scripting features of productivity software.

I worked for a little while for a (very large) organisation that made heavy use of scripting in Office. Every single type of document had an official corporate style. It had a (scripted) wizard that went through and added the sections you want, automatically filled in various bits of it, etc. After five minutes with the wizard you would have a multi-page skeleton document which would then just need text adding.

If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs, but they had an enormous amount invested in the it, and a team working on updating and fixing the templates. It was sometimes a problem ensuring that you had the right version installed (which is why I would go for a client-server model), but even that could probably be fixed by scripting (simply have the wizard check it was the latest version and fetch / install it if now).

Just Turn Macros Off

[xdxfp]

Why does MS Office have all these fancy features that only a few people use, yet they open up a world of vulnerabilities? I use MS Excel to write a spreadsheet with some basic formulas, and MS Word to write documents that I could just have easily written in WordPad (minus the spell check). Turn off macros by default, and have a generic "you're running a macro and this is unsafe" popup (which I beleive they already do). If the user clicks yes unwittingly, then they're probably too stupid to read the dialog asking them about the signature, and they're screwed anyhow.