Slashdot Mirror
OpenOffice.org Security 'Insufficient'
InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""
It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.
If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.
God spoke to me.
which should I use, hmmmm...
Microsoft's Office Suite IS being attacked.
OpenOffice could, possibly, theorectically, be attacked.
Letter To Iran
This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed.
The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw it exists or use DMCA to sue the people who disclose the problems.
Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office.
Signatures are a waste of bandwi (buffering...)
...that OpenOffice has security flaws.
The Good News is that in the time it takes the suite to open and load an infected document the malicious hacker has been captured by the FBI, brought to trial, convicted, and a patch made available.
I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.
I fail to see how this is a black mark against OpenOffice.org.
OpenOffice.org is FREE! FREE I tell you! Given the choice between a known-to-be-vulnerable $200 suite and a hypothetically-vulnerable Freeware suite, I'll take the latter. The day I discovered OO still ranks in the top 10 of my favorite computing moments of my life.
the mods may say you posted flamebait, but to me it's a flame that warms my heart. rock on, brother! --chebucto
I don't either. But you know that if MS (or its shills) can make it appear so, they will.
Founding member: He-Man Windoze Hater Club
True. Guess the same applies to Abiword. But who will write an Abiword worm?
From: sballmer@microsoft.com
To: accounting@microsoft.com
Attached find my receipts for the recent meetings I had with the French Ministry of Defense:
First class plane ticket to Paris: 2100 USD
Swank hotel in Paris: 1800 USD
Dinner for 2 at a spiffy restaurant: 800 USD
Hookers and blow for MoD officials: 5000 USD
Business Justification For Expense: I believe that we will sell ONE MILLION copies of Office to the French MoD.
--Steve
PS If you get a bill from the hotel about a broken chair, it was like that when I got the room, so I don't think we should pay it. Bill said it would be OK.
I want to delete my account but Slashdot doesn't allow it.
This is the MINISTRY OF DEFENSE where draconian access control and accounting should be routine.
It's very difficult to go from that environment back to the real world where security is measured by successfully implementing long passwords in a company.
Making the inductive(?) leap that OpenOffice.org is insecure is a really long leap of faith. Are there holes? Probably.
In many ways, this is good news because the open source application is being picked over with a fine tooth comb by a large ministry.
Bring it on!
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
... is that France has a Ministry of Defense.
My understanding is that a lot of the security problems in MS Office comes from bad design wrt things like macros which make it very hard to secure the system. If OpenOffice is working towards compatibility with MS Office they may be having to deal with the same types of security issues in trying to secure bad macros and such. Thus it makes sense that OpenOffice would be just as, or even more, insecure than OpenOffice, not only do they have many of the same classes of exploits, but they also have greater pressure to rush these features out (for compatibility reasons) and up till now haven't had the motivation of attackers actively exploiting them to force them to spend the necessary time on security.
I stole this Sig
I think that the flaw they are talking about is CVE-2006-2198, which was fixed in OOo-2.0.3. It was pretty nasty, executes arbitray macro without alerting or prompting the user. However, given that the mistake was already found and fixed, what else does the French Ministry of Defence have to complain about?
Installation d'une fonction offensive C dans la macro DicOOo.
La fonction C est exécutée à l'installation de DicOOo.
"DicOOo" is an installer for dictionaries into OpenOffice. Unfortunately, it seems to have too much power, and can be replaced or induced to install other things. This is an add-on to OpenOffice, and apparently an unsafe one.
a decade or more, at least.
How about we stop writing word processors and spreadsheets that are capable of running code (other than its own)?
I remember back when I was big on a certain usenet news group, we had a discussion about an email virus. The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer, and possibly to your girlfriend/wife/sister/etc. The entire thing was a hoax that preyed on ignorant computer users, and urged them to spread the word.
My argument at the time was basically that an email client could not, or should not execute the text within the email itself, and any client that did, shouldn't be used.
Now I use Outlook on a daily basis, and guess what?
So, let's take a step back to simpler, less efficient applications. Get rid of what causes the vulnerabilities in the first place.
Now where did this box come from?
H.
When VCR's are outlawed, only outlaws will have VCR's.
How secure is MS software that responds to vulnerability discoveries by ignoring them or lying about them, fixing them after months or even several versions (years) later? Because users have to rely on MS to fix them.
Compared to OO.o, which anyone can fix, even the French government itself, but which does fix bugs quickly.
--
make install -not war
It doesn't have a sales staff that can kiss a ministers ass.
"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."
This seems to be the call of the open source zealout, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.
I have been involved with many open source projects over the past couple of years and it usually ends up like this:
1) someone emails a bug to the main programming team
2) someone on the programming team (when they have time..since it is a volunteer position) will look through the code and make the changes
3) rinse and repeat
Proprietary apps actually seem to be better in this respect because at least the main programming team is usually working on it full time and can implement changes in a timely fashion (because they aren't working other jobs). In bigger corporations, this does not always happen because of corporate BS.
"Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office."
Not really. Many proprietary apps still have people that can and do find flaws (much in the same way they find them in open source apps. Sure, the source code helps, but I would imagine it's easy for many of the security experts to test it from the outside).
"The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw it exists or use DMCA to sue the people who disclose the problems"
so why did the people at openoffice.org pass many of the flaws off as theoretical?
I fail to see how this is a black mark against OpenOffice.org
I don't think that's (neccessarily) the point. Whatever MS does about their Office security flaws does not really concern me any longer. There's almost nothing that could ever make me use MS Office again. But so what. The point isn't which suite is better, the point is: OpenOffice.org still has flaws, and those should be fixed. In this context the statement "The [other flaws] are theoretical" does not make me feel good. I want even theoretical flaws to be taken serious, so they won't become real ones ever, if possible to avoid. I just hope the OO.o team does not concentrate too much on having the better PR, but also on having a good product.
Disclaimer: I don't have the slightest clue about OOo security in general, and the "theoretical" flaws in particular, so possible they may in fact be nothing to worry about. If you convince me this is the case, or I'm just mis-interpreting the quote, I'll happily shut up.
... is that when they do have a security 'fix', they force you to update by downloading the entire suite... they don't have differential patches. I personally get sick and tired of having to download around 100 MBytes of app, uninstall the original, and re-install the new. Granted on my Linux box the package updater will do all three, but the updater takes forever to download the files. Quite frankly it is a pain in the ass. Sometimes I delay installing an update because of it (sometimes quite a while). Other than OO, I really am pretty diligent about updating my systems, so I can imagine there are those who just won't bother updating OO at all. I would think this is especially for those who are still on dial-up where a 100 meg download can take many, many hours.
In my opinion, if they want to say they get fixes out quickly, I can call bullshit. Just because you have the code complete doesn't mean the fix is complete. It still needs to be distributed to all the installations. If this is not done because the process is so onerous, then you can't say the fix is released faster than M$. As much as dislike monopolies, they do make the update process a lot less painful.
That said, it is a pretty decent office suite.
-- I ignore anonymous replies to my comments and postings.
The main problem with LaTeX is that, if you use it for much of anything, you'll never have the patience to deal with a word processor again, and will therefore be unable to work with businesspeople on documents. And you'll be forever annoyed by the minor formatting flaws in everybody else's documents, like when paragraphs spanning page breaks have a single line on one of the pages.
Funny, I've heard that advice many times and never any laughing. This is the kind of advice you follow for everything when working in windows. Don't open a document from someone you don't trust, don't go to a website you don't trust, don't open an attachment from someone you don't trust (you even have to be careful opening attachments from people you DO trust)
In fact if anyone's being laughed out of the room for this advice it's because everyone with any common sense has been following this advice since the first computer ever connected itself to the Internet.
being vague is almost as cool as doing that other thing...
Well, considering that a higher proportion of the users of OSS will contribute fixes and bug reports than the equivelant for proprietary software, it doesn't matter as much if fewer of the main programming team are always available. Also, companies that are worried can fix security threats internally and submit the changes back. I'm not a major OSS developer but I've contributed many bug reports to GNOME and some to the linux kernel, and they've all been fixed. I have submitted some usability improvements in patch form too, which can't be done with proprietary stuff. Sure I'm only one person, but if you get even a tiny proportion of the users of a popular piece of software willing to get messy with the code, then it's a positive thing.
The problem I find with most proprietary apps isn't the development model as such, but there's rarely a clear place to forward suggestions and bug reports. For Microsoft software you get the crasher bug reporting with their "Send error report" thing, but there are far many more types of bug that you can submit to bugzilla on most projects (Crasher, usability, suggestion, glitch, etc.). I have seen some Microsoft projects with places to send reports and suggestions, as I have other proprietary stuff, it's just that it usually much less polished if it exists at all.
Right... as compared to closed source, where 0% have the capability of auditing the source code.
Of course, things aren't as black and white as either of our initial comments make things seem. The edge is a bit blurred these days as even Microsoft does have a 'shared source' initiative to allow some interested parties to have a look and those just happen to be some of the most likely ones to actually be motivated and qualified to find and implement fixes. However, openness as the default stance does seem to make a lot more sense because even one's critics can look at the code and make an assessment.
That sounds a lot like the proprietary model except that the 'when they have time' gets replaced with 'if they get budget approval'. I've worked on proprietary software and know, first hand, that development costs are usually dwarfed by customer support costs. In many projects, bugs only get fixed if there's a good business case for the fix.
Either way, resources have to be available, but they can come from outside of the core organization in the case of open source projects. If some customer thinks something is important enough for them, they can always go out and fix themselves. With a commercial program if they aren't a big enough account to make a ripple at headquarters, then it'll never get fixed unless it happens to pop up on the radar of someone more important. Sure, companies that will do this are few and far between, but at least they do have the option. Heaven help them if they decide that they like the legacy version that they've been using for years and haven't ponied up for the forced upgrade to the latest and greatest or even worse, if the company has gone bankrupt and the software is no longer available. At least with source they have a fighting chance.
One of the biggest factors in all of this is the size of the projects. Small open source projects tend to be fairly poorly supported, not as a rule, but in general. Small proprietary programs often have very little support at all and tend to be discontinued. Large, sexy, open source projects get a lot of visibility and tend to benefit from lots of participation and feedback. Large, profitable, proprietary projects tend to have enough paying customers who complain about enough bugs that there's some pressure to get them fixed. Counter examples of all four cases abound, but in general... size matters.
So, perhaps arguments about open vs. closed are really about secondary effects rather than the primary effects.
Sure, SOME proprietary software makes SOME of their code available to A FEW reviewers, but as I wrote above, open by default means that even unexpected sources capable of performing audits and code contribution.
Signatures are a waste of bandwi (buffering...)
Why does MS Office have all these fancy features that only a few people use, yet they open up a world of vulnerabilities? I use MS Excel to write a spreadsheet with some basic formulas, and MS Word to write documents that I could just have easily written in WordPad (minus the spell check). Turn off macros by default, and have a generic "you're running a macro and this is unsafe" popup (which I beleive they already do). If the user clicks yes unwittingly, then they're probably too stupid to read the dialog asking them about the signature, and they're screwed anyhow.
HRESULT WinAPIGetSystemProcessThreadMetricsMenu...
LibraryVolumeModuleHandlePtrEx(PHSPTMMLVM PHndl);