Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenOffice.org Security 'Insufficient'

Posted by ryuzaki0 on from the taunting-crowds dept.

InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""

8 of 184 comments (clear)

  1. "theoretical" by dmiller · · Score: 5, Insightful

    It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.

    1. Re:"theoretical" by morgan_greywolf · · Score: 5, Informative

      The PDF presentation that the group gave was en Français, but I got the gist. I'd post a translation, but my French is a little rusty. ;) Anyway, they seem to be saying that because OOo doesn't support authentication certificates for documents or macros, and because OOo has an API that allows you to program in several different languages (Python, VBScript, Perl, C++, etc.) and that OOo has no solid verifiable security model, that the suite is fundamentally insecure.

      I can see where some of this gets dismissed as "theoretical" -- for instance, while OOo has such an API, this isn't any more secure or insecure than the fact that other applications, like MySQL, for instance, have a similarly flexible API. Ditto for Microsoft Office or any operating system.

      The information on authentication certificates seems a little outdated -- OOo 2.0 supports digital signatures for documents and macros and even security settings that prevent macros from being run that are not signed. I think that as for a solid, verifiable security model, OOo 2.0 seems to have one based on digital signatures.

      --
      My blog
  2. Let me think... by DumbSwede · · Score: 5, Funny

    which should I use, hmmmm...
    Microsoft's Office Suite IS being attacked.
    OpenOffice could, possibly, theorectically, be attacked.

    --
    Letter To Iran
  3. Many eyes at work. Sounds like a + not - by MCRocker · · Score: 5, Insightful

    This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed.

    The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw it exists or use DMCA to sue the people who disclose the problems.

    Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office.

    --
    Signatures are a waste of bandwi (buffering...)
  4. The Bad News Is... by RobotRunAmok · · Score: 5, Funny

    ...that OpenOffice has security flaws.

    The Good News is that in the time it takes the suite to open and load an infected document the malicious hacker has been captured by the FBI, brought to trial, convicted, and a patch made available.

  5. What makes them think MS Office isn't vulnerable? by foreverdisillusioned · · Score: 5, Insightful

    I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.

    I fail to see how this is a black mark against OpenOffice.org.

  6. leaked MS Expense Report by Gothmolly · · Score: 5, Funny

    From: sballmer@microsoft.com
    To: accounting@microsoft.com

    Attached find my receipts for the recent meetings I had with the French Ministry of Defense:

    First class plane ticket to Paris: 2100 USD
    Swank hotel in Paris: 1800 USD
    Dinner for 2 at a spiffy restaurant: 800 USD
    Hookers and blow for MoD officials: 5000 USD

    Business Justification For Expense: I believe that we will sell ONE MILLION copies of Office to the French MoD.

    --Steve

    PS If you get a bill from the hotel about a broken chair, it was like that when I got the room, so I don't think we should pay it. Bill said it would be OK.

    --
    I want to delete my account but Slashdot doesn't allow it.
  7. Maybe we need to take a step back... by Harker · · Score: 5, Interesting

    a decade or more, at least.

    How about we stop writing word processors and spreadsheets that are capable of running code (other than its own)?

    I remember back when I was big on a certain usenet news group, we had a discussion about an email virus. The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer, and possibly to your girlfriend/wife/sister/etc. The entire thing was a hoax that preyed on ignorant computer users, and urged them to spread the word.

    My argument at the time was basically that an email client could not, or should not execute the text within the email itself, and any client that did, shouldn't be used.

    Now I use Outlook on a daily basis, and guess what?

    So, let's take a step back to simpler, less efficient applications. Get rid of what causes the vulnerabilities in the first place.

    Now where did this box come from?

    H.

    --
    When VCR's are outlawed, only outlaws will have VCR's.