OpenOffice.org Security 'Insufficient'

Posted by CmdrTaco on Sun Aug 13, 2006 03:40 PM
from the taunting-crowds dept.
InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""
  • "theoretical" (Score:5, Insightful)

    by dmiller (581) <djm@nosPAm.mindrot.org> on Sunday August 13 2006, @03:45PM (#15899395)
    (http://www.mindrot.org/)
    It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.
    • Re:"theoretical" (Score:5, Informative)

      by morgan_greywolf (835522) on Sunday August 13 2006, @04:09PM (#15899478)
      (http://stylus-toolbox.sf.net/ | Last Journal: Tuesday May 15 2007, @11:50AM)
      The PDF presentation that the group gave was en Français, but I got the gist. I'd post a translation, but my French is a little rusty. ;) Anyway, they seem to be saying that because OOo doesn't support authentication certificates for documents or macros, and because OOo has an API that allows you to program in several different languages (Python, VBScript, Perl, C++, etc.) and that OOo has no solid verifiable security model, that the suite is fundamentally insecure.

      I can see where some of this gets dismissed as "theoretical" -- for instance, while OOo has such an API, this isn't any more secure or insecure than the fact that other applications, like MySQL, for instance, have a similarly flexible API. Ditto for Microsoft Office or any operating system.

      The information on authentication certificates seems a little outdated -- OOo 2.0 supports digital signatures for documents and macros and even security settings that prevent macros from being run that are not signed. I think that as for a solid, verifiable security model, OOo 2.0 seems to have one based on digital signatures.

      • Re:"theoretical" (Score:5, Informative)

        by Red Alastor (742410) on Sunday August 13 2006, @04:39PM (#15899572)
        I speak French, let me translate.
        1. "Official" MS Office competitor.
        2. Share of the market rising.
        3. Cheap but...
        4. What about the real security of OpenOffice ?
        5. Viral analysis by proof of concept
        6. Numerous integrated programming languages : script shell, VBScript, Python, Perl, Asp, Java.
        7. Rich macro developing.
        8. Numerous existing hijackable execution points
        9. No protection mechanism for macros
        10. Zip format makes virus penetration easy.
        11. Macro security is easy to bypass. "Trusted" folders are defined. Any macro placed in those folders is, by definition, trusted.
        12. Document signatures do not really consider macros. Bypassing possibilities
        13. Macros can be linked to events or services.
        14. Other mechanisms : macro chaining, hypertext links, inter-application execution, OLE
        15. Many mechanisms are usable for an infection
        16. All known viral techniques known for Microsoft Office can be translated under OpenOffice.org
        17. Every kind of infection is doable. (Infection and auto-reproduction)
        18. Globally, OpenOffice's suite is a bigger infection risk than Microsoft's suite.
        19. No real security concepts.
        20. Many functional viral roots were made as proof-of-concept
        21. Infection successful no matter the security setting of the user.
        22. Some scenarii can act without alerting the user in any way (scenarii is a stupid plural in French too but they used it in the original)

        Then they go on to explain (still in powerpoint bullets) that they managed to write a macro that sends an e-mail with an attached file which then executed C code which modified dicOOo.

        And they conclude that infection risk under OOo is MAXIMAL and its use should be discouraged for security reasons.

        • Re:"theoretical" (Score:5, Informative)

          by Red Alastor (742410) on Sunday August 13 2006, @04:54PM (#15899617)

          I'm replying to my own post but the other was the translation and this is what I think of it. I think it's bullshit.

          Point number 10, what the fuck? Zip is just a compression format. Point number 11, trusted folders are defined by YOU. So most people don't even have them. But if it's convenient to you to define a folder where all macros are trusted, how is it different from accepting every macro while you open the document? It must be quite convenient for developers who want to test their macros. Most other points? Way too vague to mean anything. Besides, if the danger for an office suite which isn't really attacked right now is "maximal", how should we classify MS Office?

          And their famous proof-of-concept... they won't even tell us how they got it to run. My guess is that they defined a trusted folder and put it in.

          Until they reveal that, this document is worthless. Like that other proof-of-concept from I don't remember which AV vendor. Their macro (if you accepted it) would download a porn picture from the net and put it in the document. I guess it's much more dangerous than sending documents with the picture already in.

      • Re:"theoretical" (Score:4, Insightful)

        by colmore (56499) on Sunday August 13 2006, @05:13PM (#15899686)
        (Last Journal: Tuesday December 09 2003, @02:47AM)
        Someone needs to explain this to me. Why do office suites need these features? For what are they used? I've never worked in a big office that actually uses the macro and scripting features of productivity software.

        Can intra-office communication not be done via RTF? Why do we need document formats that rival PDF and layout-software fileformats in complexity?

        It seems like you could avoid all of this using a smaller array of utilities and custom scripts for office productivity, it just strikes me as impossible to create a scriptable, monolithic, document engine that won't have some sort of security hole on some platform. It seems like a cluster of smaller, more agile tools is the way to go.
        • Re:"theoretical" (Score:5, Interesting)

          by TheRaven64 (641858) on Sunday August 13 2006, @06:38PM (#15899927)
          (http://theravensnest.org/ | Last Journal: Sunday October 07, @07:05AM)
          I've never worked in a big office that actually uses the macro and scripting features of productivity software.

          I worked for a little while for a (very large) organisation that made heavy use of scripting in Office. Every single type of document had an official corporate style. It had a (scripted) wizard that went through and added the sections you want, automatically filled in various bits of it, etc. After five minutes with the wizard you would have a multi-page skeleton document which would then just need text adding.

          If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs, but they had an enormous amount invested in it, and a team working on updating and fixing the templates. It was sometimes a problem ensuring that you had the right version installed (which is why I would go for a client-server model), but even that could probably be fixed by scripting (simply have the wizard check it was the latest version and fetch / install it if not).

          • Re:"theoretical" (Score:4, Insightful)

            If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs

            If I'd been building it, for use with OOo, I'd have given it a backend that generated the OpenDocument data without using any macros within the application. The great thing about having a fully documented, open format like OpenDocument is that you can easily generate and manipulate documents with any tool that's convenient.

            Of course, the same is true of TeX, but if you generate OpenDocument format, then you can use OOo to edit and maintain it. In most environments the users are more likely to be comfortable with that than with TeX.

            I think the openness of the format actually eliminates many of the reasons that macros are so important in the Microsoft Office world.

  • That's a cool thing with open source (Score:4, Insightful)

    by CrazyJim1 (809850) on Sunday August 13 2006, @03:46PM (#15899403)
    (Last Journal: Sunday November 06 2005, @10:30PM)
    If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.
  • which should I use, hmmmm...
    Microsoft's Office Suite IS being attacked.
    OpenOffice could, possibly, theoretically, be attacked.
  • Well (Score:1, Interesting)

    by mysidia (191772) on Sunday August 13 2006, @03:47PM (#15899409)

    They may find the security of OpenOffice to be insufficient. Their grounds for the finding seem rather questionable to me, given the theoretical nature of said flaws, and the very realized nature of Office security flaws.

    I for one find the security of MS Windows as a whole to be insufficient. Quite clearly the only way to achieve a sufficient level of security is to use a patched BSD kernel, and use Vi or Ed for all editing tasks instead of MS Word, OpenOffice, or other similar GUI application.

    In many ways, integrated GUI applications have ineffective security compared to segregated command line applications. When you type a command into a computer, you can be a lot clearer as to what the computer will do.

    You separate viewing some text from viewing a picture, etc.

  • by MCRocker (461060) * on Sunday August 13 2006, @03:48PM (#15899413)
    (http://www.markcrocker.com/~mcrocker/)
    This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed.

    The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw exists or use DMCA to sue the people who disclose the problems.

    Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office.
  • The Bad News Is... (Score:5, Funny)

    by RobotRunAmok (595286) on Sunday August 13 2006, @03:52PM (#15899423)
    ...that OpenOffice has security flaws.

    The Good News is that in the time it takes the suite to open and load an infected document the malicious hacker has been captured by the FBI, brought to trial, convicted, and a patch made available.
  • by foreverdisillusioned (763799) on Sunday August 13 2006, @03:52PM (#15899424)
    (Last Journal: Thursday November 10 2005, @01:30AM)
    I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.

    I fail to see how this is a black mark against OpenOffice.org.
  • MMKay.. Interesting, but.. (Score:4, Informative)

    by wwiiol_toofless (991717) on Sunday August 13 2006, @03:56PM (#15899438)
    OpenOffice.org is FREE! FREE I tell you! Given the choice between a known-to-be-vulnerable $200 suite and a hypothetically-vulnerable Freeware suite, I'll take the latter. The day I discovered OO still ranks in the top 10 of my favorite computing moments of my life.
  • What's the point (Score:1)

    by alveraan (945484) on Sunday August 13 2006, @03:59PM (#15899443)

    in talking about what os/office suite/browser/... has the most bugs. Just report them to the programmers so they can fix them. I mean, this is an open source project. I'm sure they care about critical security bugs...

    If a company/project takes 2 years average to fix a bug, that's a problem, but hey - stop spreading blame and start spreading bug reports. That's far more productive.

  • OO.org is vulnerable (Score:4, Insightful)

    by Elektroschock (659467) on Sunday August 13 2006, @04:05PM (#15899465)
    True. Guess the same applies to Abiword. But who will write an Abiword worm?
  • leaked MS Expense Report (Score:5, Funny)

    by Gothmolly (148874) on Sunday August 13 2006, @04:07PM (#15899472)
    From: sballmer@microsoft.com
    To: accounting@microsoft.com

    Attached find my receipts for the recent meetings I had with the French Ministry of Defense:

    First class plane ticket to Paris: 2100 USD
    Swank hotel in Paris: 1800 USD
    Dinner for 2 at a spiffy restaurant: 800 USD
    Hookers and blow for MoD officials: 5000 USD

    Business Justification For Expense: I believe that we will sell ONE MILLION copies of Office to the French MoD.

    --Steve

    PS If you get a bill from the hotel about a broken chair, it was like that when I got the room, so I don't think we should pay it. Bill said it would be OK.
  • Gentle Reminder About the Ministry (Score:5, Insightful)

    by mpapet (761907) on Sunday August 13 2006, @04:09PM (#15899477)
    (http://www.friendwich.com/ | Last Journal: Thursday November 09 2006, @12:05PM)
    This is the MINISTRY OF DEFENSE where draconian access control and accounting should be routine.

    It's very difficult to go from that environment back to the real world where security is measured by successfully implementing long passwords in a company.

    Making the inductive(?) leap that OpenOffice.org is insecure is a really long leap of faith. Are there holes? Probably.

    In many ways, this is good news because the open source application is being picked over with a fine tooth comb by a large ministry.

    Bring it on!
  • The important news here (Score:4, Funny)

    by andreMA (643885) on Sunday August 13 2006, @04:12PM (#15899486)
    ... is that France has a Ministry of Defense.
  • Insecure by association? (Score:5, Insightful)

    by quantaman (517394) on Sunday August 13 2006, @04:13PM (#15899492)
    My understanding is that a lot of the security problems in MS Office comes from bad design wrt things like macros which make it very hard to secure the system. If OpenOffice is working towards compatibility with MS Office they may be having to deal with the same types of security issues in trying to secure bad macros and such. Thus it makes sense that OpenOffice would be just as, or even more, insecure than OpenOffice, not only do they have many of the same classes of exploits, but they also have greater pressure to rush these features out (for compatibility reasons) and up till now haven't had the motivation of attackers actively exploiting them to force them to spend the necessary time on security.
  • OPDs and Latex (Score:2)

    by MarkWatson (189759) on Sunday August 13 2006, @04:15PM (#15899497)
    (http://www.markwatson.com/)
    Well, be careful of Other People's Documents (OPDs)!

    I always turn off any live macro support in OpenOffice.org and Microsoft Word, and hope that is good enough security. I also tend to open Word .doc files I receive from other people in OpenOffice.org.

    A little off topic, but I have been blogging about this lately: whether I am writing up short project documents or working on a for-fun book project (Ruby AI Programming), I find that just using Latex is much more productive for me. One reason is just seeing raw text (with a little markup) seems less distracting. Also, I find Latex easier to automate for stuff like running external commands and including the output, auto-insert of external files using custom listing styles for programs and for program output, etc. This is great when writing about programming - tweak the code examples, and the next time you run Latex on the main document, the new code versions and new output are included. Sweet. The "overhead" for writing is reduced, giving me more time to post on Slashdot :-)
    • Re:OPDs and Latex (Score:4, Informative)

      by iabervon (1971) on Sunday August 13 2006, @06:05PM (#15899823)
      (http://iabervon.org/~barkalow/ | Last Journal: Saturday May 31 2003, @02:01AM)
      The main problem with LaTeX is that, if you use it for much of anything, you'll never have the patience to deal with a word processor again, and will therefore be unable to work with businesspeople on documents. And you'll be forever annoyed by the minor formatting flaws in everybody else's documents, like when paragraphs spanning page breaks have a single line on one of the pages.
  • CVE-2006-2198 (Score:5, Informative)

    by tetromino (807969) on Sunday August 13 2006, @04:18PM (#15899507)
    I think that the flaw they are talking about is CVE-2006-2198 [mitre.org], which was fixed in OOo-2.0.3. It was pretty nasty: it executes an arbitrary macro without alerting or prompting the user. However, given that the mistake was already found and fixed, what else does the French Ministry of Defence have to complain about?
  • Microsoft or Sun? (Score:2)

    by Rudolf (43885) on Sunday August 13 2006, @04:24PM (#15899527)
    From the summary: ...vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version

    Microsoft has a version of OpenOffice? Isn't OpenOffice's closed version StarOffice, which is owned by Sun, not MS?

  • The actual problem is DicOOo (Score:4, Informative)

    by Animats (122034) on Sunday August 13 2006, @04:27PM (#15899538)
    (http://www.animats.com)
    Here's the attack:

    Installation of an offensive C function in the DicOOo macro.
    The C function is executed when DicOOo is installed.

    "DicOOo" is an installer for dictionaries into OpenOffice. Unfortunately, it seems to have too much power, and can be replaced or induced to install other things. This is an add-on to OpenOffice, and apparently an unsafe one.

  • Maybe we need to take a step back... (Score:5, Interesting)

    by Harker (96598) on Sunday August 13 2006, @04:29PM (#15899544)
    a decade or more, at least.

    How about we stop writing word processors and spreadsheets that are capable of running code (other than its own)?

    I remember back when I was big on a certain usenet news group, we had a discussion about an email virus. The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer, and possibly to your girlfriend/wife/sister/etc. The entire thing was a hoax that preyed on ignorant computer users, and urged them to spread the word.

    My argument at the time was basically that an email client could not, or should not execute the text within the email itself, and any client that did, shouldn't be used.

    Now I use Outlook on a daily basis, and guess what?

    So, let's take a step back to simpler, less efficient applications. Get rid of what causes the vulnerabilities in the first place.

    Now where did this box come from?

    H.
  • Alternatives (Score:4, Interesting)

    How secure is MS software that responds to vulnerability discoveries by ignoring them or lying about them, fixing them after months or even several versions (years) later? Because users have to rely on MS to fix them.

    Compared to OO.o, which anyone can fix, even the French government itself, but which does fix bugs quickly.
  • by popsicle67 (929681) on Sunday August 13 2006, @04:32PM (#15899553)
    It doesn't have a sales staff that can kiss a minister's ass.
  • What a productive attitude (Score:1, Flamebait)

    by ElektroHolunder (514550) on Sunday August 13 2006, @05:33PM (#15899742)
    Great. A government agency sees enough potential in OO.org to spend a probably not insignificant amount of time and money on analysing the code, and what is the reaction around here? Finger pointing. "But MS Office is at least just as bad, yadda yadda yadda".

    How constructive. When you were a child and you came back from school with your less-than-stellar marks, did you point at your retarded little cousin and yell "but Bob's marks are even worse"?

    Either refute their points if they are wrong, or suck it up like a man, use the money already spent for the betterment of the project and get your shit together and clean up the mess.

    And yes, I know that the people whining around here are probably not the same spending their time coding on OO. Still, this attitude pisses me off.
  • Consider the source. (Score:1, Troll)

    by kahrytan (913147) on Sunday August 13 2006, @05:54PM (#15899790)
    (http://humblebegin.blogspot.com/)
    Consider the Source -- The French. Need I say more?
  • by paj1234 (234750) on Sunday August 13 2006, @05:55PM (#15899795)
    1) Click Tools menu.
    2) Click Options.
    3) On the left side, click the Security category.
    4) Under "OpenOffice.org Basic Script", set "Run macro" to "Never".
    5) Under "Hyperlinks", set "Open hyperlinks" to "Never".
    6) Under "Java", untick "Enable".
    7) Under "Enable", untick "Plug-ins" and untick "Applets".
    8) Click OK.

    OpenOffice.org will now be configured for best security. Some functionality will not be available. Depending upon your system, you may need to repeat these steps for each user account.
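
A pre-open check that complements the settings above and the translated slides' point that macros can be linked to events, as an added example that is not part of the original thread: it lists macro libraries and script-bound events inside an OpenDocument package (a zip archive) without launching the suite. The `Basic/` and `Scripts/` directories, the `META-INF` signature file names and the `script:event-listener` element are taken from the OpenDocument package layout rather than from this page, and the sample package is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
MACRO_DIRS = ("Basic/", "Scripts/")  # Basic libraries / other script languages
MAX_XML_BYTES = 20 * 1024 * 1024     # assumed cap against decompression bombs


def _read_xml(zf, name):
    """Parse one package member, refusing oversized or entity-declaring XML."""
    if zf.getinfo(name).file_size > MAX_XML_BYTES:
        raise ValueError(f"{name}: uncompressed size exceeds cap")
    raw = zf.read(name)
    if b"<!ENTITY" in raw:
        raise ValueError(f"{name}: entity declarations are not expected here")
    return ET.fromstring(raw)


def triage_odf(data):
    """Report macro-related content in an ODF package without opening it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report = {
            # Files stored under the macro library directories.
            "macro_files": sorted(
                n for n in names
                if n.startswith(MACRO_DIRS) and not n.endswith("/")),
            # (event, script URL) pairs: code that runs on a document event.
            "event_bindings": [],
            # Presence only; this does not validate either signature.
            "document_signature_present":
                "META-INF/documentsignatures.xml" in names,
            "macro_signature_present":
                "META-INF/macrosignatures.xml" in names,
        }
        if "content.xml" in names:
            root = _read_xml(zf, "content.xml")
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                report["event_bindings"].append(
                    (el.get(f"{{{SCRIPT_NS}}}event-name"),
                     el.get(f"{{{XLINK_NS}}}href")))
    report["needs_review"] = bool(
        report["macro_files"] or report["event_bindings"])
    return report


def build_sample(with_macro=True):
    """Constructed sample package for the demo (not a real-world document)."""
    listener = (
        '<office:event-listeners>'
        '<script:event-listener script:language="ooo:script"'
        ' script:event-name="dom:load" xlink:href="vnd.sun.star.script:'
        'Standard.Module1.Main?language=Basic&amp;location=document"/>'
        '</office:event-listeners>') if with_macro else ''
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office='
        '"urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        f' xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
        f'<office:scripts>{listener}</office:scripts>'
        '<office:body/></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
        # Placeholder bodies: only the member names matter to the triage.
        zf.writestr("META-INF/documentsignatures.xml", "<placeholder/>")
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml", "<placeholder/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("macro sample", True), ("clean sample", False)):
        print(label, triage_odf(build_sample(flag)))
```

A package that reports a document signature but no macro signature while still carrying macro files is the case worth routing to manual review before anyone opens it.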
  • Office's APIs (Score:1)

    by peterfa (941523) on Sunday August 13 2006, @07:19PM (#15900057)

    My sister's fiance is a total Microsoft zealot. He loves that Windows. He told me about some exciting things about Microsoft Office 2007 or something like that. He tells me about these APIs that you can do all this crazy stuff with. In my mind I wonder about why an office suite is supposed to do all that stuff... thinking if it's an office suite it really should do the office functions, and not anything else.

    Those APIs may be one reason why Office is insecure.

    OO.o wouldn't try this. They would stick to the UNIX philosophy that each utility should do only one thing, but do it well.

  • Buffer overflow, not just macros (Score:1, Interesting)

    by Anonymous Coward on Monday August 14 2006, @04:48AM (#15901439)
    Read this: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openoffice [mitre.org]

    Note that 2.0.3 fixes (at least) 3 flaws, one of which involves a buffer overflow that happens when you open any kind of openoffice document: http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-the-openoffice-suite/ [ngssoftware.com]

    Now, this doesn't mean OpenOffice security is bad, or that it's good, it just means that OpenOffice is subject to exactly the same kinds of security issues that happen whenever a complex app parses a complex data format. To pretend that it's somehow magically immune to this class of problem because of open source pixie dust is utter rubbish. Read the code.
  • Just Turn Macros Off (Score:3, Interesting)

    by xdxfp (992259) on Monday August 14 2006, @06:58AM (#15901706)
    Why does MS Office have all these fancy features that only a few people use, yet they open up a world of vulnerabilities? I use MS Excel to write a spreadsheet with some basic formulas, and MS Word to write documents that I could just as easily have written in WordPad (minus the spell check). Turn off macros by default, and have a generic "you're running a macro and this is unsafe" popup (which I believe they already do). If the user clicks yes unwittingly, then they're probably too stupid to read the dialog asking them about the signature, and they're screwed anyhow.
  • Re:Theoretical (Score:1)

    by Neuropol (665537) on Sunday August 13 2006, @04:06PM (#15899471)
    Agreed. And I'm sure people are working on it and looking in to it. Even on this fine Sunday evening.

    Most likely right at the time when the OO.o devs were sitting down to a nice Sunday dinner. Then all of a sudden one looks over at his idling machine and sees that a story about his software has been posted at slashdot "... gasp ... choke ... (insert Heimlich maneuver)!"

    In theory, an OO developer has just come close to near death to a near exploit found in OO!

    Look what you've done! Couldn't this have waited til Monday morning?
  • by jtev (133871) on Sunday August 13 2006, @10:09PM (#15900581)
    (Last Journal: Wednesday June 16 2004, @06:27PM)
    What, The, Fuck? It's only a Microsoft App if Microsoft develops it. There may be a few bugs inherent in the operating system, but that is true with all operating systems. You cannot blame Microsoft for any bug that is not inherent in a product or API they developed. That'd be like blaming Linus for bugs in some newbie's "Hello World!" program. The bugs in Firefox you're talking about were an API bug. But, nobody wants to write their own API to do every single function in a program. Especially when the APIs for other host OSes do not have that particular bug, and the bug isn't known at the time the API is first used.
  • actually it would be better if in the case of a platform specific bug (which this isn't btw) then it should be mentioned that Project Name on Platform

    It's like cars: if a Ford Pinto has a "crash and burn" (>8-)) bug it doesn't affect other Fords, but something like the tires used (say a certain type of FireStone tires) would affect all Fords (that used those tires).
  • problem spots you ought to address. These may be areas that need some additional checking etc. but they are not yet practical exploits. They may however be whole classes of exploits in the future.

    One can never get rid of all theoretical exploits. What one can do is prevent them from being practical to exploit in general by adding additional checks and countermeasures.
  • And I'm sure all of anyone's personal files are worthless and wouldn't be missed if they were hacked/destroyed eh?

    Seriously, most of the macro viruses affecting Microsoft Office have little to do with system files and everything to do with user files.

    It sounds to me like this article raises very valid points.

    Someday a lot of Linux users will get off their high horse and realize that their beloved OS isn't as bulletproof as they'd like to believe. Someday....

    Meanwhile, OpenOffice.org is cross-platform, so it's bringing its vulnerabilities to Linux, OS X, *BSD, Windows....

    Oh and I run Linux myself (Ubuntu Dapper, Fedora Core 5 & Debian Sid) as well as Windows XP/Vista. This message was made with Ubuntu 6.06.1