OpenOffice.org Security 'Insufficient'

InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""

"theoretical"

[dmiller]

It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.

Re:"theoretical"

[morgan_greywolf]

The PDF presentation that the group gave was en Français, but I got the gist. I'd post a translation, but my French is a little rusty. ;) Anyway, they seem to be saying that because OOo doesn't support authentication certificates for documents or macros, and because OOo has an API that allows you to program in several different languages (Python, VBScript, Perl, C++, etc.) and that OOo has no solid verifiable security model, that the suite is fundamentally insecure.

I can see where some of this gets dismissed as "theoretical" -- for instance, while OOo has such an API, this isn't any more secure or insecure than the fact that other applications, like MySQL, for instance, have a similarly flexible API. Ditto for Microsoft Office or any operating system.

The information on authentication certificates seems a little outdated -- OOo 2.0 supports digital signatures for documents and macros and even security settings that prevent macros from being run that are not signed. I think that as for a solid, verifiable security model, OOo 2.0 seems to have one based on digital signatures.

Re:"theoretical"

[Red Alastor]

I speak French, let me translate.

1. "Official" MS Office competitor.
2. Share of the market rising.
3. Cheap but...
4. What about the real security of OpenOffice ?
5. Viral analysis by proof of concept
6. Numerous integrated programming languages : script shell, VBScript, Python, Perl, Asp, Java.
7. Rich macro developing.
8. Numerous existing hijackable execution points
9. No protection mecanism for macros
10. zip format is makes virus penetration easy.
11. Macro security is easy to bypass. "Trusted" folders are defined. Any macro placed in those folders is by definition, trusted.
12. Document signature do not really consider macros. Bypassing possibilities
13. Macros can be linked to events or services.
14. Other mechanisms : macro chaining, hypertext links, inter-application execution, OLE
15. Many mechanisms are usable for an infection
16. All known viral techniques known for Microsoft Office can be translated under OpenOffice.org
17. Every kind of infection is doable. (Infection and auto-reproduction)
18. Globaly, OpenOffice's suite is a bigger infection risk than Microsoft's suite.
19. No real security concepts.
20. Many functional viral roots were made as proof-of-concept
21. Infection successful no matter the security setting of the user.
22. Some senarii can act without alerting the user in any way (scenarii is a stupid plural in French too but they used it in the original)

Then they go on to explain (still in powerpoint bullets) that they managed to write a macro that sends an e-mail with an attached file which then executed C code which modified dicOOo.

And they conclude that infection risk under OOo is MAXIMAL and its use should be discouraged for security reasons.

Re:"theoretical"

[Red Alastor]

I'm replying to my own post but the other was the translation and this is what I think of it. I think it's bullshit.

Point number 10, what the fuck ? zip is just a comression format. Point number 11, trusted folders are defined by YOU. So most people don't even have them. But if it's convenient to you to define a folder where all macros are trusted how is it different from accepting every macro while you open the document ? It must be quite convenient for developers who want to test their macros. Most other points ? Way too vague to mean anything. Beside, if the danger for an office suite which isn't really attacked right now is "maximal", how should be classify MS Office ?

And their famous proof-of-concept... they won't even tell us how they got it to run. My guess is that they defined a trusted folder and put it in.

Until they reveal that, this document is worthless. Like that other proof-of-concept from I don't remember which AV vendor. Their macro (if you accepted it) would download a porn picture from the net and put it in the document. I guess it's much more dangerous than sending documents with the picture already in.

Re:"theoretical"

[Anonymous Coward]

No, no, no... if you can unzip faster, you can penetrate faster. And if you happen to have a virus...

Re:"theoretical"

[Red Alastor]

I took this crap in the original document. Scenarii is as stupid in French as virii is in English so I left it intact.

Re:"theoretical"

[mpe]

Do you sit around trying to see who can come up with the most idiotic perversion of the English language, or are you really that stupid?

Given the origin of the document the language being perverted is more likely to be French.

Re:"theoretical"

[jez9999]

At least it's not as bad as US perversions of the language. 'Burglarize', anyone?

Re:"theoretical"

[boule75]

Guys. Last time I was taught about this, this came right down from the Latin language... In French, the singular is "scénario", and the plural may be "scénarios" (common) or "scénarii" (rare, direct from the Latin). Note the funny accent on the "E" which is no Latin sprach whatsoever !-)

Anyway, no need to boast any moral superiority there.

Re:"theoretical"

[Red Alastor]

Guys. Last time I was taught about this, this came right down from the Latin language... In French, the singular is "scénario", and the plural may be "scénarios" (common) or "scénarii" (rare, direct from the Latin). Note the funny accent on the "E" which is no Latin sprach whatsoever !-)

That would make it the only French word that ends in "ii". French is my main language and even though scenarii is used in France (fortunately, I'm not living there), it's bad French. And it sounds awful.

Re:"theoretical"

[colmore]

Someone needs to explain this to me. Why do office suites need these features? For what are they used? I've never worked in a big office that actually uses the macro and scripting features of productivity software.

Can intra-office communication not be done via RTF? Why do we need document formats that rival PDF and layout-software fileformats in complexity?

It seems like you could avoid all of this using a smaller array of utilities and custom scripts for office productivity, it just strikes me as impossible to create a scriptable, monolithic, document engine that won't have some sort of security hole on some platform. It seems like a cluster of smaller, more agile tools is the way to go.

Re:"theoretical"

[TheRaven64]

I've never worked in a big office that actually uses the macro and scripting features of productivity software.

I worked for a little while for a (very large) organisation that made heavy use of scripting in Office. Every single type of document had an official corporate style. It had a (scripted) wizard that went through and added the sections you want, automatically filled in various bits of it, etc. After five minutes with the wizard you would have a multi-page skeleton document which would then just need text adding.

If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs, but they had an enormous amount invested in the it, and a team working on updating and fixing the templates. It was sometimes a problem ensuring that you had the right version installed (which is why I would go for a client-server model), but even that could probably be fixed by scripting (simply have the wizard check it was the latest version and fetch / install it if now).

Re:"theoretical"

[swillden]

If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs

If I'd been building it, for use with OOo, I'd have given it a backend that generated the OpenDocument data without using any macros within the application. The great thing about having a fully documented, open format like OpenDocument is that you can easily generate and manipulate documents with any tool that's convenient.

Of course, the same is true of TeX, but if you generate OpenDocument format, then you can use OOo to edit and maintain it. In most environments the users are more likely to be comfortable with that than with TeX.

I think the openness of the format actually eliminates many of the reasons that macros are so important in the Microsoft Office world.

Re:"theoretical"

[owlstead]

Simply said, people don't like to start up 2 programs just to create one text document. And writing a complete GUI for this is not productive. There is no shame in using templates and/or macros for this. As long as the macro system is restricted to the document, there is no reason not to use macro's. If you need more, there is no problem in using some plugin either. This whole "scripting is bad" is just a problem because they created too big a sandbox.

Re:"theoretical"

[swillden]

Have you ever actually generated any OpenDocuments? A bit of code to generate some custom XML, plus an XSLT stylesheet to convert it makes it *extremely* easy to build them. More powerful, flexible, extensible and often quite a bit simpler than using macros. Oh, and no security problems at all. It's a Better Way.

Re:"theoretical"

[imroy]

I can't understand why office suites and their formats need macros, at least when they're embedded in the document. I think it's quite simple: don't mix data and code. If you need macros/scripts/whatever, put them into another file (and format) separate from the document. That way it's easier to sort out which is which e.g email filters.

Re:"theoretical"

[Planesdragon]

I think it's quite simple: don't mix data and code.

Data and code are fundamentally linked. You can put an artificial barrier between them, but that doesn't do much if you lose functionality by doing so.

Let's say that I've got an Excel Sheet (I do) that needs to call a custom function that Excel doesn't ship with (I do, as well). While it would, in theory, be possible to move that code to a seperate macro in a "code" file somewhere, I'd still have to find a way to let anyone who opens my document get at th

Re:"theoretical"

[imroy]

Hmm, I guess I wasn't talking about simple functions when I said "don't mix data and code". They should be OK. The problem comes with the stuff that allows applications to be written, and especially with the ability of "hooking" into internal functionality of the office program. That's where you get self-replicating worms happening. I still think that sort of stuff should be external to the office program and file format. The thing is that MS makes Visual Basic and then uses "Visual Basic for Applications"

Re:"theoretical"

[GodWasAnAlien]

Yes, if the macro can modify, edit, or destroy _this_ document, then someone can send you whatever corrupt documents they wish. They could not set global settings, or operate outside the document. No problem, really.

If a macro lets you write documents that can change other documents, your system, or the outside internet, the the program is as broken as ms office.

intra-office communication via RTF doesn't help

[beh]

Can intra-office communication not be done via RTF?

It easily could - but that's beside the point. THe fact that you can run "virus-free" software on Windows does not preclude you from (inadvertently) running something virus-infected.

You may do all your company internal documents in RTF even in MS Office - but if one of the company secretaries opens up a document sent by an outside source (maybe a seemingly legitimate one), which DOES contain a virus, your system's security is still screwed. Your RTFs might

Re:"theoretical"

[cyber-vandal]

I have and do. I wish people would stop saying "I don't use it so it must be pointless"; macros are very useful and save me a lot of time. Excel doesn't come with the be all and end all of functions; sometimes a user-defined one is necessary. Word doesn't allow for every possible permutation; sometimes a little program is needed. Custom scripts would be good too, I hate having to load Word to generate a document, but when the document is already open and being edited a macro makes more sense than an externa

Re:"theoretical"

[jimicus]

Someone needs to explain this to me. Why do office suites need these features? For what are they used? I've never worked in a big office that actually uses the macro and scripting features of productivity software.

What generally happens is this (and I'd expect it to be much the same for most of Office's macro features):

Department A perceives a need for a complicated spreadsheet or a small database. It's not really complicated enough to go through the "pass it up the line and set up a project in conjunction

Re:"theoretical"

[cnelzie]

The "IT" Department of that company isn't doing it's job.

    Fred shouldn't be capable of installing any software to create a database on any computer within his department.

    At best, Fred could create an Excel Spreadsheet. Depenending upon the amount of data going into the file, the IT Department would probably hear about it sooner or later, as Excel simply cannot hold that much information without getting really wonky.

Re:"theoretical"

[jimicus]

Fred doesn't need to be capable of installing any software. It's already installed; it's called "Access".

And trust me, by the time the IT department hears about it it's probably already taken a strong foothold.

Re:"theoretical"

[0racle]

"It's only a theory."

Re:"theoretical"

[Sikmaz]

The sentence above that also says:
""This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software."

So the important issue was fixed and now they are discussing how to improve security overall, it sounds to me like they handled it perfectly.

Re:"theoretical"

[Marcion]

It seems to be OpenOffice on Windows. I have 64bit Linux, behind an Selinux hardened firewall - nothing is able to exploit office software from over the network. I send out documents in PDF format. People likewise send me docs in PDF or text (or Word arrr). If I was sent an ODF then I would probably open it with Abiword, is the macro going to exploit that, what about Koffice?

Not being part of the software monoculture has enough security benefits that I doubt it would ever pay to attack us when there are eno

Re:"theoretical"

[mspohr]

TFA said they were working to fix them in cooperation with French security experts. They were not "dismissed" but rather they have started to patch them.

Re:"theoretical"

[imroy]

From that "presentation":

...amazing it works on linux (as usual, by luck)

What ever made people think the OpenBSD guys are a bunch of arrogant fucks?

Re:"theoretical"

[dmiller]

You are displaying your ignorance (or are just trolling) - porting software exposes bugs. Most frequently these bugs are precisely things that work "by luck" on the platform on which the software originally ran because they depend on false assumptions. As the software is ported to another platform, the false assumptions are made visible. This applies doubly to something like OpenBSD, which goes out of its way to make bad assumptions visible, particulaly those related to memory management [openbsd.org]

Re:"theoretical"

[imroy]

Ok, porting frequently exposes bugs. I'm a programmer and undertand that. Except that OpenOffice.org already exists on several platforms. And StarOffice [wikipedia.org] has been around since 1994 on various Unix platforms. What I was referring to was that there seems to be a group of BSD users who resent the popularity and success of Linux and try to put it down at every available opportunity. I saw that comment as the product of this childish anti-Linux attitude.

Re:"theoretical"

[baadger]

That may well explain why Gentoo, a *source distro*, hasn't got anything but a binary package of Open Office. Apparently it's hell to compile.

Re:"theoretical"

[Dan Ost]

You're misinformed. Gentoo has both a source ebuild (app-office/openoffice) and
a binary ebuild (app-office/openoffice-bin).

I use the source version myself (takes several hours to compile).

Re:"theoretical"

[baadger]

Ah, that'd be because it's keyworded "-amd64". Doesn't build as 64 bit at all :|

Thats a cool thing with open source

[CrazyJim1]

If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.

Re:Thats a cool thing with open source

[daniil]

The cool thing about corporations is that it takes them longer to produce new bugs and set them loose in the wild.

The problem with Open Office

[theshowmecanuck]

... is that when they do have a security 'fix', they force you to update by downloading the entire suite... they don't have differential patches. I personally get sick and tired of having to download around 100 MBytes of app, uninstall the original, and re-install the new. Granted on my Linux box the package updater will do all three, but the updater takes forever to download the files. Quite frankly it is a pain in the ass. Sometimes I delay installing an update because of it (sometimes quite a while).

Re:The problem with Open Office

[penix1]

"The problem you highlight, is a problem with all Linux distros that I've tried. No distro seems to provide proper patch level dependency checking or provides incremental patch files."

Then you haven't done Gentoo. Even big programs like Xorg, KDE, KOffice, etc. are done now in meta form allowing an update to one part without doing it all. I eventually see programs like Ooo going that route in Gentoo as well. Any other dependancy change is handled by revdep-rebuild. All-in-all, Gentoo is a fine distro for th

Nebulous terms don't help

[penix1]

"Much as I enjoy watching gcc messages fly past, that is not a credible solution in an enterprise environment."

Ok, I'm going to call you on this...

Just exactly how do you define "enterprise environment"? If by "enterprise environment" you are talking server farms, gentoo is already on quite a few. If you are talking desktops, again, it is on quite a few and can be installed (if that is a measure) in under 20 minutes (GRP).

I installed Gentoo in 2000. That was the first time as well as the last time I install

Re:Thats a cool thing with open source

[nwbvt]

I've seen plenty of security bugs in open source code that don't get updated right away. Open source is not all that different from closed source software in this sense. While it certainly is fun to pretend open source is perfect and is in every way better than commercial software, that simply is not true.

Re:Thats a cool thing with open source

[Pharmboy]

On the server side, critical security bugs are fixed on average of one to 3 days in Linux. Be it a kernel issue, sshd, apache, bind, vsftpd/proftpd, sendmail or any other widely used daemon.

Minor programs not as fast but still faster than MS and the main programs that offer the greatest possibility for root exploits have always been fixed in just a day or two. I welcome any example where it took 4 weeks for a fix for a main package.

I don't think Linux is safer because I use it on my servers, I use it on m

Re:Thats a cool thing with open source

[nwbvt]

"I welcome any example where it took 4 weeks for a fix for a main package."

Well offhand, here is one [sourceforge.net] opened 3 years ago which still hasn't been fixed, though it would be difficult to exploit. Basically what happens is that that a machine with trust level 4 (the default is 3, so again this would be difficult to exploit) to gain level 5 access (meaning they can run arbitrary commands on computer running the service. No, STAF/STAX is not as big as Linux (which is why I was talking about open source in gen

Re:Thats a cool thing with open source

[Penguin]

Yeah, open source is great. I'm so happy that after a year nobody responded to my Firefox bug report marked as security related issue. After a year I suppose someone got a notification email and re-wrote the summary, but it is still marked as "NEW". This bug is over a year old, no way it could be regarded "NEW". It should be "FIXED" or at least "INVALID" (or "GET A LIFE, MORON"). Currently it is assigned to "Nobody's working on this, feel free to take it". Yay, the power of open source.

I'm sorry that you pu

Re:Thats a cool thing with open source

[mcrbids]

But happy-go-lucky progress just doesn't cut it for security efforts. BIND is open source as well, but its security track record has been awful, especially by comparsion of the simplicity of a DNS server versus web servers (or any other kind of application)

Perhaps a bit ironic that you mention BIND. It's been quite a while since there's been a big security problem in BIND, and is currently the driving force in the largest security update to the DNS protocol in, like, decades - DNSSEC.

Yes, the BIND sources w

Re:Thats a cool thing with open source

[westlake]

Thats a cool thing with open source...If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.

Last I heard, Sun was still providing the money, manpower, leadership, and material resources going into the development of OpenOffice.org. That contributions from outsiders were trivial, given the scale and complexity of

Re:Thats a cool thing with open source

[TheRaven64]

contributions from outsiders were trivial, given the scale and complexity of the project.

Sun does about 80% of the work on OpenOffice.org. This is a significant majority, but I would hardly classify 20% a trivial. The second largest contributor is Novell. Since they have OpenOffice.org deployed on every single one of their employees machines, they do a lot of work fixing dogfood bugs.

Re:Thats a cool thing with open source

[DrXym]

If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.

The problem with Open Office is that someone could check the fix in tonight but you wouldn't necessarily see a 2.04 until whenever they felt like releasing it which could be months or more. So really it's irrelevant in that situation that you're dealing with

Re:Thats a cool thing with open source

[abigsmurf]

However patching suffers from the same problem of virus scanners in that it's usually reactionary, they only patch bugs after they're known.

A smart hacker will find an exploit, not reveal it to anyone and only use it on select targets. It could be a long time before this exploit is noticed and fixed. One of the flaws of OSS is that a hacker can find flaws that haven't been fixed in a much easier way because the source is in front of him.

Re:Thats a cool thing with open source

[Pharmboy]

Or they issue a hotfix that's automatically downloaded and installed.

You forgot to add " but often breaks some other piece of software."

Let me think...

[DumbSwede]

which should I use, hmmmm...
Microsoft's Office Suite IS being attacked.
OpenOffice could, possibly, theorectically, be attacked.

Re:Let me think...

[daniil]

If you have to choose between the state of war and the state of constant fear, then you cannot possibly lose, can you?

Re:Let me think...

[Deliveranc3]

Sad truth, which will cost more to use next month...
Already installed vs has to be installed.

Re:Let me think...

[Jim_Callahan]

So you're saying that your preferred product has better security as a result of its relative obscurity... don't we have a saying about that somewhere?

Many eyes at work. Sounds like a + not -

[MCRocker]

This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed.

The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw it exists or use DMCA to sue the people who disclose the problems.

Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office.

Re:Many eyes at work. Sounds like a + not -

[kz45]

"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."

This seems to be the call of the open source zealout, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.

I have been involved with many open source projects over the past couple of years and it usually ends up like this:

1) someone emails a bug

Re:Many eyes at work. Sounds like a + not -

[electroniceric]

"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."

This seems to be the call of the open source zealout, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.

While I agree that the attitude that open source fixes all vulnerabilities is blasee, your statement is also a bit too broad. Secure proje

Re:Many eyes at work. Sounds like a + not -

[someone300]

Well, considering that a higher proportion of the users of OSS will contribute fixes and bug reports than the equivelant for proprietary software, it doesn't matter as much if fewer of the main programming team are always available. Also, companies that are worried can fix security threats internally and submit the changes back. I'm not a major OSS developer but I've contributed many bug reports to GNOME and some to the linux kernel, and they've all been fixed. I have submitted some usability improvements i

Re:Many eyes at work. Sounds like a + not -

[MCRocker]

"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."

This seems to be the call of the open source zealout, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.

Right... as compared to closed source, where 0% have the capability of auditing the source code.

Of course, things aren't as black and white

Re:Many eyes at work. Sounds like a + not -

[DrXym]

The problem with OpenOffice is that its a massive project (120000+ files) and incredibly daunting to build with many inter-dependencies on non-trivial 3rd party packages. How many eyeballs actually look at the code, and can you say for sure that it is any more than for MS Office?

Now don't get me wrong. I *only* use OO for home use (MSO is required for office work), but it would be incredibly bad assumption that OO has less exploits than MSO. It's simply that the bad guys have bigger fish to fry. OO is a t

The Bad News Is...

[RobotRunAmok]

...that OpenOffice has security flaws.

The Good News is that in the time it takes the suite to open and load an infected document the malicious hacker has been captured by the FBI, brought to trial, convicted, and a patch made available.

Re:The Bad News Is...

[miro f]

actually since I found the OpenOffice.org quickstarter (hidden in the preferences under memory) I never went back. Loading times have decreased a lot (sometimes it even loads instantaneously). Sure it takes more memory while my system is idle but I've never run out before...

Re:The Reality Is...

[Anonymous MadCoe]

That office suites alwais will have security flaws as long as they are feature driven (which is what the current user seems to like). Almost any piece of software that is driven by features and functionality becomes unreliable and insecury in time.

Can we stop complaining about MS Office now? Can we all get back to reality and go to work?

What makes them think MS Office isn't vulnerable?

[foreverdisillusioned]

I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.

I fail to see how this is a black mark against OpenOffice.org.

Re:What makes them think MS Office isn't vulnerabl

[NihilEst]

I fail to see how this is a black mark against OpenOffice.org.

I don't either. But you know that if MS (or its shills) can make it appear so, they will.

The goal isn't to be better, it's to be good

[tfried]

I fail to see how this is a black mark against OpenOffice.org

I don't think that's (neccessarily) the point. Whatever MS does about their Office security flaws does not really concern me any longer. There's almost nothing that could ever make me use MS Office again. But so what. The point isn't which suite is better, the point is: OpenOffice.org still has flaws, and those should be fixed. In this context the statement "The [other flaws] are theoretical" does not make me feel good. I want even theoretical

Re:What makes them think MS Office isn't vulnerabl

[miro f]

I suppose you can guard against it, in the sense of "never open a document from anybody you don't trust". Of course, if that advice were offered as a solution to similar problems with a MSFT product, the person offering it would rightly be laughed out of the room.

Funny, I've heard that advice many times and never any laughing. This is the kind of advice you follow for everything when working in windows. Don't open a document from someone you don't trust, don't go to a website you don't trust, don't open an

Re:What makes them think MS Office isn't vulnerabl

[miro f]

If so, you are either an incredible exception or an outight liar. In fact, I'll bet you open documents (PDFs, images, movies) from untrusted sources regularly today.

of course I have. I do this at my own risk. Yes the risk is low, but there (rememer the WMF exploit doing the rounds). Let's not mention all the picture.jpeg.exe files. Obviously if you know something about computers most of these problems can be easily avoided, but for many it's difficult. As for word documents, I have never opened one from an

MMKay.. Interesting, but..

[wwiiol_toofless]

OpenOffice.org is FREE! FREE I tell you! Given the choice between a known-to-be-vulnerable $200 suite and a hypothetically-vulnerable Freeware suite, I'll take the latter. The day I discovered OO still ranks in the top 10 of my favorite computing moments of my life.

Top 10

[neonprimetime]

The day I discovered OO still ranks in the top 10 of my favorite computing moments of my life.

1. Day I discovered OO
2. Day I discovered Knoppix
3. Day I discovered Debian
4. Day I got streaming audio to work on Linux
5. Day I discovered what buffer overflows were
6. Day I discovered Opera (sweet! an alternative to IE)
7. Day I discovered Perl
8. Day I discovered Python
9. Day I discovered LAN parties
10. Day I discovered the Holy Handgrenade of Antioch in Worms

OO.org is vulnerable

[Elektroschock]

True. Guess the same applies to Abiword. But who will write an Abiword worm?

leaked MS Expense Report

[Gothmolly]

From: sballmer@microsoft.com
To: accounting@microsoft.com

Attached find my receipts for the recent meetings I had with the French Ministry of Defense:

First class plane ticket to Paris: 2100 USD
Swank hotel in Paris: 1800 USD
Dinner for 2 at a spiffy restaurant: 800 USD
Hookers and blow for MoD officials: 5000 USD

Business Justification For Expense: I believe that we will sell ONE MILLION copies of Office to the French MoD.

--Steve

PS If you get a bill from the hotel about a broken chair, it was like that when I got the room, so I don't think we should pay it. Bill said it would be OK.

Re:leaked MS Expense Report

[winkydink]

First class from SEA-CDG is closer to $10k.

I thought this was a MasterCard ad ...

[shis-ka-bob]

Sucessful FUD attack against an emerging competitor ... priceless

Gentle Reminder About the Ministry

[mpapet]

This is the MINISTRY OF DEFENSE where draconian access control and accounting should be routine.

It's very difficult to go from that environment back to the real world where security is measured by successfully implementing long passwords in a company.

Making the inductive(?) leap that OpenOffice.org is insecure is a really long leap of faith. Are there holes? Probably.

In many ways, this is good news because the open source application is being picked over with a fine tooth comb by a large ministry.

Bring it on!

The imporant news here

[andreMA]

... is that France has a Ministry of Defense.

Re:The imporant news here

[Harmonious Botch]

I disagree. The important news is that they have finally overestimated a threat.

Re:The imporant news here

[Guppy06]

They've done it before, though. Consider the Rainbow Warrior.

Re:The imporant news here

[boule75]

Well, we are happy not to have a "war [happy] president".

Well, frogs joke with the Belgians, I begin to get along with French jokes in the US. If only the related matters were not so deadly serious...

Re:Sick of this racist /meme

[Joey7F]

Of course it is. Israel is no longer protected. The real question is, is it acceptable to make fun of their neighbors who wish its destruction. Just thought I would add, the French are not a race. Believe me, take a trip through Paris and you will wonder if you are in Europe. I was the only white (read: person of Western European ancestry) person in Gare Du Nord at midnite a few months back.

--Joey

Re:The imporant news here

[DataCannibal]

Can't you keep up with the Republican kneejerk dance ?

The French are now goodies, on your side: they're helping out Condi with sorting out the mess in Lebanon and French Fries are back on the menu in the canteen on Capitol hill.

Insecure by association?

[quantaman]

My understanding is that a lot of the security problems in MS Office comes from bad design wrt things like macros which make it very hard to secure the system. If OpenOffice is working towards compatibility with MS Office they may be having to deal with the same types of security issues in trying to secure bad macros and such. Thus it makes sense that OpenOffice would be just as, or even more, insecure than OpenOffice, not only do they have many of the same classes of exploits, but they also have greater pressure to rush these features out (for compatibility reasons) and up till now haven't had the motivation of attackers actively exploiting them to force them to spend the necessary time on security.

OPDs and Latex

[MarkWatson]

Well, be careful of Other People's Documents (OPDs)!

I always turn off any live macro support in OpenOffice.org and Microsoft Word, and hope that is good enough security. I also tend to open Word .doc files I receive from other people in OpenOffice.org.

A little off topic, but I have been blogging about this lately: whether I am writing up short project documents or working on a for-fun book project (Ruby AI Programming), I find that just using Latex is much more productive for me. One reason is just seeing r

Re:OPDs and Latex

[iabervon]

The main problem with LaTeX is that, if you use it for much of anything, you'll never have the patience to deal with a word processor again, and will therefore be unable to work with businesspeople on documents. And you'll be forever annoyed by the minor formatting flaws in everybody else's documents, like when paragraphs spanning page breaks have a single line on one of the pages.

Re:OPDs and Latex

[MarkWatson]

Too late - I am already spoiled by Latex.

I tried to get the publisher of my last book to accept Latex, but they said no.

Re:OPDs and Latex

[whitehatlurker]

This is interesting in that the slide show referenced by TFA was produced with LaTeX and dvips - on the 4 of June, 2006. News for nerds is a bit behind ...

CVE-2006-2198

[tetromino]

I think that the flaw they are talking about is CVE-2006-2198 [mitre.org], which was fixed in OOo-2.0.3. It was pretty nasty, executes arbitray macro without alerting or prompting the user. However, given that the mistake was already found and fixed, what else does the French Ministry of Defence have to complain about?

Re:CVE-2006-2198

[truthsearch]

I submitted this story to /. a month ago and it was rejected. Back then the MoD stated they were already working with the OpenOffice.org developers to have the appropriate changes made. Apparently it's been completed within the last one or two months. This is old news (by internet standards).

Microsoft or Sun?

[Rudolf]

From the summary: ...vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version

Microsoft has a version of OpenOffice? Isn't OpenOffice's closed version StarOffice, which is owned by Sun, not MS?

The actual problem is DicOOo

[Animats]

Here's the attack:

Installation d'une fonction offensive C dans la macro DicOOo.
La fonction C est exécutée à l'installation de DicOOo.

"DicOOo" is an installer for dictionaries into OpenOffice. Unfortunately, it seems to have too much power, and can be replaced or induced to install other things. This is an add-on to OpenOffice, and apparently an unsafe one.

Maybe we need to take a step back...

[Harker]

a decade or more, at least.

How about we stop writing word processors and spreadsheets that are capable of running code (other than its own)?

I remember back when I was big on a certain usenet news group, we had a discussion about an email virus. The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer, and possibly to your girlfriend/wife/sister/etc. The entire thing was a hoax that preyed on ignorant computer users, and urged them to spread the word.

My argument at the time was basically that an email client could not, or should not execute the text within the email itself, and any client that did, shouldn't be used.

Now I use Outlook on a daily basis, and guess what?

So, let's take a step back to simpler, less efficient applications. Get rid of what causes the vulnerabilities in the first place.

Now where did this box come from?

H.

Re:Maybe we need to take a step back...

[whitehatlurker]

The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer,

That would be the Good Times [ciac.org] virus. (Warning: don't click on that ... ooooh too late.)

Re:Maybe we need to take a step back...

[Harker]

Yup, that's the one.

H.

Alternatives

[Doc Ruby]

How secure is MS software that responds to vulnerability discoveries by ignoring them or lying about them, fixing them after months or even several versions (years) later? Because users have to rely on MS to fix them.

Compared to OO.o, which anyone can fix, even the French government itself, but which does fix bugs quickly.

The only problem with open office is

[popsicle67]

It doesn't have a sales staff that can kiss a ministers ass.

8 steps to improve oo.org security

[paj1234]

1) Click Tools menu.
2) Click Options.
3) On the left side, click the Security category.
4) Under "OpenOffice.org Basic Script", set "Run macro" to "Never".
5) Under "Hyperlinks", set "Open hyperlinks" to "Never".
6) Under "Java", untick "Enable".
7) Under "Enable", untick "Plug-ins" and untick "Applets".
8) Click OK.

OpenOffice.org will now be configured for best security. Some functionality will not be available. Depending upon your system, you may need to repeat these steps for each user account.

Just Turn Macros Off

[xdxfp]

Why does MS Office have all these fancy features that only a few people use, yet they open up a world of vulnerabilities? I use MS Excel to write a spreadsheet with some basic formulas, and MS Word to write documents that I could just have easily written in WordPad (minus the spell check). Turn off macros by default, and have a generic "you're running a macro and this is unsafe" popup (which I beleive they already do). If the user clicks yes unwittingly, then they're probably too stupid to read the dialog asking them about the signature, and they're screwed anyhow.

Re:Which Open Office?

[jtev]

What, The, Fuck? It's only a Microsoft App if Microsoft develops it. There may be a few bugs inherent in the operating system, but that is true with all operating systems. You cannot blame Microsoft for any bug that is not inherent in a product or API they developed. That'd be like blaming Linus for bugs in some newbie's "Hello World!" program. The bugs in firefox you're talking about were an API bug. But, nobody wants to write their own API to do every single function in a program. Especialy when th

Theoretical means

[einhverfr]

problem spots you ought to address. These may be areas that need some additional checking etc. but they are not yet practical exploits. They may however be whole classes of exploits in the future.

One can never get rid of all theoretical exploits. What one can do is prevent them from being practical to exploit in general by adding additional checks and countermeasures.

Re:What a productive attitude

[shis-ka-bob]

I almost completely agree with you - but I still like some of the 'funny' posts, cheap shots can still be fun;-) More productively, this incident should be part of a larger story about how open source works better than closed source. A government agency does a serious investigation (using the open source) and finds one explitable flaw and outlines other possible, as yet unrealized, attacks (hence 'theoretical'). The actual attack is fixed and the theoretical attacks are being investgated by the developer

Re:Office's APIs

[AJWM]

Otherwise, I really don't see the point of these APIs.

You're not viewing it from the right perspective. You're looking at it like a non-MSFT developer, or any otherwise sane individual. You have to look at it from Microsoft's perspective, and then it becomes obvious: the point is to sell more Microsoft software.

Libraries should be pulled, if anything... and those libraries should be distributable with whatever is developed with them

Not the Microsoft Way. If the (potential) users of this app need the lib