Linked by Thom Holwerda on Tue 15th Aug 2006 18:12 UTC
Features, Office OpenOffice.org has hit back at claims that the alternative office applications suite is riddled with security holes. Researchers at the French Ministry of Defense say that OpenOffice is subject to security weaknesses that make it at least as susceptible to computer viruses as the commercial, more widely used, Microsoft Office.
friggin obvious
by SlackerJack on Tue 15th Aug 2006 19:02 UTC
SlackerJack
Member since:
2005-11-12

OpenOffice gets features which people have been asking for and now they say it's got security flaws? Give me a break, this is just junk talk.

So how can OO.o get features MS Office has without virus threats, see where I'm going here? Any dumb idiot can say .doc format is a security risk from viruses and because OO.o supports that format so is it, I mean WTF!

Reply Score: 2

RE: friggin obvious
by ma_d on Tue 15th Aug 2006 19:10 UTC in reply to "friggin obvious"
ma_d Member since:
2005-06-29

Whoa now, slow down there. Most of the worst security flaws haven't been design errors but implementation errors, and that's why they can be fixed without major disruption, usually. However, there may be design errors making it more difficult to keep things secure.

Also, .doc has historically been a binary format because it's quick and easy to save and restore data this way: Meaning there's not a lot of checking going on. OOo is written to work on multiple platforms and it's in a different language: That means they're processing those binary formats which means they should be validating them (not that Microsoft isn't validating them these days).

But I still hold to the opinion that there's only one application on MS Office where security is a prime concern: Outlook. If you're opening Word documents from completely untrusted sources then you deserve a virus ;) .

And if you're publishing Word documents no one should be reading what you've published either...

Reply Score: 2

RE[2]: friggin obvious
by DrillSgt on Tue 15th Aug 2006 21:19 UTC in reply to "RE: friggin obvious"
DrillSgt Member since:
2005-12-02

"And if you're publishing Word documents no one should be reading what you've published either..."

Yep, that's right. You wouldn't want your customers to be able to communicate with you now, that might be good for business ;)

Yeah, I know... a little smart comment there, but unfortunately true. Most use MS Office since it is the accepted business standard, like it or not.

As for security flaws, MS Outlook is very secure, it is the users that insist on clicking "OK" to allow things to run that are the security problem, not the application. Outlook does not even allow attachments by default anymore without registry hacks, and it most certainly does not automatically run any scripts. Do not confuse Outlook and Outlook Express... two different products.

Reply Score: 3

RE[3]: friggin obvious
by ma_d on Tue 15th Aug 2006 21:48 UTC in reply to "RE[2]: friggin obvious"
ma_d Member since:
2005-06-29

It's an editing format, not a publishing format... It's just not made for publishing, it's far too feature rich.

Use it internally all you want, but you shouldn't expect people who don't trust you to open your .doc.

As of Office 12 Microsoft will be providing them a fully working export format: PDF. Before they could have used rich text, or HTML, or some other format (like PostScript).

Reply Score: 3

RE[4]: friggin obvious
by DrillSgt on Tue 15th Aug 2006 22:00 UTC in reply to "RE[3]: friggin obvious"
DrillSgt Member since:
2005-12-02

"It's an editing format, not a publishing format... It's just not made for publishing, it's far too feature rich.

Use it internally all you want, but you shouldn't expect people who don't trust you to open your .doc.

As of Office 12 Microsoft will be providing them a fully working export format: PDF. Before they could have used rich text, or HTML, or some other format (like PostScript)."

In actuality I totally agree. The problem is users do not understand all this. It is the same reason HR departments request resumes in "Microsoft DOC format". Send one in PDF or any other and the resume will get trashed and never read. Not as bad as it used to be, but it has hurt me in my job hunts before.

Reply Score: 1

RE[4]: friggin obvious
by MattK on Wed 16th Aug 2006 16:13 UTC in reply to "RE[3]: friggin obvious"
MattK Member since:
2005-11-14

I agree. When sending documents to clients, I always prefer to use PDF for several reasons:

1. Read-only format. Don't want clients changing terms of contract, invoice numbers etc.
2. Highly accessible. Works on virtually any system. Readers are free and highly pervasive.
3. Size. PDFs are generally smaller than .doc
4. No virii worries!!

After all, PDF stands for Portable Document Format!

Reply Score: 1

RE[3]: friggin obvious
by alisonken1 on Tue 15th Aug 2006 23:26 UTC in reply to "RE[2]: friggin obvious"
alisonken1 Member since:
2006-03-20

"Yep, that's right. You wouldn't want your customers to be able to communicate with you now, that might be good for business ;)"

The only time a word processing document should be emailed is for collaboration. If you're sending something to a customer to just read, you should be sending in a final output format. That's why I prefer to send PDFs to my customers.

Not only that, but PDF is available for all platforms, not just MS platforms.

Reply Score: 1

RE[4]: friggin obvious
by DrillSgt on Tue 15th Aug 2006 23:33 UTC in reply to "RE[3]: friggin obvious"
DrillSgt Member since:
2005-12-02

"The only time a word processing document should be emailed is for collaboration. If you're sending something to a customer to just read, you should be sending in a final output format. That's why I prefer to send PDF's to my customers."

I agree. My point is that management at most companies don't agree, and MS Word Documents ARE the final output format. If that was not the case there would not be big discussions on compatibility of file formats, and it would be a non-issue.

Reply Score: 1

RE[3]: friggin obvious
by unoengborg on Tue 15th Aug 2006 23:28 UTC in reply to "RE[2]: friggin obvious"
unoengborg Member since:
2005-07-06

"As for security flaws, MS Outlook is very secure, it is the users that insist on clicking "OK" to allow things to run that are the security problem, not the application."

I beg to differ.

Security in an application is not only about how hard it is to break the code. It is also about how the user interacts with the application, or rather is allowed to interact with it.

To be secure, an application not only needs to have secure code, it also needs to be designed in a way that it doesn't encourage unsafe behavior among its users.

If you can click OK to initiate dangerous actions some users will do it, either because of lack of knowledge or because of convenience or laziness in combination with "This will not happen to me" thinking.

Reply Score: 2

RE[4]: friggin obvious
by DrillSgt on Tue 15th Aug 2006 23:38 UTC in reply to "RE[3]: friggin obvious"
DrillSgt Member since:
2005-12-02

"To be secure, an application not only needs to have secure code, it also needs to be designed in a way that it doesn't encourage unsafe behavior among its users."

I agree, but then every email client does that these days. They ask the user what they want to do with the file. So by your definition then almost all email clients are insecure. The only ones I know of that do not are the ones that no longer have a place in the business world, such as Pine and the like. All collaborative ones, which are required by business, such as Outlook, Evolution, Lotus Notes, etc. allow this type of activity. User training is what will increase security, as trying to make idiot-proof applications results in smarter idiots that figure out how to break it.

Reply Score: 2

RE[5]: friggin obvious
by Ookaze on Thu 17th Aug 2006 12:22 UTC in reply to "RE[4]: friggin obvious"
Ookaze Member since:
2005-11-14

"To be secure, an application not only needs to have secure code, it also needs to be designed in a way that it doesn't encourage unsafe behavior among its users."

"I agree, but then every email client does that these days"

No, that's completely false.

"They ask the user what they want to do with the file"

That's just not true at all. I only need to take Evolution to see you're wrong. Get a clue!
Evolution never asks you what to do with a file, it has a default action when you click on it, and allows choice of actions through a drop-down menu box.

"So by your definition then almost all email clients are insecure"

No, that's just by your clueless opinion. Most email clients are not so insecure, but Windows is a pretty badly insecure OS, that allows scripts to execute.
Evolution never allowed any script to execute by default.
What you say is just ignorant FUD to try to put Outlook in a better light. Yes Outlook, not even Outlook Express.

"The only ones I know of that do not are the ones that no longer have a place in the business world, such as Pine and the like. All collaborative ones, which are required by business, such as Outlook, Evolution, Lotus Notes, etc. allow this type of activity"

No, you only know of Pine and Outlook, and extrapolated to say they all are the same.

"User training is what will increase security, as trying to make idiot-proof applications results in smarter idiots that figure out how to break it"

Yes user training will increase security, but that's on the Windows platform you hear people say FOSS is too complicated because it requires some training.
So these people are happy to be ignorant, take it like a good thing, and all this comes from MS marketing making idiots believe Windows is easy.
I'm not saying people are idiots, that's actually Windows people (shills/zealots) that always use this term to describe Windows users, as soon as there is a problem in an MS application. They will never admit Windows or a Windows app is insecure or crap, no, that's always the user who is an idiot.
Sorry to tell you that on Linux, the very same user without training never catches any virus or script in his mail, using Evolution. And no, I never call Linux or FOSS users idiots.

Reply Score: 1

RE[6]: friggin obvious
by DrillSgt on Thu 17th Aug 2006 14:09 UTC in reply to "RE[5]: friggin obvious"
DrillSgt Member since:
2005-12-02

"That's just not true at all. I only need to take Evolution to see you're wrong. Get a clue!
Evolution never asks you what to do with a file, it has a default action when you click on it, and allows choice of actions through a drop-down menu box."

Just because it is not an "OK" button doesn't make it any different. I do have a clue thanks, and have used Evolution, quite extensively for a time. Before you flame get an idea. Having a drop-down of choices is the same thing, whether you want to admit it or not.

Actually the email clients I use regularly are Outlook, Evolution, KMail, Thunderbird, Mozilla, and Pine, as I support all of these. Outlook does not allow scripts to execute without intervention, if it does you have tweaked and broken it, as there are registry hacks that will allow that. You are correct that Linux users do not catch viruses from clicking something, however they do run scripts. Just because it has not been done, does not mean it can not. I have written a script that when run will hose a Linux machine, all the person has to do is enter the root password. Guess what, people will do it. I know Windows and some of its applications have all kinds of faults, which is the reason I have all the Windows machines locked down. I don't even let people install their own software, I have to do it. Luckily the company is small enough.

And thanks for basically calling me an idiot, since you of course don't call Linux users idiots...although you just did.

Reply Score: 1

RE[4]: friggin obvious
by MattK on Wed 16th Aug 2006 16:17 UTC in reply to "RE[3]: friggin obvious"
MattK Member since:
2005-11-14

Also, users will get used to clicking 'OK' for every document they open at work. Do you really think most users actually read those warning dialogs? I doubt it very much.

This is the same old MS way of increasing *perceived* security by making the user jump through more hoops. Trust me, those 'security' dialogs will be invisible to 99% of users in no time.

Reply Score: 1

And people wonder why...
by ma_d on Tue 15th Aug 2006 19:06 UTC
ma_d
Member since:
2005-06-29

They shouldn't publish things in these document formats: it's because the documents allow macros, which make them difficult to keep secure, regardless of who is shipping the tool.

Reply Score: 1

Did anybody read the article?
by NotParker on Tue 15th Aug 2006 19:10 UTC
NotParker
Member since:
2006-06-01

Did anybody read the original article?

http://arstechnica.com/news.ars/post/20060718-7288.html

"The classified report follows a one-year study by the Ministry comparing the popular open-source suite to its commercial competitor. During a demonstration for other parts of the French government on July 5, lab director Lt. Col. Eric Filiol showed off some malevolent code the Ministry had developed in order to discover the weak points of both office suites. The researchers found that OpenOffice.org was more susceptible to certain attacks, including those made via macros.

In some instances, malevolent macros were considered to be secure by the open-source package, and as a result, users were not informed when they were executed. This was in contrast to Office, which barrages users with warnings each time a document with macros is opened.

Lt. Col. Filiol notes that the problems are conceptual, rather than due to sloppy coding. "We did not exploit security holes," he said. Filiol thinks that OpenOffice.org's rush to achieve a level of features and functionality comparable to that of Microsoft Office has led it to neglect security issues."
Office 2003 makes it very hard to run macros.

OpenOffice makes it easier.

It has nothing to do with the document format.

Reply Score: 5
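The quoted findings turn on one concrete property of a document: whether it carries macro code at all. As an added example (not code from the article, OSNews, OpenOffice.org or Microsoft), the following Python script inspects zip-based office documents for embedded macros before anything opens them, the kind of check a mail gateway or desktop scanner can apply regardless of which suite would or would not prompt. It assumes ODF packages keep Basic macros under `Basic/` and scripting-framework scripts under `Scripts/`, and that OOXML packages keep VBA in `word/vbaProject.bin` (or the `xl/` and `ppt/` equivalents); legacy binary `.doc` files are OLE containers rather than zips and are reported as unknown, never as clean. All sample documents are constructed in memory.

```python
"""Flag zip-based office documents (ODF, OOXML) that carry embedded macro code.

Added example; not code from the page, OpenOffice.org or Microsoft.
Assumed layout: ODF stores Basic macros under "Basic/" and other scripts under
"Scripts/"; OOXML stores VBA as "word/vbaProject.bin" (or xl/, ppt/ variants).
Legacy .doc/.xls files are OLE compound files, not zips, and are out of scope.
"""
import io
import zipfile

# Zip member paths that indicate macro code is embedded in the document.
ODF_MACRO_PREFIXES = ("Basic/", "Scripts/")
OOXML_VBA_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def find_macro_members(data: bytes) -> list:
    """Return the zip member names that carry macro code, or [] if there are none.

    Raises ValueError when the bytes are not a zip container (e.g. a legacy
    binary .doc), so a caller never mistakes "could not parse" for "clean".
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a zip-based office document") from exc
    hits = []
    with zf:
        for name in zf.namelist():
            if name.startswith(ODF_MACRO_PREFIXES) or name in OOXML_VBA_NAMES:
                hits.append(name)
    return hits


def classify(data: bytes) -> str:
    """Map a document to a handling decision a gateway or scanner could act on."""
    try:
        hits = find_macro_members(data)
    except ValueError:
        return "unknown-format: inspect manually"
    return "contains-macros: quarantine or warn" if hits else "no-macros"


def build_sample(members: dict) -> bytes:
    """Build a minimal zip container with the given members (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean .odt, an .odt with a Basic module, a .docm with VBA,
# and a stand-in for a legacy OLE .doc (only the OLE magic bytes; not a real file).
CLEAN_ODT = build_sample({
    "mimetype": "application/vnd.oasis.opendocument.text",
    "content.xml": "<office:document-content/>",
})
MACRO_ODT = build_sample({
    "mimetype": "application/vnd.oasis.opendocument.text",
    "content.xml": "<office:document-content/>",
    "Basic/script-lc.xml": "<library:libraries/>",
    "Basic/Standard/Module1.xml": "<script:module/>",
})
MACRO_DOCM = build_sample({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder-vba-storage",
})
LEGACY_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 16

if __name__ == "__main__":
    samples = (("clean.odt", CLEAN_ODT), ("macro.odt", MACRO_ODT),
               ("macro.docm", MACRO_DOCM), ("legacy.doc", LEGACY_DOC))
    for label, doc in samples:
        print(f"{label}: {classify(doc)}")
```

The check is deliberately independent of the application's own prompting: whichever suite ends up opening the file, a document that contains a `Basic/` library or a `vbaProject.bin` part can be held or annotated before it reaches the user, which addresses the "users were not informed" failure the article describes without relying on a dialog the user has learned to click through.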

Ahem
by Sphinx on Tue 15th Aug 2006 19:51 UTC
Sphinx
Member since:
2005-07-09

I think the majority of security holes these days start out with good intentions as features that are later exploited.

Reply Score: 2

A problem of market share too
by flanque on Tue 15th Aug 2006 21:48 UTC
flanque
Member since:
2005-12-15

If we're talking about unknowing macro execution because the OO.o product doesn't prompt more exhaustively for confirmation, then that's a problem and needs to be addressed.

Aside from that, we have to consider the market share of these products. It's quite possible that the OO.o suite has numerous design issues that open up gaping security holes, but until the share of the market exists to warrant concern about mass "infection" it really isn't that big of an impact, at this stage.

I have to agree with the comment above though. It'd be my experience that the majority of infections and hacks on computers is more due to ignorance of users who find it acceptable to just click on whatever they please without actually being smart about it.

The "I didn't know" time has well and truly passed. There's no excuse for opening every damn attachment or script. It's been made well and truly obvious it's a huge risk.

I think it's time people started to be smart about computing and drop the ignorant, "shucks I'm just hopeless with computers" line.

Reply Score: 1

RE: A problem of market share too
by ma_d on Tue 15th Aug 2006 21:49 UTC in reply to "A problem of market share too"
ma_d Member since:
2005-06-29

Popularity comes faster than fixes: they should worry now.

Reply Score: 3

flanque Member since:
2005-12-15

From an engineering point of view I'd concede that they should be investigating the claims in depth. They seem to be at least opening communication lines up with the authors.

However, I really don't think that OO.o is going to rapidly become hugely popular, even over the next two years.

Also keep in mind the product will evolve and won't be tomorrow what it is today.

Reply Score: 1

PcGoober
Member since:
2006-03-03

for closed source software. "Hey, their stuff is just as bad as ours but we make you pay for ours, isn't that better?"

Give me a break.

Reply Score: 1

Havin_it Member since:
2006-03-10

No, it isn't. It is a study conducted by a government body to impartially compare threat levels in the two software suites. It is not an advert.

I'd add that the words you're putting into the closed-source vendor's mouth don't convey the study's findings accurately. How about: "their stuff is *worse* than ours..."? Now that could be called a selling-point.

Reply Score: 1

PDF is safe (maybe) ... the reader isn't!
by NotParker on Wed 16th Aug 2006 19:48 UTC
NotParker
Member since:
2006-06-01

http://www.adobe.com/support/techdocs/321644.html

"Products: Adobe Reader 5.1, 6.0-6.0.3, 7.0-7.0.2, Adobe Acrobat 5.0-5.0.5, 6.0-6.0.3, 7.0-7.0.2

Platform: Windows, Mac OS, Linux, Solaris

Vulnerability Identifier: CVE-2005-2470

Overview: Adobe has discovered a buffer overflow in Adobe Acrobat and Adobe Reader. This issue has been addressed and a product update is available to proactively mitigate potential malicious activity. Adobe always recommends that users keep their systems up to date and install the latest update of these applications.

Effect: If the vulnerability were successfully exploited, the application could crash with an increased risk of arbitrary code execution."

And there are a few others.

Reply Score: 1