OpenOffice.org has been increasing in both popularity and visibility over the past several months. Version 2.0 has added a number of new features to bring it closer to feature parity with Microsoft Office, and it also offers full support for the Open Document format. However, a report just released by the French Ministry of Defense says that it still falls short of Microsoft’s office suite in one important area: security.
…as OpenOffice is open-source, the French Ministry of Defense can actually do something about it.
I sure hope more governments and companies contribute to and test OpenOffice, so we can bring it to MS Office level, and beyond.
Yup, the French Ministry of Defense has a team of oss programmers just waiting around to fix insecure software that they may choose to use.
That makes tonnes of sense!
In fact, whenever my girlfriend has a problem with software, I just bring in my team of crack oss programmers to get the job done. And since they’re oss programmers, they work for free, eat my old pizza crusts and live in my closet, right?
enough sarcasm
Not everybody/organization has a team of programmers, or even one.
you don’t think the french national ministry of defence (one of the world’s nuclear powers) has an IT staff, complete with full time devs to work on internal projects?
and as you really should know by now, OSS doesn’t mean unpaid. open source is methodology, not a price tag, something the big boys in IT have realized for some time now.
you don’t think the french national ministry of defence (one of the world’s nuclear powers) has an IT staff, complete with full time devs to work on internal projects?
I’m sure nobody denies the French Ministry of Defense has an internal IT staff (as of course does any organization with enough resources).
The point is, having developers devoted to in-house development and deployment of SW projects does not *automatically* mean they should be expected to be able to fix bugs and problems in a program that somebody else has written and their organization has adopted for the sake of saving some money (and especially OOo, which is not the best example of a “simple” and affordable code base – that is, not really one a developer can contribute to without specific knowledge and acquaintance as to how OOo itself is architected).
Although, I’m nearly positive that for the price it would cost to license all the copies of MS Office that they will need to buy (governments are sorta large, after all) – and then all the costs to upgrade those same copies every few years, etc… – they could just as easily pay someone to fix the issues with OpenOffice.org.
It is about TCO after all, right? The longer they use OpenOffice.org, the more they save. The longer they use MS Office… well…
that they could just as easily pay someone to fix the issues with OpenOffice.org
Indeed.
and especially OOo, which is not the best example of a “simple” and affordable code base
So this “someone” they pay could be the OOo project itself: the devs there have all the expertise required and are motivated enough to squash the bugs. For the government, making a donation to the project will be way cheaper than paying licensing fees to MS.
I really don’t understand the comments about a complicated code base and a steep learning curve for joining in. They are all true, but miss the point that there are already people who do not suffer from this disadvantage: the people who make the product.
I work for a US Air Force program full of SW devs that are responsible for coding applications that track over a billion dollars in gov’t assets. I cannot tell you how pissed the program office would be if their devs had to stop working on their primary jobs to bug fix a word processor. “you can just fix it yourself!” is one of the worst reasons I hear for using open source.
…problems are conceptual, rather than due to sloppy coding. “We did not exploit security holes,” he said.
So… problem still remains between chair and keyboard;)
The important thing is that the French Ministry of Defense will be presenting their findings to OpenOffice.org, who, I am sure, will move to correct whatever problems were found. This is the way OSS works; bugs/problems are reported and corrected. Proprietary software vendors aren’t always so responsive.
…In other news the French Ministry expressed concerns they were not able to evaluate competing software by Microsoft due to a lack of available source code to audit…
Sometimes the most important factor to consider may be the devil you know and can prepare for. How many vulnerabilities exist in Microsoft Office none of us are aware of except perhaps those about to exploit them? At least with Open Office if they so choose their IT team can work around any vulnerabilities until they can be fixed; with Microsoft you and everyone else has to wait first for the security to be compromised and then for Microsoft to decide whether or not it is worth their time to fix the issue, and even then once the fix is ready, for Microsoft to release the damn thing…
–bornagainpenguin
…In other news the French Ministry expressed concerns they were not able to evaluate competing software by Microsoft due to a lack of available source code to audit…
I’d like to see a source for this claim. Or were you just spreading FUD?
Original article: http://www.zdnet.fr/actualites/informatique/0,39040745,39362096,00…. (French)
Instead, they did say this (transliteration): “We can confirm that OpenOffice seems more dangerous than its commercial equivalent published by Microsoft.” The researchers did test both products. They did not find the vulnerabilities in OpenOffice by looking at the source code; instead, they found the vulnerabilities by trying exploits on the compiled binaries, just as they did with Microsoft Office.
Sorry, not an attempt at FUD, just trying to point out here that the availability of the source code would seem to make investigating OO.o a bit easier than trying the same tests against the black box Microsoft Office is… Some of the ‘security’ of Microsoft Office may only be an illusion due to no one being able to completely and independently audit that code base as they did with OpenOffice.org. We may never know…
–bornagainpenguin
just trying to point out here that the availability of the source code would seem to make investigating OO.o a bit easier than trying the same tests against the black box Microsoft Office is…
Bear in mind that the MoD’s testing used a black box approach for both MS Office and OpenOffice.org.
Considering governments and other organizations can license the source code to windows, under MS’s “Shared Source” program, your statement is nothing but FUD, but thanks for coming out
Sure…but are they fixing the same bug as the other governments and organizations? Does the shared source get shared with anyone besides Microsoft?
–bornagainpenguin
OO hasn’t been subjected (in my opinion) to the kind of scrutiny that MS Office has. The only thing that you seem to hear about in reviews is whether it has a particular feature or not, not whether it’s secure. Some of these problems reported by the French Ministry are pretty darn fundamental (macro execution viruses?!? give me a break?!?). It’s simply going to take the OO team a little longer to close their holes.
The only thing that you seem to hear about in reviews is whether it has a particular feature or not, not whether it’s secure.
True enough, I have seen the same unfortunate trend. However, given that the code (messy though it is alleged to be) is available for perusal, I imagine they’ll clear many of these holes up in a surprisingly short amount of time. Then again, at least one of these security issues seems less a security issue than a common sense one IMHO… The lack of a macro warning seems to be more a user-friendliness thing than anything else.
The thing I’m most curious about is how ‘all’ this is known given the report is “classified” by the French Government, and I find myself curious as to who benefits from this leak – especially as the report is classified, so there seems little way in which anything can be verified or refuted…
–bornagainpenguin
I think that the fact that OO hasn’t been subjected to the eyes of crackers (I won’t call them hackers, ’cause they’re not) is actually where most of the conceptualization of security around OSS arises. Yes, Linux and Apache are used in most webservers, which is why the Linux kernel and Apache are relatively secure.
However, it’s generally not the core of Windows that causes the security problems. It’s the decisions of integration, and the poor coding in IE, that cause most of Windows’ problems. With Linux, well, role/account based security settings could mitigate a lot, but it doesn’t prevent security problems. In the end, when Linux becomes an attractive target for malware/adware/etc. (and it will), it’ll be the end-user programs that are the problem. Because they DON’T see the massive auditing that the kernel, Firefox, etc. get.
You might think macro execution is a fundamental problem, but at the same time it’s an OBVIOUS problem. OO might be copying off of Office to reach feature parity, but why did it copy the same obvious problem, without the follow-up warning dialogues or even present solutions?
I know, I’m rambling.
One of the most common misconceptions about OSS is that if there is a bug or security vulnerability in the software, the user can just dive into the sources and fix it. This is definitely not the case of the average user. I, for example, am far too dumb to understand somebody’s complex source code, much less fix the problem. I’m totally at the mercy of the OSS developers, who, fortunately for people like me, are generally much better programmers than myself. 🙂
maybe not you or me, but someone can, and have done in the past.
Some time ago there was a guy working on porting an audio program from Amiga to Linux, and for some reason the way the program used the RAM of the system triggered a bug in the kernel.
He reported it on the proper channels, people started to look into it, and he himself posted a temporary fix later on.
the main thing about OSS and free software is that one is not at the mercy of the corporation that made the program.
Just look at the recent announcement that Win98/ME bug fixes will no longer be made by Microsoft. This would not be so bad if someone else could pick up where Microsoft left off, but no one can.
Actually, the French Government makes a strong point here. Microsoft lately has had an extreme push towards security, for good reason. Businesses and consumers are sick of virus, trojan, malware, and adware infestations. Windows, Office, etc. now bitch and complain constantly about how your actions can affect you. Which is good, because the end user still remains, to put it harshly, retarded when it comes to system security. The problem ISN’T just Microsoft’s.
However, despite some people’s preconceived notions that Open Source is more secure (it’s really relative), the fact of the matter is that Open Source ASSUMES it. I know I’m generalizing but bear with me. This article about OpenOffice raises a strong point. There’s no real warning saying “Hey, this might be a bad idea.” Now, to people who read this site, or various other tech sites, running a macro without some thought or examination is an obvious no-no; to the lay person? Not so much.
Linux/Solaris/*BSD/OpenSource-whatever might be (I lean neither way since everything I’ve seen so far has had an obvious bias) more secure because of the ability to do code audits by anyone, but that doesn’t mean you can take it for granted. Even declared user roles don’t prevent extreme damage to the USER’S information, which in most laymen’s respects is just as important as the system.
Does your grandmother back up her data? Unlikely. Just as Microsoft now makes warnings for everything, Open Source must also create warnings, and hold the hand of those who DON’T know, or are too lazy to find out, what their actions might cause.
Btw, I run Linux and OSX as daily desktops at home, and run Windows and Linux at work. They all have good points, and they all suck in other areas.
Excellent post! I agree!
However, despite some people’s preconceived notions that Open Source is more secure
That’s not preconceived notions but just facts. The bias came after people realised Open Source (but mostly Free Software) based OSes were more secure despite the big number of them deployed by amateurs.
the fact of the matter is that Open Source ASSUMES it
The fact of the matter is that YOU assume that OOo is the same kind of beast as most Open Source (and Free Software).
The truth is that it isn’t. Most things we call Open Source are developed like that from the beginning. This is NOT the case for OOo or even the Gecko engine.
These were closed apps before, and it seems it makes a BIG difference.
I know I’m generalizing but bear with me
I rather think you’re misleading.
Linux/Solaris/*BSD/OpenSource-whatever might be more secure because of the ability to do code audits by anyone, but that doesn’t mean you can take it for granted
Of course not, that’s just NOT what happened. There’s a name for people trying to deny reality by giving people wrong logic and showing it’s wrong…
Even declared user roles don’t prevent extreme damage to the USER’S information, which in most laymen’s respects is just as important as the system
This is BS! You’re not talking security here. Making backups is not for security. A hard drive crash can destroy your system AND your users’ data. That does not make it a security problem. Good security won’t assure you that your hard drive won’t crash.
Does your grandmother back up her data? Unlikely. Just as Microsoft now makes warnings for everything, Open Source must also create warnings, and hold the hand of those who DON’T know, or are too lazy to find out, what their actions might cause
Thanks for the advice. You’re a bit late, it does already. We have even passed this stage, as people already reacted to the big dialogs in KDE for example.
The macro problem was a bug that is already corrected in OOo 2.0.3. However, this was not one of the conceptual problems highlighted by the study, but the general said OOo at least goes in the right direction. These problems are harder to solve; the patches will be way bigger.
They all have good points, and they all suck in other areas
If you say so. I’ll be honest, I don’t see one sucking point in my Linux at home; it fulfills all my needs. Well, some things are missing, but in this case these are external entities that suck, not my Linux systems. For example, when a new app is not available for my Linux system, or an IHV does not supply a driver, I have a hard time thinking that’s because my OS sucks; I just think that’s because the app vendor or IHV sucks.
The fact of the matter is that YOU assume that OOo is the same kind of beast as most Open Source (and Free Software).
The truth is that it isn’t. Most things we call Open Source are developed like that from the beginning. This is NOT the case for OOo or even the Gecko engine.
These were closed apps before, and it seems it makes a BIG difference.
Although you are right about OpenOffice, you are wrong about Gecko. The Gecko engine was recreated from scratch and the old Netscape code was ditched in 1999, one year after the Mozilla project was launched, and it has therefore been open-source code from the start.
AFAIK, there is less than 1% legacy Netscape code in the current Mozilla source code and this code is, surprise, mainly in the NSS (Network Security Services) libraries.
Security is a process and I agree with you that Opensource is inherently a better approach to security in the long term, but it doesn’t mean closed-source software can’t produce quality code security-wise (like netscape’s Security libraries).
…for OpenOffice.
OpenOffice has only recently made the change from binary to open-source. It has a very large codebase.
It’s only recently, IMO, become functional enough. It’s been reported that malware attacks on Office are becoming more common.
If the French government has thought enough to run tests of the security, and, as the French article suggests, is prepared to co-operate with OpenOffice, I can only see a more secure office.
The only thing that concerns me is that this task seems to have taken a year. Apart from that, several releases have taken place in that time. Improving security throughout that time would surely have been beneficial to everyone.
Lt Col Eric Filiol commented on the readers’ posts on the original article and made a few important points:
– the vulnerabilities detected still impact 2.0.3
– it doesn’t in any way rule out OOo as an option for the French administration
– they are in contact with the OOo team and will help them fix vulnerabilities in OpenOffice every time the OpenOffice developers ask them for help to secure the product!!
Which is fantastic since (I googled a bit) this military guy is a world expert in computer security.
So on the short term it is bad news to learn that Oo isn’t secure, but on the long term it is good to know that security experts are directly collaborating with the project.
so just like when linux got a NSA developed security addon (SElinux), openoffice will get help to become more secure from the french military (and please, no comments about the quality of the french military).
One has to wonder if they have exposed a weakness in OpenOffice or just another security flaw in the operating system they were testing on. Does OO behave the same when run on Linux, OSX, eCS, BSD, Solaris or VMS?
I’d like to hear feedback in a few months from Oo about that and see if they have been given all details about those security issues.
Communication is not always a field military forces shine (not talking about stuff seen on TV but ‘real’ communication lol).
@hobgobelin : afaik political debates have nothing to do here and comments about french, US or whatever military forces usually only get people kinda crazy.
I use `vi` and it serves me well.
Would you also happen to have a beard and a framed poster of “See figure one?”
No beard. But I wear red suspenders and will give you a dime as a collection to purchase a real computer using a real operating system.
Simply saying that because there is no warning that a macro can cause problems it is less secure is simply wrong. To evaluate the security you must look at the underlying OS and the application together. The fact is macros would be limited in their scope due to Linux’s permission model. Since currently with XP most users run with administrator rights, a macro can be much more destructive. I don’t think a macro that wipes your home directory/My Documents can be equally compared to one that could wipe your hard drive and OS.
(Yes, I know changes are coming with LUA in Vista)
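The post above argues that the reach of a macro depends on the privileges of the account running the office suite, not only on whether a warning dialog appears. The following is an added example, not code from the thread, from OpenOffice.org or from Microsoft: it models the standard Unix discretionary access control write check (owner, group, other; superuser bypasses the mode bits) over a small constructed filesystem snapshot, and compares the set of files a macro-driven write could reach as an ordinary user with the set it could reach under an administrator identity. Paths, uids and mode bits are all constructed for illustration; ACLs, capabilities and per-directory delete semantics are deliberately left out of the model.

```python
"""Added example: a model of the Unix DAC write check, used to compare the
blast radius of a macro running as an unprivileged user vs. as an admin.
All file metadata below is constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Process:
    uid: int
    gids: FrozenSet[int]
    superuser: bool = False  # uid 0 on Unix; comparable to an admin token on XP


@dataclass(frozen=True)
class FileMeta:
    owner: int
    group: int
    mode: int  # permission bits, e.g. 0o644


W_USER, W_GROUP, W_OTHER = 0o200, 0o020, 0o002


def can_write(proc: Process, meta: FileMeta) -> bool:
    """Unix DAC write check: the superuser bypasses the mode bits; otherwise
    exactly one class (owner, then group, then other) is consulted."""
    if proc.superuser:
        return True
    if proc.uid == meta.owner:
        return bool(meta.mode & W_USER)
    if meta.group in proc.gids:
        return bool(meta.mode & W_GROUP)
    return bool(meta.mode & W_OTHER)


# Constructed snapshot: uid/gid 0 = root, 1000 = alice, 1001 = bob.
FS: Dict[str, FileMeta] = {
    "/home/alice/thesis.odt":       FileMeta(owner=1000, group=1000, mode=0o644),
    "/home/alice/.bashrc":          FileMeta(owner=1000, group=1000, mode=0o644),
    "/home/alice/shared/notes.odt": FileMeta(owner=1000, group=1000, mode=0o664),
    "/etc/passwd":                  FileMeta(owner=0,    group=0,    mode=0o644),
    "/usr/bin/soffice":             FileMeta(owner=0,    group=0,    mode=0o755),
    "/boot/vmlinuz":                FileMeta(owner=0,    group=0,    mode=0o644),
    "/tmp/shared-notes.txt":        FileMeta(owner=1001, group=1001, mode=0o666),
}


def blast_radius(proc: Process, fs: Dict[str, FileMeta] = FS) -> List[str]:
    """Files a macro running under this identity could overwrite."""
    return sorted(path for path, meta in fs.items() if can_write(proc, meta))


# Same human, two privilege levels: the point of the comparison.
ALICE = Process(uid=1000, gids=frozenset({1000}))
ALICE_AS_ADMIN = Process(uid=1000, gids=frozenset({1000}), superuser=True)
BOB = Process(uid=1001, gids=frozenset({1001, 1000}))  # member of alice's group


def compare() -> Dict[str, List[str]]:
    """Reachable files per identity; admin reaches the whole snapshot."""
    return {
        "user": blast_radius(ALICE),
        "admin": blast_radius(ALICE_AS_ADMIN),
    }


if __name__ == "__main__":
    for label, paths in compare().items():
        print(f"{label:5}: {len(paths)} writable -> {paths}")
```

Running the block shows the unprivileged identity confined to its own home directory plus world- and group-writable files, while the admin identity reaches `/etc/passwd`, `/usr/bin/soffice` and `/boot/vmlinuz` as well; that difference, not the presence of a dialog, is what the post is pointing at.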
In this study OO is compared to MS Office, so I take it that this test was done on Windows. Given that Windows XP was designed by people who thought security was installing a virus protection program, my question is…
Since I use OO on Linux – just how many of the security problems affect me?
Would I be more secure using XP and MS office than using OO on Linux?
Maybe what is happening is that the security holes exist because OO is worked on by people that are paid by Sun Micro systems, Red Hat, and IBM. All primarily “nix” shops.
security?
In case you haven’t followed the news for the last several years: exploiting windows with office happens *all the time* I think there was some new powerpoint exploit discovered yesterday.
Is the entire BFD about OO not warning before running a macro?
Maybe it’s just me, but the constant stream of warnings I get from Windows is annoying and pointless; after a while I just routinely hit the “okay” button every time.