
OpenOffice.org Security 'Insufficient'

CmdrTaco posted more than 7 years ago | from the taunting-crowds dept.


InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""


184 comments

"theoretical" (5, Insightful)

dmiller (581) | more than 7 years ago | (#15899395)

It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.

Re:"theoretical" (5, Informative)

morgan_greywolf (835522) | more than 7 years ago | (#15899478)

The PDF presentation that the group gave was en Français, but I got the gist. I'd post a translation, but my French is a little rusty. ;) Anyway, they seem to be saying that because OOo doesn't support authentication certificates for documents or macros, and because OOo has an API that allows you to program in several different languages (Python, VBScript, Perl, C++, etc.) and that OOo has no solid verifiable security model, that the suite is fundamentally insecure.

I can see where some of this gets dismissed as "theoretical" -- for instance, while OOo has such an API, this isn't any more secure or insecure than the fact that other applications, like MySQL, for instance, have a similarly flexible API. Ditto for Microsoft Office or any operating system.

The information on authentication certificates seems a little outdated -- OOo 2.0 supports digital signatures for documents and macros and even security settings that prevent macros from being run that are not signed. I think that as for a solid, verifiable security model, OOo 2.0 seems to have one based on digital signatures.

Re:"theoretical" (4, Informative)

Red Alastor (742410) | more than 7 years ago | (#15899572)

I speak French, let me translate.
  1. "Official" MS Office competitor.
  2. Share of the market rising.
  3. Cheap but...
  4. What about the real security of OpenOffice ?
  5. Viral analysis by proof of concept
  6. Numerous integrated programming languages : script shell, VBScript, Python, Perl, Asp, Java.
  7. Rich macro developing.
  8. Numerous existing hijackable execution points
  9. No protection mechanism for macros
  10. zip format makes virus penetration easy.
  11. Macro security is easy to bypass. "Trusted" folders are defined. Any macro placed in those folders is by definition, trusted.
  12. Document signatures do not really consider macros. Bypassing possibilities
  13. Macros can be linked to events or services.
  14. Other mechanisms : macro chaining, hypertext links, inter-application execution, OLE
  15. Many mechanisms are usable for an infection
  16. All viral techniques known for Microsoft Office can be translated under OpenOffice.org
  17. Every kind of infection is doable. (Infection and auto-reproduction)
  18. Globally, OpenOffice's suite is a bigger infection risk than Microsoft's suite.
  19. No real security concepts.
  20. Many functional viral roots were made as proof-of-concept
  21. Infection successful no matter the security setting of the user.
  22. Some senarii can act without alerting the user in any way (scenarii is a stupid plural in French too but they used it in the original)

Then they go on to explain (still in powerpoint bullets) that they managed to write a macro that sends an e-mail with an attached file which then executed C code which modified dicOOo.

And they conclude that infection risk under OOo is MAXIMAL and its use should be discouraged for security reasons.
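morgan_greywolf's point above (OOo 2.0 signs documents and macros, and can refuse unsigned macros) and translated points 9 to 12 (macros live in a zip package, and a document signature may not cover them) both come down to one question a defender can check mechanically: which macro-bearing parts of the package does the signature actually reference? The following is an added example, not code from the thread or from the OpenOffice.org project. It treats an ODF document as what it is, a zip archive, lists entries under the `Basic/` (StarBasic) and `Scripts/` (Python, JavaScript, BeanShell) directories, and compares each one against the `Reference` digests in `META-INF/documentsignatures.xml` or `META-INF/macrosignatures.xml`. Two simplifications are assumptions of this example: digests are computed over the raw stored bytes (real ODF signatures canonicalise XML parts first), and the `SignatureValue` and signer certificate are not verified, so this is a coverage triage, not a substitute for the suite's own signature check. The sample package, its module contents and the `added.py` script name are constructed here.

```python
# Added example, not code from the Slashdot thread or the OpenOffice.org project.
# Triage an ODF package (a zip archive) for macro-bearing parts and report which of
# them the document signature covers. The sample package below is constructed inline.
import base64
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ODF_SIG_NS = "urn:oasis:names:tc:opendocument:xmlns:digitalsignature:1.0"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
# Package directories that hold executable macro code in OpenOffice.org documents:
# Basic/ for StarBasic modules, Scripts/ for Python, JavaScript and BeanShell.
MACRO_PREFIXES = ("Basic/", "Scripts/")
SIGNATURE_FILES = ("META-INF/documentsignatures.xml", "META-INF/macrosignatures.xml")
DIGEST_ALGOS = {SHA256_URI: "sha256", "http://www.w3.org/2000/09/xmldsig#sha1": "sha1"}


def macro_parts(zf):
    """Package entries that live under a macro directory (directory entries excluded)."""
    return sorted(n for n in zf.namelist()
                  if n.startswith(MACRO_PREFIXES) and not n.endswith("/"))


def signed_references(zf):
    """Map every URI referenced from a signature file to (digest algorithm URI, base64 digest)."""
    refs = {}
    names = set(zf.namelist())
    for sig_name in SIGNATURE_FILES:
        if sig_name not in names:
            continue
        root = ET.fromstring(zf.read(sig_name))
        for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
            method = ref.find(f"{{{DSIG_NS}}}DigestMethod").get("Algorithm")
            digest = ref.find(f"{{{DSIG_NS}}}DigestValue").text.strip()
            refs[ref.get("URI")] = (method, digest)
    return refs


def check_macro_coverage(package_bytes):
    """Classify each macro part: 'covered' (referenced, digest matches the stored bytes),
    'tampered' (referenced, digest differs) or 'unsigned' (not referenced at all).
    Assumption of this example: digests are taken over raw stored bytes, and the
    SignatureValue itself is not verified here."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        refs = signed_references(zf)
        for part in macro_parts(zf):
            if part not in refs:
                report[part] = "unsigned"
                continue
            method, expected = refs[part]
            algo = DIGEST_ALGOS.get(method)
            if algo is None:
                report[part] = "unknown-digest"
                continue
            actual = base64.b64encode(hashlib.new(algo, zf.read(part)).digest()).decode()
            report[part] = "covered" if actual == expected else "tampered"
    return report


def all_macros_covered(report):
    """Policy helper: only allow macros when every macro part is signed and intact."""
    return bool(report) and all(v == "covered" for v in report.values())


def _digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_sample_package():
    """Constructed sample (not a real document): Module1 was signed and is intact,
    Module2 was signed but edited afterwards, and a Python script was added after signing."""
    signed_module2 = b"<script:module>Sub Main\nEnd Sub</script:module>"
    parts = {
        "content.xml": b"<office:document-content/>",
        "Basic/Standard/Module1.xml": b"<script:module>Sub Main\nEnd Sub</script:module>",
        "Basic/Standard/Module2.xml": b"<script:module>Sub Main\nMsgBox \"edited\"\nEnd Sub</script:module>",
        "Scripts/python/added.py": b"print('not covered by the signature')",
    }
    # The signature references content.xml, Module1 and the original Module2 only.
    signed = {"content.xml": parts["content.xml"],
              "Basic/Standard/Module1.xml": parts["Basic/Standard/Module1.xml"],
              "Basic/Standard/Module2.xml": signed_module2}
    refs = "".join(
        f'<Reference URI="{uri}"><DigestMethod Algorithm="{SHA256_URI}"/>'
        f'<DigestValue>{_digest_b64(data)}</DigestValue></Reference>'
        for uri, data in signed.items())
    sig_xml = (f'<document-signatures xmlns="{ODF_SIG_NS}"><Signature xmlns="{DSIG_NS}">'
               f'<SignedInfo>{refs}</SignedInfo><SignatureValue>PLACEHOLDER</SignatureValue>'
               f'</Signature></document-signatures>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the 'mimetype' entry first and stored uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        for name, data in parts.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/documentsignatures.xml", sig_xml)
    return buf.getvalue()


if __name__ == "__main__":
    report = check_macro_coverage(build_sample_package())
    for part, status in report.items():
        print(f"{status:10s} {part}")
    print("allow macros:", all_macros_covered(report))
```

Run against the constructed package, the report marks Module1 as covered, Module2 as tampered and the Python script as unsigned, so `all_macros_covered` returns False. The point for a "signed macros only" policy is the third case: a part that no signature references at all is invisible to a check that only validates the references present, which is exactly the gap the translated point 12 describes.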

Re:"theoretical" (4, Informative)

Red Alastor (742410) | more than 7 years ago | (#15899617)

I'm replying to my own post but the other was the translation and this is what I think of it. I think it's bullshit.

Point number 10, what the fuck? zip is just a compression format. Point number 11, trusted folders are defined by YOU. So most people don't even have them. But if it's convenient to you to define a folder where all macros are trusted, how is it different from accepting every macro while you open the document? It must be quite convenient for developers who want to test their macros. Most other points? Way too vague to mean anything. Besides, if the danger for an office suite which isn't really attacked right now is "maximal", how should we classify MS Office?

And their famous proof-of-concept... they won't even tell us how they got it to run. My guess is that they defined a trusted folder and put it in.

Until they reveal that, this document is worthless. Like that other proof-of-concept from I don't remember which AV vendor. Their macro (if you accepted it) would download a porn picture from the net and put it in the document. I guess it's much more dangerous than sending documents with the picture already in.

Re:"theoretical" (0)

Anonymous Coward | more than 7 years ago | (#15899628)

zip format makes virus penetration easy.

So, Word, with its undocumented format that third parties have great difficulty in writing and reading, is soooo much more secure.

Right.

Re:"theoretical" (3, Funny)

Anonymous Coward | more than 7 years ago | (#15899652)

No, no, no... if you can unzip faster, you can penetrate faster. And if you happen to have a virus...

Re:"theoretical" (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15900041)

>senarii

Where the FUCK do you people come up with this crap?

Do you sit around trying to see who can come up with the most idiotic perversion of the English language, or are you really that stupid?

Re:"theoretical" (1)

Red Alastor (742410) | more than 7 years ago | (#15900193)

I took this crap in the original document. Scenarii is as stupid in French as virii is in English so I left it intact.

Re:"theoretical" (3, Insightful)

colmore (56499) | more than 7 years ago | (#15899686)

Someone needs to explain this to me. Why do office suites need these features? For what are they used? I've never worked in a big office that actually uses the macro and scripting features of productivity software.

Can intra-office communication not be done via RTF? Why do we need document formats that rival PDF and layout-software fileformats in complexity?

It seems like you could avoid all of this using a smaller array of utilities and custom scripts for office productivity; it just strikes me as impossible to create a scriptable, monolithic document engine that won't have some sort of security hole on some platform. It seems like a cluster of smaller, more agile tools is the way to go.

Re:"theoretical" (4, Interesting)

TheRaven64 (641858) | more than 7 years ago | (#15899927)

I've never worked in a big office that actually uses the macro and scripting features of productivity software.

I worked for a little while for a (very large) organisation that made heavy use of scripting in Office. Every single type of document had an official corporate style. It had a (scripted) wizard that went through and added the sections you want, automatically filled in various bits of it, etc. After five minutes with the wizard you would have a multi-page skeleton document which would then just need text adding.

If I had been implementing the system from scratch, I would have made it intranet-based, with a TeX backend for generating PDFs, but they had an enormous amount invested in it, and a team working on updating and fixing the templates. It was sometimes a problem ensuring that you had the right version installed (which is why I would go for a client-server model), but even that could probably be fixed by scripting (simply have the wizard check it was the latest version and fetch / install it if not).

Re:"theoretical" (0)

Anonymous Coward | more than 7 years ago | (#15900237)

Some companies use office productivity software to produce reports. That in itself is not an issue since the company could generate reports as PDF, HTML, or any number of other formats. However, once a user had a report, they would frequently need to modify the report before sending it to a client. The company may also need to generate the report in real time on the client machine.

When dealing with reports, macros are a great place to store the code. You can create a very generic system to pull the data back from a stored procedure and pass it into a code template. If you need to change code for the template, you need only test and deploy a new template rather than an entire application.

Also, since the company already has licenses for the office software, they might as well reuse the license rather than purchase a license for a reporting system.

Re:"theoretical" (1, Informative)

portmapper (991533) | more than 7 years ago | (#15899480)

It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.

OpenOffice is quite buggy, as porting it to OpenBSD shows that OpenOffice has many stupid bugs [openbsd.org]

Re:"theoretical" (0, Offtopic)

Skater (41976) | more than 7 years ago | (#15900176)

Nothing like using the font "Comic Sans MS" to convey "BSD Is Great" to me. That seems like an especially bad travesty - I don't care for it when I see it in Windows, but using it in a BSD-related presentation has to be part of some diabolical scheme to discredit BSD.

Re:"theoretical" (1)

0racle (667029) | more than 7 years ago | (#15899501)

"It's only a theory."

Re:"theoretical" (1)

Sikmaz (686372) | more than 7 years ago | (#15899514)

The sentence above that also says:
"This suite is up to now still vulnerable to many potential malware attacks," they wrote. "The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software."

So the important issue was fixed and now they are discussing how to improve security overall, it sounds to me like they handled it perfectly.

Re:"theoretical" (2, Insightful)

Marcion (876801) | more than 7 years ago | (#15899724)

It seems to be OpenOffice on Windows. I have 64bit Linux, behind an SELinux-hardened firewall - nothing is able to exploit office software from over the network. I send out documents in PDF format. People likewise send me docs in PDF or text (or Word arrr). If I was sent an ODF then I would probably open it with Abiword, is the macro going to exploit that, what about Koffice?

Not being part of the software monoculture has enough security benefits that I doubt it would ever pay to attack us when there are enough Windows zombies out there to get first.

Petard needed for hoisting (0)

Anonymous Coward | more than 7 years ago | (#15899830)

In an amazing echo of the open source community's criticisms of Micro$loth for the past ten+ years, people ditching Open Office were noted as saying "it's too bad they didn't bother writing it securely the first time".

Re:"theoretical" (1)

miro f (944325) | more than 7 years ago | (#15899951)

the developers should be working to fix these and not issuing PR speak to cover them.


actually, I think the best option is to do both, and that is probably what the OO.o team are doing (at least, that's what I hope the OO.o team are doing.) Just because they're downplaying the importance of a security issue doesn't mean they're not fixing it.

Of course, it doesn't mean they are either

Re:"theoretical" (2, Informative)

mspohr (589790) | more than 7 years ago | (#15900172)

TFA said they were working to fix them in cooperation with French security experts. They were not "dismissed" but rather they have started to patch them.

pfft (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15899402)

May be vulnerable to viruses on Windows (probably Microsoft's fault), what about other operating systems? Excuse me if I'm wrong.

Thats a cool thing with open source (4, Insightful)

CrazyJim1 (809850) | more than 7 years ago | (#15899403)

If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.

Re:Thats a cool thing with open source (4, Insightful)

daniil (775990) | more than 7 years ago | (#15899458)

The cool thing about corporations is that it takes them longer to produce new bugs and set them loose in the wild.

Re:Thats a cool thing with open source (1)

Vexorian (959249) | more than 7 years ago | (#15899601)

That statement is certainly wrong to me, at least as a generalization, a great counter example would be microsoft.

Re:Thats a cool thing with open source (1)

Dorceon (928997) | more than 7 years ago | (#15899575)

Or they issue a hotfix that's automatically downloaded and installed.

Re:Thats a cool thing with open source (2, Insightful)

Pharmboy (216950) | more than 7 years ago | (#15899778)

Or they issue a hotfix that's automatically downloaded and installed.

You forgot to add " but often breaks some other piece of software."

The problem with Open Office (2, Informative)

theshowmecanuck (703852) | more than 7 years ago | (#15899632)

... is that when they do have a security 'fix', they force you to update by downloading the entire suite... they don't have differential patches. I personally get sick and tired of having to download around 100 MBytes of app, uninstall the original, and re-install the new. Granted on my Linux box the package updater will do all three, but the updater takes forever to download the files. Quite frankly it is a pain in the ass. Sometimes I delay installing an update because of it (sometimes quite a while). Other than OO, I really am pretty diligent about updating my systems, so I can imagine there are those who just won't bother updating OO at all. I would think this is especially for those who are still on dial-up where a 100 meg download can take many, many hours.

In my opinion, if they want to say they get fixes out quickly, I can call bullshit. Just because you have the code complete doesn't mean the fix is complete. It still needs to be distributed to all the installations. If this is not done because the process is so onerous, then you can't say the fix is released faster than M$. As much as I dislike monopolies, they do make the update process a lot less painful.

That said, it is a pretty decent office suite.

Re:The problem with Open Office (0)

Anonymous Coward | more than 7 years ago | (#15899755)

Then use StarOffice on Solaris, like Sun want you to.

The problem you highlight is a problem with all Linux distros that I've tried. No distro seems to provide proper patch level dependency checking or provides incremental patch files. It's just most obvious with OpenOffice being (typically) the largest set of packages on the system.

So, bad luck, at least it's free.

Re:The problem with Open Office (1)

penix1 (722987) | more than 7 years ago | (#15900344)

"The problem you highlight is a problem with all Linux distros that I've tried. No distro seems to provide proper patch level dependency checking or provides incremental patch files."

Then you haven't done Gentoo. Even big programs like Xorg, KDE, KOffice, etc. are done now in meta form allowing an update to one part without doing it all. I eventually see programs like Ooo going that route in Gentoo as well. Any other dependency change is handled by revdep-rebuild. All-in-all, Gentoo is a fine distro for this feature alone...

B.

Re:Thats a cool thing with open source (2, Informative)

nwbvt (768631) | more than 7 years ago | (#15899647)

I've seen plenty of security bugs in open source code that don't get updated right away. Open source is not all that different from closed source software in this sense. While it certainly is fun to pretend open source is perfect and is in every way better than commercial software, that simply is not true.

Re:Thats a cool thing with open source (1)

Pharmboy (216950) | more than 7 years ago | (#15899805)

On the server side, critical security bugs are fixed on average in one to three days in Linux. Be it a kernel issue, sshd, apache, bind, vsftpd/proftpd, sendmail or any other widely used daemon.

Minor programs not as fast but still faster than MS and the main programs that offer the greatest possibility for root exploits have always been fixed in just a day or two. I welcome any example where it took 4 weeks for a fix for a main package.

I don't think Linux is safer because I use it on my servers, I use it on my servers because it has the POTENTIAL to be safer if maintained properly. Still using Windows on the desktop for 90% of systems.

I am glad MS has gotten better about patches, but they still don't do anything nearly as fast as the average large, mainstream OSS package does for updates.

Re:Thats a cool thing with open source (2, Interesting)

nwbvt (768631) | more than 7 years ago | (#15900160)

"I welcome any example where it took 4 weeks for a fix for a main package."

Well offhand, here is one [sourceforge.net] opened 3 years ago which still hasn't been fixed, though it would be difficult to exploit. Basically what happens is that a machine with trust level 4 (the default is 3, so again this would be difficult to exploit) can gain level 5 access (meaning it can run arbitrary commands on the computer running the service). No, STAF/STAX is not as big as Linux (which is why I was talking about open source in general, not just Linux, which isn't even the software this article was about), but it is used in many corporate environments as an automated testing tool.

Re:Thats a cool thing with open source (2, Interesting)

Penguin (4919) | more than 7 years ago | (#15899688)

Yeah, open source is great. I'm so happy that after a year nobody responded to my Firefox bug report marked as security related issue. After a year I suppose someone got a notification email and re-wrote the summary, but it is still marked as "NEW". This bug is over a year old, no way it could be regarded "NEW". It should be "FIXED" or at least "INVALID" (or "GET A LIFE, MORON"). Currently it is assigned to "Nobody's working on this, feel free to take it". Yay, the power of open source.

I'm sorry that you put that much trust into a community. It seems like people are more fond of a thought of "the great thing is that when we are THAT many people present at the party surely someone wants to do the dishes (and fetch the dead guy out of the pool)" instead of a schedule of "No security bug older than one day/week/month/year should be regarded 'NEW', but should be assigned to a responsible person".

I'm not heckling the open source community. I'm part of it. But happy-go-lucky progress just doesn't cut it for security efforts. BIND is open source as well, but its security track record has been awful, especially in comparison with the simplicity of a DNS server versus web servers (or any other kind of application).

(the mozilla bug is #295922, requires privilege access, no biggie, not a problem for default or average users, but there is still no reason for a security marked bug to have status "NEW" after a year)

Re:Thats a cool thing with open source (1)

westlake (615356) | more than 7 years ago | (#15899777)

Thats a cool thing with open source...If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.

Last I heard, Sun was still providing the money, manpower, leadership, and material resources going into the development of OpenOffice.org. That contributions from outsiders were trivial, given the scale and complexity of the project.

"If it looks like a duck and quacks like a duck..."

Just maybe an open source license and free distribution doesn't change things much internally from the way they are done in Redmond.

Re:Thats a cool thing with open source (2, Informative)

TheRaven64 (641858) | more than 7 years ago | (#15899939)

contributions from outsiders were trivial, given the scale and complexity of the project.

Sun does about 80% of the work on OpenOffice.org. This is a significant majority, but I would hardly classify 20% as trivial. The second largest contributor is Novell. Since they have OpenOffice.org deployed on every single one of their employees' machines, they do a lot of work fixing dogfood bugs.

Re:Thats a cool thing with open source (1)

black mariah (654971) | more than 7 years ago | (#15900219)

You mean from the way things are done in Boston, right? 'Cause this is the same way that most of the GNU tools were initially developed.

Let me think... (5, Funny)

DumbSwede (521261) | more than 7 years ago | (#15899407)

which should I use, hmmmm...
Microsoft's Office Suite IS being attacked.
OpenOffice could, possibly, theoretically, be attacked.

Re:Let me think... (1)

daniil (775990) | more than 7 years ago | (#15899469)

If you have to choose between the state of war and the state of constant fear, then you cannot possibly lose, can you?

Re:Let me think... (0)

Anonymous Coward | more than 7 years ago | (#15899502)

All joking aside, that is a dangerous way to think. No matter what platform or software you run, you should never become complacent with even potential security threats. Why do you think we still vaccinate children against polio?

Well (1, Interesting)

mysidia (191772) | more than 7 years ago | (#15899409)

They may find the security of OpenOffice to be insufficient. Their grounds for the finding seem rather questionable to me, given the theoretical nature of said flaws, and the very realized nature of Office security flaws.

I for one find the security of MS Windows as a whole to be insufficient. Quite clearly the only way to achieve a sufficient level of security is to use a patched BSD kernel, and use Vi or Ed for all editing tasks instead of MS Word, OpenOffice, or other similar GUI application.

In many ways, integrated GUI applications have ineffective security compared to segregated command line applications. When you type a command into a computer, you can be a lot clearer as to what the computer will do.

You separate viewing some text from viewing a picture, etc.

Re:Well (1)

LinuxIsRetarded (995083) | more than 7 years ago | (#15899781)

I for one find the security of MS Windows as a whole to be insufficient.

Perhaps that's because you're ignorant of the security measures in Windows 2000 and later operating systems. If you run as an administrator, you place yourself at increased risk (this is no different than running as root on *nix). I have no problems running as a reduced privilege user with XP Professional. Yes, I've had to tweak file and registry permissions due to a few poorly-written applications, but that's not a flaw in the operating system; that's just developers being lazy and ignorant.

Re:Well (0)

Anonymous Coward | more than 7 years ago | (#15900019)

I stopped using Windows software around 1993, glad to see that it has only taken MS 13 more years to get to the point my Linux box was in 1993. Keep up the good work, MS!

Many eyes at work. Sounds like a + not - (5, Insightful)

MCRocker (461060) | more than 7 years ago | (#15899413)

This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed.

The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw exists or use DMCA to sue the people who disclose the problems.

Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office.

Re:Many eyes at work. Sounds like a + not - (2, Interesting)

kz45 (175825) | more than 7 years ago | (#15899564)

"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."

This seems to be the call of the open source zealot, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.

I have been involved with many open source projects over the past couple of years and it usually ends up like this:

1) someone emails a bug to the main programming team
2) someone on the programming team (when they have time..since it is a volunteer position) will look through the code and make the changes
3) rinse and repeat

Proprietary apps actually seem to be better in this respect because at least the main programming team is usually working on it full time and can implement changes in a timely fashion (because they aren't working other jobs). In bigger corporations, this does not always happen because of corporate BS.

"Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office."

Not really. Many proprietary apps still have people that can and do find flaws (much in the same way they find them in open source apps. Sure, the source code helps, but I would imagine it's easy for many of the security experts to test it from the outside).

"The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw exists or use DMCA to sue the people who disclose the problems."

so why did the people at openoffice.org pass many of the flaws off as theoretical?

Re:Many eyes at work. Sounds like a + not - (1)

electroniceric (468976) | more than 7 years ago | (#15899819)

"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."
This seems to be the call of the open source zealot, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.

While I agree that the attitude that open source fixes all vulnerabilities is blasé, your statement is also a bit too broad. Secure projects are generally those that have been engineered to be secure from start to finish. Apache is quite secure, and OpenBSD sets the bar there. This is because these projects are carefully designed and managed for security. MS Office's general insecurity comes from its incredibly ugly code base - apparently it is just a mess in there - which is due to the product having been munged together by acquisition rather than engineered from scratch. Sadly, OpenOffice appears to have nearly the same problem - the original code base was very ugly, and while some cleanup has been done, there has been no general design process to ensure that problems are fixed at a broad level rather than an individual one. So there's very likely a lot of merit to MoD's claims.

Application security will always be a problem, both in terms of modifying or misusing the OS, and in terms of wrecking users' data. The former can and will be mitigated by better sandboxing (e.g. some sort of Zones or virtual machine approach for each app), while continuous backups and shadow copies may help the latter. I suspect you'll see security evolve in two ways - one, it will take on much more importance, but two, it will also move towards the "plan for flaws and keep things working" approach you hear Amazon, Google and others adopt these days. If OOo can move towards that model, it can continue to be a fine alternative, but that requires somebody rescuing it from its enduring stepchild status. Time will tell whether that turns out to happen.

Re:Many eyes at work. Sounds like a + not - (2, Insightful)

someone300 (891284) | more than 7 years ago | (#15900183)

Well, considering that a higher proportion of the users of OSS will contribute fixes and bug reports than the equivalent for proprietary software, it doesn't matter as much if fewer of the main programming team are always available. Also, companies that are worried can fix security threats internally and submit the changes back. I'm not a major OSS developer but I've contributed many bug reports to GNOME and some to the linux kernel, and they've all been fixed. I have submitted some usability improvements in patch form too, which can't be done with proprietary stuff. Sure I'm only one person, but if you get even a tiny proportion of the users of a popular piece of software willing to get messy with the code, then it's a positive thing.

The problem I find with most proprietary apps isn't the development model as such, but there's rarely a clear place to forward suggestions and bug reports. For Microsoft software you get the crasher bug reporting with their "Send error report" thing, but there are far more types of bug that you can submit to bugzilla on most projects (Crasher, usability, suggestion, glitch, etc.). I have seen some Microsoft projects with places to send reports and suggestions, as I have other proprietary stuff, it's just that it's usually much less polished if it exists at all.

Re:Many eyes at work. Sounds like a + not - (2, Insightful)

MCRocker (461060) | more than 7 years ago | (#15900262)

"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."

This seems to be the call of the open source zealot, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.

Right... as compared to closed source, where 0% have the capability of auditing the source code.

Of course, things aren't as black and white as either of our initial comments make things seem. The edge is a bit blurred these days as even Microsoft does have a 'shared source' initiative to allow some interested parties to have a look and those just happen to be some of the most likely ones to actually be motivated and qualified to find and implement fixes. However, openness as the default stance does seem to make a lot more sense because even one's critics can look at the code and make an assessment.

I have been involved with many open source projects over the past couple of years and it usually ends up like this:

1) someone emails a bug to the main programming team
2) someone on the programming team (when they have time..since it is a volunteer position) will look through the code and make the changes
3) rinse and repeat
That sounds a lot like the proprietary model except that the 'when they have time' gets replaced with 'if they get budget approval'. I've worked on proprietary software and know, first hand, that development costs are usually dwarfed by customer support costs. In many projects, bugs only get fixed if there's a good business case for the fix.

Either way, resources have to be available, but they can come from outside of the core organization in the case of open source projects. If some customer thinks something is important enough for them, they can always go out and fix themselves. With a commercial program if they aren't a big enough account to make a ripple at headquarters, then it'll never get fixed unless it happens to pop up on the radar of someone more important. Sure, companies that will do this are few and far between, but at least they do have the option. Heaven help them if they decide that they like the legacy version that they've been using for years and haven't ponied up for the forced upgrade to the latest and greatest or even worse, if the company has gone bankrupt and the software is no longer available. At least with source they have a fighting chance.

One of the biggest factors in all of this is the size of the projects. Small open source projects tend to be fairly poorly supported, not as a rule, but in general. Small proprietary programs often have very little support at all and tend to be discontinued. Large, sexy, open source projects get a lot of visibility and tend to benefit from lots of participation and feedback. Large, profitable, proprietary projects tend to have enough paying customers who complain about enough bugs that there's some pressure to get them fixed. Counter examples of all four cases abound, but in general... size matters.

So, perhaps arguments about open vs. closed are really about secondary effects rather than the primary effects.

"Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office."

Not really. Many proprietary apps still have people that can and do find flaws (much in the same way they find them in open source apps. Sure, the source code helps, but I would imagine it's easy for many of the security experts to test it from the outside).
Sure, SOME proprietary software makes SOME of their code available to A FEW reviewers, but as I wrote above, open by default means that even unexpected sources are capable of performing audits and contributing code.

"The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw exists or use DMCA to sue the people who disclose the problems"

so why did the people at openoffice.org pass many of the flaws off as theoretical?
I haven't followed the developers mailing list for this, so I can't really say. However, I would imagine that their motivations would be similar to those in any project, open or closed, who deny things like this.

Whether they are right or wrong, if someone submits a patch to one of these theoretical attacks, I bet that it'll get accepted and that the auditors won't be sued for revealing the flaws in the first place.

The Bad News Is... (5, Funny)

RobotRunAmok (595286) | more than 7 years ago | (#15899423)

...that OpenOffice has security flaws.

The Good News is that in the time it takes the suite to open and load an infected document the malicious hacker has been captured by the FBI, brought to trial, convicted, and a patch made available.

Re:The Bad News Is... (0)

Anonymous Coward | more than 7 years ago | (#15899745)

It actually _loads_ a document? Damn, I knew I should have checked back in the morning...

Re:The Bad News Is... (2, Informative)

miro f (944325) | more than 7 years ago | (#15899982)

actually since I found the OpenOffice.org quickstarter (hidden in the preferences under memory) I never went back. Loading times have decreased a lot (sometimes it even loads instantaneously). Sure it takes more memory while my system is idle but I've never run out before...

What makes them think MS Office isn't vulnerable? (5, Insightful)

foreverdisillusioned (763799) | more than 7 years ago | (#15899424)

I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.

I fail to see how this is a black mark against OpenOffice.org.

Re:What makes them think MS Office isn't vulnerabl (2, Insightful)

NihilEst (976138) | more than 7 years ago | (#15899446)

I fail to see how this is a black mark against OpenOffice.org.

I don't either. But you know that if MS (or its shills) can make it appear so, they will.

Re:What makes them think MS Office isn't vulnerabl (0)

Anonymous Coward | more than 7 years ago | (#15899590)

I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code.
Then you assume wrong. Other than the one source-level defect, the security problems being dismissed as "theoretical" are fundamental design problems that are evident without any examination of source code. That is, OO.o is "working as designed", yet it has security problems.
The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party.
Not so. A fundamental design problem isn't fixed by a patch. I suppose you can guard against it, in the sense of "never open a document from anybody you don't trust". Of course, if that advice were offered as a solution to similar problems with a MSFT product, the person offering it would rightly be laughed out of the room.
I fail to see how this is a black mark against OpenOffice.org.
That's because you appear to lack critical thinking skills.

Re:What makes them think MS Office isn't vulnerabl (2, Insightful)

miro f (944325) | more than 7 years ago | (#15899992)

I suppose you can guard against it, in the sense of "never open a document from anybody you don't trust". Of course, if that advice were offered as a solution to similar problems with a MSFT product, the person offering it would rightly be laughed out of the room.


Funny, I've heard that advice many times and never any laughing. This is the kind of advice you follow for everything when working in windows. Don't open a document from someone you don't trust, don't go to a website you don't trust, don't open an attachment from someone you don't trust (you even have to be careful opening attachments from people you DO trust)

In fact if anyone's being laughed out of the room for this advice it's because everyone with any common sense has been following this advice since the first computer ever connected itself to the Internet.

The goal isn't to be better, it's to be good (2, Insightful)

tfried (911873) | more than 7 years ago | (#15899600)

I fail to see how this is a black mark against OpenOffice.org

I don't think that's (necessarily) the point. Whatever MS does about their Office security flaws does not really concern me any longer. There's almost nothing that could ever make me use MS Office again. But so what. The point isn't which suite is better, the point is: OpenOffice.org still has flaws, and those should be fixed. In this context the statement "The [other flaws] are theoretical" does not make me feel good. I want even theoretical flaws to be taken seriously, so they won't ever become real ones, if that can be avoided. I just hope the OO.o team does not concentrate too much on having the better PR, but also on having a good product.

Disclaimer: I don't have the slightest clue about OOo security in general, and the "theoretical" flaws in particular, so possibly they may in fact be nothing to worry about. If you convince me this is the case, or I'm just mis-interpreting the quote, I'll happily shut up.

Theoretical (0)

Anonymous Coward | more than 7 years ago | (#15899426)

The statement that "the others [vulnerabilities] are theoretical" reminds me of the slogan that L0pht used to have at the top of their web site:

"That vulnerability is completely theoretical." -- Microsoft
L0pht: Making the theoretical practical since 1993.

Not that I don't greatly prefer OpenOffice and open source in general over Microsoft, but in order to remain better than Microsoft, open source can't afford to become complacent like Microsoft.

Re:Theoretical (1)

Neuropol (665537) | more than 7 years ago | (#15899471)

Agreed. And I'm sure people are working on it and looking in to it. Even on this fine Sunday evening.

Most likely right at the time when the OO.o devs were sitting down to a nice Sunday dinner. Then all of a sudden one looks over at his idling machine and sees that a story about his software has been posted at Slashdot "... gasp ... choke ... (insert Heimlich maneuver)!"

In theory, an OO developer has just come close to near death to a near exploit found in OO!

Look what you've done! Couldn't this have waited 'til Monday morning?

MMKay.. Interesting, but.. (4, Informative)

wwiiol_toofless (991717) | more than 7 years ago | (#15899438)

OpenOffice.org is FREE! FREE I tell you! Given the choice between a known-to-be-vulnerable $200 suite and a hypothetically-vulnerable Freeware suite, I'll take the latter. The day I discovered OO still ranks in the top 10 of my favorite computing moments of my life.

Re:MMKay.. Interesting, but.. (0)

Anonymous Coward | more than 7 years ago | (#15899602)

heh until your confidential document you had on your computer gets leaked and you get fired.

So... (0)

Anonymous Coward | more than 7 years ago | (#15899441)

On the one hand, we have an office suite (MS Office) that's presently under heavy attack by hackers, and on the other, we have one (OpenOffice) that MAY be attacked, that has already addressed one of the discovered weaknesses and will probably address the others ASAP. OpenOffice is a greater security risk? Maybe in Upside-Down Land.

What's the point (1)

alveraan (945484) | more than 7 years ago | (#15899443)

in talking about what os/office suite/browser/... has the most bugs. Just report them to the programmers so they can fix them. I mean, this is an open source project. I'm sure they care about critical security bugs...

If a company/project takes 2 years average to fix a bug, that's a problem, but hey - stop spreading blame and start spreading bug reports. That's far more productive.

Don't worry Frenchies (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#15899450)

I'm sure OO.org can be hacked to surrender itself when malware authors begin targeting it.

OO.org is vulnerable (3, Insightful)

Elektroschock (659467) | more than 7 years ago | (#15899465)

True. Guess the same applies to Abiword. But who will write an Abiword worm?

leaked MS Expense Report (5, Funny)

Gothmolly (148874) | more than 7 years ago | (#15899472)

From: sballmer@microsoft.com
To: accounting@microsoft.com

Attached find my receipts for the recent meetings I had with the French Ministry of Defense:

First class plane ticket to Paris: 2100 USD
Swank hotel in Paris: 1800 USD
Dinner for 2 at a spiffy restaurant: 800 USD
Hookers and blow for MoD officials: 5000 USD

Business Justification For Expense: I believe that we will sell ONE MILLION copies of Office to the French MoD.

--Steve

PS If you get a bill from the hotel about a broken chair, it was like that when I got the room, so I don't think we should pay it. Bill said it would be OK.

Re:leaked MS Expense Report (1)

winkydink (650484) | more than 7 years ago | (#15899610)

First class from SEA-CDG is closer to $10k.

Gentle Reminder About the Ministry (4, Insightful)

mpapet (761907) | more than 7 years ago | (#15899477)

This is the MINISTRY OF DEFENSE where draconian access control and accounting should be routine.

It's very difficult to go from that environment back to the real world where security is measured by successfully implementing long passwords in a company.

Making the inductive(?) leap that OpenOffice.org is insecure is a really long leap of faith. Are there holes? Probably.

In many ways, this is good news because the open source application is being picked over with a fine tooth comb by a large ministry.

Bring it on!

The important news here (4, Funny)

andreMA (643885) | more than 7 years ago | (#15899486)

... is that France has a Ministry of Defense.

Re:The important news here (4, Funny)

Harmonious Botch (921977) | more than 7 years ago | (#15899525)

I disagree. The important news is that they have finally overestimated a threat.

Re:The important news here (1)

mark_hill97 (897586) | more than 7 years ago | (#15899794)

Well someone has to oversee the production of white flags.

Re:The important news here (1)

baggins2001 (697667) | more than 7 years ago | (#15900110)

They have always had a Ministry of Defense. Up until now, though, they've only been used to wave white flags and yell "Run away, run away, run away". The really important news here is that they have attacked something.
Twenty-one years ago they attacked a Greenpeace vessel and had their first victory at sea in 300 years. Now they're going after OpenOffice; man, these guys truly have balls.
Be afraid Iran, be very afraid. In 5,000 years they may just come after you.

Insecure by association? (4, Insightful)

quantaman (517394) | more than 7 years ago | (#15899492)

My understanding is that a lot of the security problems in MS Office come from bad design w.r.t. things like macros, which make it very hard to secure the system. If OpenOffice is working towards compatibility with MS Office they may be having to deal with the same types of security issues in trying to secure bad macros and such. Thus it makes sense that OpenOffice would be just as, or even more, insecure than MS Office: not only do they have many of the same classes of exploits, but they also have greater pressure to rush these features out (for compatibility reasons) and up till now haven't had the motivation of attackers actively exploiting them to force them to spend the necessary time on security.

OPDs and Latex (1)

MarkWatson (189759) | more than 7 years ago | (#15899497)

Well, be careful of Other People's Documents (OPDs)!

I always turn off any live macro support in OpenOffice.org and Microsoft Word, and hope that is good enough security. I also tend to open Word .doc files I receive from other people in OpenOffice.org.

A little off topic, but I have been blogging about this lately: whether I am writing up short project documents or working on a for-fun book project (Ruby AI Programming), I find that just using Latex is much more productive for me. One reason is just seeing raw text (with a little markup) seems less distracting. Also, I find Latex easier to automate for stuff like running external commands and including the output, auto-insert of external files using custom listing styles for programs and for program output, etc. This is great when writing about programming - tweak the code examples, and the next time you run Latex on the main document, the new code versions and new output are included. Sweet. The "overhead" for writing is reduced, giving me more time to post on Slashdot :-)

Re:OPDs and Latex (1)

SpiritGod21 (884402) | more than 7 years ago | (#15899769)

Yeah, I discovered Latex just a few months ago and I've been loving it. Looking forward to the semester starting up so I have an excuse to use it a lot and some motivation for writing a template for SBL format :-P

Re:OPDs and Latex (3, Informative)

iabervon (1971) | more than 7 years ago | (#15899823)

The main problem with LaTeX is that, if you use it for much of anything, you'll never have the patience to deal with a word processor again, and will therefore be unable to work with businesspeople on documents. And you'll be forever annoyed by the minor formatting flaws in everybody else's documents, like when paragraphs spanning page breaks have a single line on one of the pages.

Re:OPDs and Latex (1)

MarkWatson (189759) | more than 7 years ago | (#15900055)

Too late - I am already spoiled by Latex.

I tried to get the publisher of my last book to accept Latex, but they said no.

Re:OPDs and Latex (1)

whitehatlurker (867714) | more than 7 years ago | (#15900000)

This is interesting in that the slide show referenced by TFA was produced with LaTeX and dvips, on the 4th of June, 2006. News for nerds is a bit behind ...

CVE-2006-2198 (4, Informative)

tetromino (807969) | more than 7 years ago | (#15899507)

I think that the flaw they are talking about is CVE-2006-2198 [mitre.org], which was fixed in OOo-2.0.3. It was pretty nasty: it executes an arbitrary macro without alerting or prompting the user. However, given that the mistake was already found and fixed, what else does the French Ministry of Defence have to complain about?

Re:CVE-2006-2198 (4, Informative)

truthsearch (249536) | more than 7 years ago | (#15899674)

I submitted this story to /. a month ago and it was rejected. Back then the MoD stated they were already working with the OpenOffice.org developers to have the appropriate changes made. Apparently it's been completed within the last one or two months. This is old news (by internet standards).

Microsoft or Sun? (1)

Rudolf (43885) | more than 7 years ago | (#15899527)

From the summary: ...vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version

Microsoft has a version of OpenOffice? Isn't OpenOffice's closed version StarOffice, which is owned by Sun, not MS?

Re:Microsoft or Sun? (1)

Jessta (666101) | more than 7 years ago | (#15899839)

You seem confused and seem to be having trouble reading. In no way does that sentence convey that Microsoft has a version of OpenOffice.org. But it does state that Microsoft has an open source office suite. Which I've never seen.

The actual problem is DicOOo (3, Informative)

Animats (122034) | more than 7 years ago | (#15899538)

Here's the attack:

Installation of an offensive C function in the DicOOo macro.
The C function is executed when DicOOo is installed.

"DicOOo" is an installer for dictionaries into OpenOffice. Unfortunately, it seems to have too much power, and can be replaced or induced to install other things. This is an add-on to OpenOffice, and apparently an unsafe one.

Re:The actual problem is DicOOo (1)

g4sy (694060) | more than 7 years ago | (#15899966)

That was the problem that was fixed. The other problems have been examined and dealt with using certificates etc.

Nothing to see here. Move along.

Maybe we need to take a step back... (5, Interesting)

Harker (96598) | more than 7 years ago | (#15899544)

a decade or more, at least.

How about we stop writing word processors and spreadsheets that are capable of running code (other than its own)?

I remember back when I was big on a certain usenet news group, we had a discussion about an email virus. The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer, and possibly to your girlfriend/wife/sister/etc. The entire thing was a hoax that preyed on ignorant computer users, and urged them to spread the word.

My argument at the time was basically that an email client could not, or should not execute the text within the email itself, and any client that did, shouldn't be used.

Now I use Outlook on a daily basis, and guess what?

So, let's take a step back to simpler, less efficient applications. Get rid of what causes the vulnerabilities in the first place.

Now where did this box come from?

H.

Re:Maybe we need to take a step back... (1)

whitehatlurker (867714) | more than 7 years ago | (#15899971)

The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer,

That would be the Good Times [ciac.org] virus. (Warning: don't click on that ... ooooh too late.)

Re:Maybe we need to take a step back... (1)

Harker (96598) | more than 7 years ago | (#15900281)

Yup, that's the one.

H.

Re:Maybe we need to take a step back... (0)

Anonymous Coward | more than 7 years ago | (#15900185)

Tru dat, yo.

Same go fo browsers. Noscript fo life, dogg.

Alternatives (3, Interesting)

Doc Ruby (173196) | more than 7 years ago | (#15899546)

How secure is MS software that responds to vulnerability discoveries by ignoring them or lying about them, fixing them after months or even several versions (years) later? Because users have to rely on MS to fix them.

Compared to OO.o, which anyone can fix, even the French government itself, but which does fix bugs quickly.

The only problem with open office is (3, Funny)

popsicle67 (929681) | more than 7 years ago | (#15899553)

It doesn't have a sales staff that can kiss a minister's ass.

Damn Frogs! (-1, Troll)

Jah-Wren Ryel (80510) | more than 7 years ago | (#15899592)

Jeeezus Keerist! There those frenchies go again with their obstructionist, anti-freedom policies. I say we stand up to those cowards and rename Open Office to Libre Office! That'll show 'em what Freedom is all about.

Re:Damn Frogs! (0)

Anonymous Coward | more than 7 years ago | (#15899852)

Damn, mods have no sense of humor. Libre Fries? Come on, its hilarious.

Which Open Office? (0)

Anonymous Coward | more than 7 years ago | (#15899665)

Again we have this inconsistent naming structure, where two different programs have the same name. See it all the time, like "firefox has this new bug" etc when a lot of the times it is only really a problem when it is a microsoft windows brand firefox. A windows product is a proxy MS product, whether someone else besides MS develops it or not or what they charge for it or what license it is developed under. Now the same with open office. I REALLY wish these projects would pick entirely different names for their software to distinguish an MS proxy product or not. Please distinguish between your "helping out poor old penniless Microsoft" efforts in developing software for them, and "the other". It's time, way past time, to be a little more accurate here. And if you can't come up with different names, throw it out to the community of users, get some suggestions, then vote on it.

What a productive attitude (1, Flamebait)

ElektroHolunder (514550) | more than 7 years ago | (#15899742)

Great. A government agency sees enough potential in OO.org to spend a probably not insignificant amount of time and money on analysing the code, and what is the reaction around here? Finger pointing. "But MS Office is at least just as bad, yadda yadda yadda".

How constructive. When you were a child and you came back from school with your less-than-stellar marks, did you point at your retarded little cousin and yell "but Bob's marks are even worse"?

Either refute their points if they are wrong, or suck it up like a man, use the money already spent for the betterment of the project and get your shit together and clean up the mess.

And yes, I know that the people whining around here are probably not the same spending their time coding on OO. Still, this attitude pisses me off.

Re:What a productive attitude (0)

Anonymous Coward | more than 7 years ago | (#15899767)

How constructive. When you were a child and you came back from school with your less-than-stellar marks, did you point at your retarded little cousin and yell "but Bob's marks are even worse"?

Of course. It's a well known strategy to deflect criticism. Works even in adulthood.

Besides, it's not like Bob is gonna get into too much trouble because of bad grades. He's retarded, for pete's sake!

Re:What a productive attitude (1)

YetAnotherBob (988800) | more than 7 years ago | (#15900345)

You may have missed the above comments, the French were working with the OOo crew on this. It's already been fixed.

feltcher (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15899749)

feltchers

Consider the source. (0, Troll)

kahrytan (913147) | more than 7 years ago | (#15899790)

Consider the Source -- The French. Need I say more?

8 steps to improve oo.org security (1)

paj1234 (234750) | more than 7 years ago | (#15899795)

1) Click Tools menu.
2) Click Options.
3) On the left side, click the Security category.
4) Under "OpenOffice.org Basic Script", set "Run macro" to "Never".
5) Under "Hyperlinks", set "Open hyperlinks" to "Never".
6) Under "Java", untick "Enable".
7) Under "Enable", untick "Plug-ins" and untick "Applets".
8) Click OK.

OpenOffice.org will now be configured for best security. Some functionality will not be available. Depending upon your system, you may need to repeat these steps for each user account.
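The Options dialog above protects one installation; a practitioner also wants a check, at a mail gateway or on disk, that says whether a document carries macros at all before anyone opens it. The script below is an added example for this page, not code from the comment above or from the OpenOffice.org project. It relies only on the public OpenDocument container layout: a ZIP whose META-INF/manifest.xml declares every part, with Basic modules under Basic/, other scripts under Scripts/, and script:event-listener bindings in content.xml. The sample documents are constructed in memory; the dom:load event name and the vnd.sun.star.script URL in them are illustrative assumptions, not values taken from the page.

```python
"""Scan an OpenDocument (ODF) file for embedded macros and script bindings.

Added example for this thread, not code from the OpenOffice.org project.
Everything here is derived from the public ODF container conventions; the
sample documents are constructed inline, and the event name / script URL used
in them are illustrative assumptions.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "manifest": "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0",
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
MACRO_DIRS = ("Basic/", "Scripts/")


def scan_odf(data: bytes) -> dict:
    """Return what a gateway filter would want to know about one document."""
    findings = {"mimetype": None, "macro_entries": [],
                "undeclared_macro_entries": [], "event_listeners": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "mimetype" in names:
            findings["mimetype"] = z.read("mimetype").decode("ascii", "replace")

        # 1. Any file under a macro directory is a macro module, whatever its name.
        findings["macro_entries"] = [n for n in names
                                     if n.startswith(MACRO_DIRS) and not n.endswith("/")]

        # 2. A module missing from the manifest was dropped into the ZIP by hand;
        #    that is a stronger signal than a declared one.
        declared = set()
        if "META-INF/manifest.xml" in names:
            manifest = ET.fromstring(z.read("META-INF/manifest.xml"))
            for entry in manifest.findall("manifest:file-entry", NS):
                declared.add(entry.get(f"{{{NS['manifest']}}}full-path"))
        findings["undeclared_macro_entries"] = [n for n in findings["macro_entries"]
                                                if n not in declared]

        # 3. Document-level event bindings are what make a macro fire on open.
        for part in ("content.xml", "styles.xml"):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for el in root.iter(f"{{{NS['script']}}}event-listener"):
                findings["event_listeners"].append(
                    (el.get(f"{{{NS['script']}}}event-name"),
                     el.get(f"{{{NS['xlink']}}}href")))

    findings["has_macros"] = bool(findings["macro_entries"] or findings["event_listeners"])
    return findings


def build_sample_odt(with_macro: bool, declare_in_manifest: bool = True) -> bytes:
    """Construct a minimal .odt in memory (constructed test data, not a real document)."""
    mime = "application/vnd.oasis.opendocument.text"
    entries = [f'<manifest:file-entry manifest:full-path="/" manifest:media-type="{mime}"/>',
               '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>']
    listeners = ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("mimetype", mime, compress_type=zipfile.ZIP_STORED)  # ODF: first, stored
        if with_macro:
            # Illustrative Basic module; its body is never executed by this script.
            z.writestr("Basic/Standard/Module1.xml",
                       f'<script:module xmlns:script="{NS["script"]}" script:name="Module1" '
                       'script:language="StarBasic">Sub Main\n MsgBox "constructed sample"\n'
                       'End Sub</script:module>')
            if declare_in_manifest:
                entries.append('<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" '
                               'manifest:media-type="text/xml"/>')
            # Assumed event name and script URL form; only their presence matters here.
            listeners = ('<office:scripts><office:event-listeners>'
                         '<script:event-listener script:event-name="dom:load" '
                         'script:language="ooo:script" xlink:href="vnd.sun.star.script:'
                         'Standard.Module1.Main?language=Basic&amp;location=document"/>'
                         '</office:event-listeners></office:scripts>')
        z.writestr("META-INF/manifest.xml",
                   f'<manifest:manifest xmlns:manifest="{NS["manifest"]}">'
                   f'{"".join(entries)}</manifest:manifest>')
        z.writestr("content.xml",
                   f'<office:document-content xmlns:office="{NS["office"]}" '
                   f'xmlns:script="{NS["script"]}" xmlns:xlink="{NS["xlink"]}">{listeners}'
                   '<office:body><office:text/></office:body></office:document-content>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_odt(False)),
                       ("macro", build_sample_odt(True)),
                       ("smuggled", build_sample_odt(True, declare_in_manifest=False))):
        print(label, scan_odf(doc))
```

To use it on real files, read the bytes of each .odt/.ods/.odp and pass them to scan_odf; a document with has_macros set is the one to quarantine or open only with "Run macro" set to "Never", and an entry in undeclared_macro_entries is worth a closer look on its own, since a normally saved document declares every part it contains.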

Apples and Oranges (0)

Anonymous Coward | more than 7 years ago | (#15900050)

It's a bit like comparing apples and oranges. Unless you're running OpenOffice as root it doesn't really matter anyway, as an exploit would only be able to access files that the user has access to, due to the way security works within the Linux kernel, and typically the user won't have access by default to any system files that would allow spyware etc. to be installed. At most a hacker may be able to access files in the home drive, but that's about it.

With Windows / MS Office, on the other hand, everything runs at the same level, and any security within the Windows OS / kernel is easy to circumvent.

Office's APIs (1)

peterfa (941523) | more than 7 years ago | (#15900057)

My sister's fiancé is a total Microsoft zealot. He loves that Windows. He told me about some exciting things about Microsoft Office 2007 or something like that. He tells me about these APIs that you can do all this crazy stuff with. In my mind I wonder why an office suite is supposed to do all that stuff, thinking that if it's an office suite it really should do the office functions, and not anything else.

Those APIs maybe one reason why Office is insecure.

OO.o wouldn't try this. They would stick to the UNIX philosophy that each utility should do only one thing, but do it well.

Lest we forget... (0)

Anonymous Coward | more than 7 years ago | (#15900218)

The French have every right to be paranoid about invaders.