August 15, 2006 | Comments: (0)
Slashdot talkback: OpenOffice security
We reported last Friday that researchers at the French Ministry of Defense said vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version.
The Ministry said users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote.
An ensuing Slashdot discussion on the topic is worth a look, and here are some highlights of the 181 comments (and counting).
Start with the English translation:
[Red Alastor writes,] I speak French, let me translate.
1. "Official" MS Office competitor.
2. Share of the market rising.
3. Cheap but...
4. What about the real security of OpenOffice ?
5. Viral analysis by proof of concept
6. Numerous integrated programming languages : script shell, VBScript, Python, Perl, Asp, Java.
7. Rich macro developing.
8. Numerous existing hijackable execution points
9. No protection mechanism for macros
10. zip format makes virus penetration easy.
11. Macro security is easy to bypass. "Trusted" folders are defined. Any macro placed in those folders is by definition, trusted.
12. Document signatures do not really consider macros. Bypassing possibilities
13. Macros can be linked to events or services.
14. Other mechanisms : macro chaining, hypertext links, inter-application execution, OLE
15. Many mechanisms are usable for an infection
16. All known viral techniques known for Microsoft Office can be translated under OpenOffice.org
17. Every kind of infection is doable. (Infection and auto-reproduction)
18. Globally, OpenOffice's suite is a bigger infection risk than Microsoft's suite.
19. No real security concepts.
20. Many functional viral roots were made as proof-of-concept
21. Infection successful no matter the security setting of the user.
22. Some scenarii can act without alerting the user in any way (scenarii is a stupid plural in French too but they used it in the original)
Foreverdisillusioned writes:
I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.
I fail to see how this is a black mark against OpenOffice.org.
Alveraan writes:
in talking about what os/office suite/browser/... has the most bugs. Just report them to the programmers so they can fix them. I mean, this is an open source project. I'm sure they care about critical security bugs...
If a company/project takes 2 years average to fix a bug, that's a problem, but hey - stop spreading blame and start spreading bug reports. That's far more productive.
You get the point. The full thread is worth a read, with the Slashdot community weighing in.
Posted by Mike Barton on August 15, 2006 09:26 AM