OpenOffice.org has hit back at claims that the alternative office applications suite is riddled with security holes. Researchers at the French Ministry of Defense say that OpenOffice is subject to security weaknesses that make it at least as susceptible to computer viruses as the commercial, more widely used, Microsoft Office.
OpenOffice gets features which people have been asking for, and now they say it’s got security flaws? Give me a break, this is just junk talk.
So how can OO.o get features MS Office has without virus threats? See where I’m going here? Any dumb idiot can say the .doc format is a security risk from viruses and, because OO.o supports that format, so is it. I mean, WTF!
Whoa now, slow down there. Most of the worst security flaws haven’t been design errors but implementation errors, and that’s why they can be fixed without major disruption, usually. However, there may be design errors making it more difficult to keep things secure.
Also, .doc has historically been a binary format because it’s quick and easy to save and restore data this way: Meaning there’s not a lot of checking going on. OOo is written to work on multiple platforms and it’s in a different language: That means they’re processing those binary formats which means they should be validating them (not that Microsoft isn’t validating them these days).
But I still hold to the opinion that there’s only one application in MS Office where security is a prime concern: Outlook. If you’re opening Word documents from completely untrusted sources then you deserve a virus.
And if you’re publishing Word documents no one should be reading what you’ve published either…
“And if you’re publishing Word documents no one should be reading what you’ve published either…”
Yep, that’s right. You wouldn’t want your customers to be able to communicate with you now, that might be good for business.
Yeah, I know... a little smart comment there, but unfortunately true. Most use MS Office since it is the accepted business standard, like it or not.
As for security flaws, MS Outlook is very secure; it is the users that insist on clicking “OK” to allow things to run that are the security problem, not the application. Outlook does not even allow attachments by default anymore without registry hacks, and it most certainly does not automatically run any scripts. Do not confuse Outlook and Outlook Express… two different products.
It’s an editing format, not a publishing format… It’s just not made for publishing, it’s far too feature rich.
Use it internally all you want, but you shouldn’t expect people who don’t trust you to open your .doc.
As of Office 12 Microsoft will be providing them a fully working export format: PDF. Before, they could have used rich text, or HTML, or some other format (like PostScript).
“It’s an editing format, not a publishing format… It’s just not made for publishing, it’s far too feature rich.
Use it internally all you want, but you shouldn’t expect people who don’t trust you to open your .doc.
As of Office 12 Microsoft will be providing them a fully working export format: PDF. Before, they could have used rich text, or HTML, or some other format (like PostScript).”
In actuality I totally agree. The problem is users do not understand all this. It’s the same reason HR departments request resumes in “Microsoft DOC format”. Send one in PDF or any other format and the resume will get trashed and never read. Not as bad as it used to be, but it has hurt me in my job hunts before.
I agree. When sending documents to clients, I always prefer to use PDF for several reasons:
1. Read-only format. Don’t want clients changing terms of contract, invoice numbers etc.
2. Highly accessible. Works on virtually any system. Readers are free and highly pervasive.
3. Size. PDFs are generally smaller than .Doc
4. No virii worries!!
After all, PDF stands for Portable Document Format!
“Yep, that’s right. You wouldn’t want your customers to be able to communicate with you now, that might be good for business.”
The only time a word processing document should be emailed is for collaboration. If you’re sending something to a customer to just read, you should be sending it in a final output format. That’s why I prefer to send PDFs to my customers.
Not only that, but PDF is available for all platforms, not just MS platforms.
“The only time a word processing document should be emailed is for collaboration. If you’re sending something to a customer to just read, you should be sending in a final output format. That’s why I prefer to send PDF’s to my customers.”
I agree. My point is that management at most companies don’t agree, and MS Word Documents ARE the final output format. If that was not the case there would not be big discussions on compatibility of file formats, and it would be a non-issue.
“As for security flaws, MS Outlook is very secure, it is the users that insist on clicking “OK” to allow things to run that are the security problem, not the application.”
I beg to differ.
Security in an application is not only about how hard it is to break the code. It is also about how the user interacts with the application, or rather is allowed to interact with it.
To be secure, an application not only needs to have secure code, it also needs to be designed in a way that it doesn’t encourage unsafe behavior among its users.
If you can click OK to initiate dangerous actions, some users will do it, either because of lack of knowledge or because of convenience or laziness in combination with “This will not happen to me” thinking.
“To be secure, an application not only needs to have secure code, it also needs to be designed in a way that it doesn’t encourage unsafe behavior among its users.”
I agree, but then every email client does that these days. They ask the user what they want to do with the file. So by your definition almost all email clients are insecure. The only ones I know of that do not are the ones that no longer have a place in the business world, such as Pine and the like. All collaborative ones, which are required by business, such as Outlook, Evolution, Lotus Notes, etc., allow this type of activity. User training is what will increase security, as trying to make idiot-proof applications results in smarter idiots that figure out how to break them.
“To be secure, an application not only needs to have secure code, it also needs to be designed in a way that it doesn’t encourage unsafe behavior among its users.”
“I agree, but then every email client does that these days”
No, that’s completely false.
“They ask the user what they want to do with the file”
That’s just not true at all. I only need to take Evolution to see you’re wrong. Get a clue!
Evolution never asks you what to do with a file, it has a default action when you click on it, and allows choice of actions through a drop menu box.
“So by your definition then almost all email clients are insecure”
No, that’s just by your clueless opinion. Most email clients are not so insecure, but Windows is a pretty badly insecure OS, that allows scripts to execute.
Evolution never allowed any script to execute by default.
What you say is just ignorant FUD to try to put Outlook in a better light. Yes Outlook, not even Outlook Express.
“The only ones I know of that do not are the ones that no longer have a place in the business world, such as Pine and the like. All collaborative ones, which as required by Business, such as Outlook, Evolution, Lotus Notes, etc allow this type of activity”
No, you only know of Pine and Outlook, and extrapolated to say they all are the same.
“User training is what will increase security, as trying to make idiot proof applications results in smarter idiots that figure out how to break it”
Yes, user training will increase security, but it’s on the Windows platform that you hear people say FOSS is too complicated because it requires some training.
So these people are happy to be ignorant, take it like a good thing, and all this comes from MS marketing making idiots believe Windows is easy.
I’m not saying people are idiots, that’s actually Windows people (shills/zealots) that always use this term to describe Windows users, as soon as there is a problem in a MS application. They will never admit Windows or a Windows app is insecure or crap, no, that’s always the user who is an idiot.
Sorry to tell you that on Linux, the very same user without training never catches any virus or script in his mail, using Evolution. And no, I never call Linux or FOSS users idiots.
“That’s just not true at all. I only need to take Evolution to see you’re wrong. Get a clue!
Evolution never asks you what to do with a file, it has a default action when you click on it, and allows choice of actions through a drop menu box.”
Just because it is not an “OK” button doesn’t make it any different. I do have a clue, thanks, and have used Evolution quite extensively for a time. Before you flame, get an idea. Having a drop-down of choices is the same thing, whether you want to admit it or not.
Actually the email clients I use regularly are Outlook, Evolution, KMail, Thunderbird, Mozilla, and Pine, as I support all of these. Outlook does not allow scripts to execute without intervention; if it does, you have tweaked and broken it, as there are registry hacks that will allow that. You are correct that Linux users do not catch viruses from clicking something, however they do run scripts. Just because it has not been done does not mean it can not be. I have written a script that when run will hose a Linux machine; all the person has to do is enter the root password. Guess what, people will do it. I know Windows and some of its applications have all kinds of faults, which is the reason I have all the Windows machines locked down. I don’t even let people install their own software, I have to do it. Luckily the company is small enough.
And thanks for basically calling me an idiot, since you of course don’t call Linux users idiots…although you just did.
Also. Users will get used to clicking ‘OK’ for every document they open at work. Do you really think most users actually read those warning dialogs? I doubt it very much.
This is the same old MS way of increasing *perceived* security by making the user jump through more hoops. Trust me, those ‘security’ dialogs will be invisible to 99% of users in no time.
They shouldn’t publish things in these document formats: it’s because the documents allow macros, which makes them difficult to keep secure, regardless of who is shipping the tool.
Did anybody read the original article?
http://arstechnica.com/news.ars/post/20060718-7288.html
“The classified report follows a one-year study by the Ministry comparing the popular open-source suite to its commercial competitor. During a demonstration for other parts of the French government on July 5, lab director Lt. Col. Eric Filiol showed off some malevolent code the Ministry had developed in order to discover the weak points of both office suites. The researchers found that OpenOffice.org was more susceptible to certain attacks, including those made via macros.
In some instances, malevolent macros were considered to be secure by the open-source package, and as a result, users were not informed when they were executed. This was in contrast to Office, which barrages users with warnings each time a document with macros is opened.
Lt. Col. Filiol notes that the problems are conceptual, rather than due to sloppy coding. “We did not exploit security holes,” he said. Filiol thinks that OpenOffice.org’s rush to achieve a level of features and functionality comparable to that of Microsoft Office has led it to neglect security issues.”
Office 2003 makes it very hard to run macros.
OpenOffice makes it easier.
It has nothing to do with the document format.
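The thread above argues about whether the risk lives in the document format or in how the suite handles macros. One thing a defender can do independently of either suite is inspect a document package before it reaches a user. The script below is an added example and is not code from this thread, from OpenOffice.org or from the French Ministry study. It relies on the OpenDocument package layout (a zip with META-INF/manifest.xml, content.xml, StarBasic libraries under Basic/ and other script languages under Scripts/) and treats a script:event-listener element in content.xml as a hint that a macro is bound to a document event; that last check is a substring heuristic, and the two sample documents it builds are constructed in memory for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by META-INF/manifest.xml in OpenDocument packages.
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
# Package directories where OpenDocument stores macro code.
MACRO_PREFIXES = ("Basic/", "Scripts/")


def inspect_odf(data: bytes) -> dict:
    """Report macro indicators for an OpenDocument package given as bytes.

    Checks three independent signals: zip entries under Basic/ or Scripts/,
    manifest file-entries pointing at those directories, and (heuristically)
    an event listener in content.xml, which is how a macro gets bound to a
    document event such as opening.
    """
    report = {"macro_entries": [], "manifest_macro_paths": [],
              "auto_exec_hint": False, "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["macro_entries"] = sorted(
            n for n in names if n.startswith(MACRO_PREFIXES) and not n.endswith("/"))
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
                if path.startswith(MACRO_PREFIXES):
                    report["manifest_macro_paths"].append(path)
        if "content.xml" in names:
            # Heuristic: any script:event-listener means a script is wired to an event.
            report["auto_exec_hint"] = b"script:event-listener" in zf.read("content.xml")
    report["has_macros"] = bool(report["macro_entries"] or report["manifest_macro_paths"])
    return report


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal .odt-style package in memory (sample data, not a real document)."""
    manifest_entries = [
        '<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text" manifest:full-path="/"/>',
        '<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml"/>',
    ]
    scripts_block = ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires the mimetype entry first and uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        if with_macro:
            # Constructed StarBasic library with one module and a dom:load binding.
            zf.writestr("Basic/script-lc.xml",
                        '<library:libraries xmlns:library="http://openoffice.org/2000/library"/>')
            zf.writestr("Basic/Standard/Module1.xml",
                        '<script:module xmlns:script="http://openoffice.org/2000/script" '
                        'script:name="Module1">Sub Main\nEnd Sub</script:module>')
            manifest_entries += [
                '<manifest:file-entry manifest:media-type="" manifest:full-path="Basic/"/>',
                '<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/script-lc.xml"/>',
                '<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/Standard/Module1.xml"/>',
            ]
            scripts_block = (
                '<office:scripts><office:event-listeners>'
                '<script:event-listener script:event-name="dom:load" script:language="ooo:script" '
                'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
                '</office:event-listeners></office:scripts>')
        zf.writestr("META-INF/manifest.xml",
                    f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}" manifest:version="1.2">'
                    + "".join(manifest_entries) + "</manifest:manifest>")
        zf.writestr("content.xml",
                    '<office:document-content '
                    'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
                    'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
                    'xmlns:xlink="http://www.w3.org/1999/xlink">'
                    + scripts_block + "<office:body/></office:document-content>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with macro", True)):
        print(label, inspect_odf(build_sample(flag)))
```

Running the script prints one report per constructed sample; on a real file, read it as bytes and pass it to inspect_odf. The three signals are kept separate on purpose: a package whose manifest lists Basic/ but contains no such entries (or the reverse) is worth a second look, and an event listener with no macro code behind it still tells you the document expects to run something on load.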
I think the majority of security holes these days start out with good intentions as features that are later exploited.
If we’re talking about unknowing macro execution because the OO.o product doesn’t prompt more exhaustively for confirmation, then that’s a problem and needs to be addressed.
Aside from that, we have to consider the market share of these products. It’s quite possible that the OO.o suite has numerous design issues that open up gaping security holes, but until the share of the market exists to warrant concern about mass “infection” it really isn’t that big of an impact, at this stage.
I have to agree with the comment above though. It’d be my experience that the majority of infections and hacks on computers is more due to ignorance of users who find it acceptable to just click on whatever they please without actually being smart about it.
The “I didn’t know” time has well and truly passed. There’s no excuse for opening every damn attachment or script. It’s been made well and truly obvious it’s a huge risk.
I think it’s time people started to be smart about computing and dropped the ignorant “shucks, I’m just hopeless with computers” line.
Popularity comes faster than fixes: they should worry now.
From an engineering point of view I’d concede that they should be investigating the claims in depth. They seem to be at least opening communication lines up with the authors.
However, I really don’t think that OO.o is going to rapidly become hugely popular, even over the next two years.
Also keep in mind the product will evolve and won’t be tomorrow what it is today.
for closed source software. “Hey, their stuff is just as bad as ours but we make you pay for ours, isn’t that better?”
Give me a break.
No, it isn’t. It is a study conducted by a government body to impartially compare threat levels in the two software suites. It is not an advert.
I’d add that the words you’re putting into the closed-source vendor’s mouth don’t convey the study’s findings accurately. How about: “their stuff is *worse* than ours…”? Now that could be called a selling-point.
http://www.adobe.com/support/techdocs/321644.html
“Products: Adobe Reader 5.1, 6.0-6.0.3, 7.0-7.0.2, Adobe Acrobat 5.0-5.0.5, 6.0-6.0.3, 7.0-7.0.2
Platform: Windows, Mac OS, Linux, Solaris
Vulnerability Identifier: CVE-2005-2470
Overview: Adobe has discovered a buffer overflow in Adobe Acrobat and Adobe Reader. This issue has been addressed and a product update is available to proactively mitigate potential malicious activity. Adobe always recommends that users keep their systems up to date and install the latest update of these applications.
Effect: If the vulnerability were successfully exploited, the application could crash with an increased risk of arbitrary code execution.”
And there are a few others.