Posted on 08/13/2006 10:01:47 PM PDT by zeugma
With Microsoft Corp.'s Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses.
"The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled "In-depth analysis of the viral threats with OpenOffice.org documents."
"This suite is up to now still vulnerable to many potential malware attacks," they wrote.
The paper describes four proof-of-concept viruses that illustrate how maliciously encoded macros and templates could be created to compromise systems running the open-source software. "The viral hazard attached to OpenOffice.org is at least as high as that for the Microsoft Office suite, and even higher when considering some ... aspects," they wrote.
The report was written by researchers at the French Ministry of Defense's Signal Corps and is set to be published in the Journal in Computer Virology, a Paris-based academic journal for computer scientists.
A number of the problems described in the report have to do with the basic design of the software. For example, OpenOffice.org does not perform adequate security checks on the software it runs, the researcher said. And because of the extreme flexibility of the free office suite, there are many ways for writers to create malicious macros, the researchers found.
The OpenOffice.org team has already fixed a software bug discovered by the French researchers, and the two groups are in discussions about how to improve the overall security of the software, said Louis Suarez-Potts, an OpenOffice.org community manager.
"The one real flaw in the programming logic has been fixed," Suarez-Potts said. "The others are theoretical."
OpenOffice.org has patched a number of vulnerabilities in the past few weeks, and Suarez-Potts says users should upgrade to the latest version.
These latest bugs show that the open-source project has some security work ahead of it, said Russ Cooper, a senior information security analyst at Cybertrust. "If these types of vulnerabilities had been discovered in Microsoft Office, it would be front-page news," he said. "Whoever did the security for OpenOffice has totally ignored what Microsoft has gone through with the security of their own Office documents."
Attackers have exploited a number of bugs in Microsoft's Office applications of late, sending maliciously encoded Word, Excel and PowerPoint documents via e-mail to a small number of victims in extremely targeted attacks. On Tuesday, Microsoft patched the latest such flaws, which related to PowerPoint.
Signal Corps Researcher Eric Filiol has also discussed some of the team's OpenOffice.org findings during a conference presentation. Filiol declined to be interviewed for this story.
(Peter Sayer in Paris contributed to this report.)
From the article:
"Whoever did the security for OpenOffice has totally ignored what Microsoft has gone through with the security of their own Office documents."
One would hope that the folks working on OpenOffice would have preemptively closed some of the paths that have been previously exploited in Microsoft's office suite.
I've not used macros within OpenOffice, so I'm not sure of how they are executed. In a Linux environment you should be reasonably safe from any macros doing actual damage to your system, but I'm quite sure it could hose your local data and settings badly if it wanted to. One way around this would be to not have a directory defined for "trusted" scripts/macros. This is the default setting apparently. You have to define one yourself, so that should limit the effectiveness of malicious code.
These types of issues need to be watched, though much of what was discussed seemed to be largely theoretical.
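The article and the comments above turn on macros embedded in OpenOffice.org documents. As an added example (not code from the article, the French report, or the OpenOffice.org project), here is a small Python triage script that opens an ODF package, lists any macro content it carries, and reports whether the package manifest declares it. It assumes the standard ODF package layout: a ZIP archive with a `mimetype` member, `META-INF/manifest.xml`, StarBasic libraries under `Basic/`, and other script engines under `Scripts/`. The two sample documents it builds are constructed inline so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Directories inside an ODF package that hold executable content (ODF 1.x layout).
#   Basic/    StarBasic libraries: script-lb.xml plus one XML file per module
#   Scripts/  other script engines, e.g. Scripts/python/, Scripts/beanshell/
MACRO_PREFIXES = ("Basic/", "Scripts/")
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ODT_MIME = "application/vnd.oasis.opendocument.text"


def scan_odf_for_macros(data: bytes) -> dict:
    """Inspect an ODF package held in memory and describe its macro content.

    Returns a dict with the package mimetype, the ZIP members found under the
    macro directories, and the macro paths declared in META-INF/manifest.xml.
    A document that carries no macros yields two empty lists.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        mimetype = zf.read("mimetype").decode("ascii", "replace") if "mimetype" in names else ""
        macro_entries = sorted(
            n for n in names if n.startswith(MACRO_PREFIXES) and not n.endswith("/")
        )
        declared = []
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
                if path.startswith(MACRO_PREFIXES) and not path.endswith("/"):
                    declared.append(path)
    return {
        "mimetype": mimetype,
        "macro_entries": macro_entries,
        "manifest_declared": sorted(declared),
    }


def classify(data: bytes) -> str:
    """Reduce a scan to a triage verdict for a mail gateway or file-share sweep.

    'clean'              no macro members in the package
    'macros'             macro members present and declared in the manifest
    'undeclared-macros'  macro members present that the manifest does not list;
                         the archive and its manifest disagree, which is worth
                         a closer look before the file is opened
    """
    result = scan_odf_for_macros(data)
    if not result["macro_entries"]:
        return "clean"
    undeclared = set(result["macro_entries"]) - set(result["manifest_declared"])
    return "undeclared-macros" if undeclared else "macros"


def build_sample_odt(with_macro: bool, declare_in_manifest: bool = True) -> bytes:
    """Construct a minimal ODT for testing (constructed sample, not a real file).

    The Basic module it embeds is an empty 'Sub Main', enough to show how a
    macro-bearing document differs structurally from a plain one.
    """
    entries = [("content.xml", "text/xml")]
    if with_macro:
        entries += [
            ("Basic/script-lb.xml", "text/xml"),
            ("Basic/Standard/Module1.xml", "text/xml"),
        ]
    manifest_lines = [
        f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">',
        f' <manifest:file-entry manifest:full-path="/" manifest:media-type="{ODT_MIME}"/>',
    ]
    for path, media in entries:
        if path.startswith(MACRO_PREFIXES) and not declare_in_manifest:
            continue  # deliberately leave the macro files out of the manifest
        manifest_lines.append(
            f' <manifest:file-entry manifest:full-path="{path}" manifest:media-type="{media}"/>'
        )
    manifest_lines.append("</manifest:manifest>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires 'mimetype' first and stored uncompressed.
        zf.writestr("mimetype", ODT_MIME, compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", "\n".join(manifest_lines))
        zf.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            zf.writestr("Basic/script-lb.xml", '<library:library library:name="Standard"/>')
            zf.writestr(
                "Basic/Standard/Module1.xml",
                '<script:module script:name="Module1">Sub Main\nEnd Sub</script:module>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (
        ("plain document", build_sample_odt(False)),
        ("macro document", build_sample_odt(True)),
        ("macro document, undeclared", build_sample_odt(True, declare_in_manifest=False)),
    ):
        print(f"{label}: {classify(doc)} {scan_odf_for_macros(doc)['macro_entries']}")
```

The scanner never executes anything from the document; it only reads the archive listing and the manifest, so it is safe to run on untrusted files at a mail gateway or during a share sweep. The verdict is structural: a `Basic/` or `Scripts/` member means the file can carry code, which is the property the article is concerned with, regardless of what that code does.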
ping
No billions to repair faulty software?
Considering the two products are really not objectively comparable, this article strikes me as being mostly disingenuous.
Probably not, though according to the article, the actual vulnerability found was fixed, so perhaps you don't need billions to repair faulty software.
Some companies spend billions and develop nothing but.
Why do you not consider them to be 'objectively comparable'?
Interesting.
Thanks for posting this.
Response To The French Ministry of Defence Report Leak
2006-07-20
There has been comment in the media about a report on a French language website: "Le ministère de la Défense met OpenOffice à l'index"
The ZDNet article claims to describe the proceedings of a confidential meeting within the French public administration. It is not appropriate for the OpenOffice.org community to comment on a leak from a private meeting. However, one of the people mentioned in the article, Eric Filiol, has posted two replies to the online article clarifying the purpose of the research and correcting some of the incorrect conclusions in the original article.
The OpenOffice.org office suite is being widely adopted within the French public administration, and the OpenOffice.org community has been working closely with the departments involved. OpenOffice.org is pleased that its source code is being scrutinised by the most important and respected department of security in France.
If security vulnerabilities are suspected, there is a well defined procedure within the IT industry for reporting, analysing, and resolving any issues, which aims to minimise any public announcement (and the resulting creation of exploits) until fixes are available.
The OpenOffice.org community confirms it regards security as of the highest importance and will react immediately to any security issues reported by the French public administration or other competent bodies or individuals.
-The OpenOffice.org Team
Leave it to the French...
:)
Thanks for the update from the OO team.
Even though they basically do the same thing, the difference in their backgrounds, price and resources render them incomparable.
Last time I checked, Sun Microsystems was a multi-billion dollar corporation. They are the driving force behind OpenOffice.
Personally, I really like Abiword for open source word processing. I have OpenOffice and Microsoft Office on my work machines, but I use Abiword -- fast, small and simple.
Don't make files executable.
Not worth it and a dumb idea.
It's disappointing software on many levels, IMHO. Clunky and labored and inelegant. And now, insecure.
Unfortunately, open-source software often seems designed by committee.
So in the choice between OpenOffice and MS Office, it seems we're talking about which brand of Swiss cheese we want to buy.
It really depends on the individual project, just as in proprietary software.
Could be. Then again, it would probably be worth it to look at which one has demonstrable and exploited holes.
At the moment, it is possible that OO is of the Swiss variety. We know MS-Office is.
Feature-wise, they both do pretty much the same thing IMO, though I'm not one who uses one of those rather esoteric features of MS-Word that was bolted on because it was requested by exactly one customer.
Yes, they are the driving force, but not the developers. OpenOffice is an Open Source project.