©1997/2004, Active Network. All Rights Reserved.
Time: 09:26 EST/14:26 GMT | News Source: Ars Technica | Posted By: John Quigley
OpenOffice.org has been increasing in both popularity and visibility over the past several months. Version 2.0 has added a number of new features to bring it closer to feature parity with Microsoft Office, and it also offers full support for the OpenDocument format. However, a report just released by the French Ministry of Defense says that it still falls short of Microsoft's office suite in one important area: security.
The classified report follows a one-year study by the Ministry comparing the popular open-source suite with its commercial competitor. During a demonstration for other parts of the French government on July 5, lab director Lt. Col. Eric Filiol showed off some malevolent code the Ministry had developed in order to discover the weak points of both office suites. The researchers found that OpenOffice.org was more susceptible to certain attacks, including those made via macros.

#1 By 8556 (12.217.111.92) at 7/19/2006 9:36:07 AM
Is being "more susceptible to certain attacks" a meaningful concern? Are the attacks rare or common? Are the MS Office file formats the primary source of weakness or are all the file types equally vulnerable? Apparently the problems aren't deeply serious, as the findings are being presented to OpenOffice.org, where they will be addressed.

#2 By 15406 (216.191.227.68) at 7/19/2006 11:22:52 AM
This can only help both suites. However, I'm not sure how much weight to put into a security assessment from the French Ministry of Defense. And no, this isn't a typical US-style French-bashing, just that I don't trust ANY government to do anything computer-related with any competence.

#3 By 32132 (64.180.219.241) at 7/19/2006 11:27:22 AM
http://search.securityfocus.com/swsearch?query=openoffice&metaname=alldoc&sort=swishlastmodified&sbm=%2F&start=30
An example of one:
http://www.securityfocus.com/archive/1/439861
"It was possible to embed Basic macros in documents in a way that
OpenOffice.org would not ask for confirmation about executing them. By
tricking a user into opening a malicious document, this could be
exploited to run arbitrary Basic code (including local file access and
modification) with the user's privileges. (CVE-2006-2198)
A flaw was discovered in the Java sandbox which allowed Java applets
to break out of the sandbox and execute code without restrictions. By
tricking a user into opening a malicious document, this could be
exploited to run arbitrary code with the user's privileges. This
update disables Java applets for OpenOffice.org, since it is not
generally possible to guarantee the sandbox restrictions.
(CVE-2006-2199)
A buffer overflow has been found in the XML parser. By tricking a user
into opening a specially crafted XML file with OpenOffice.org, this
could be exploited to execute arbitrary code with the user's
privileges. (CVE-2006-3117)"
Arbitrary code execution is bad.
OpenOffice is following the same trail as Firefox on security. Exploits. Lots of them.
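The article's finding and the advisory quoted above both concern macros carried inside OpenOffice.org documents. As an added, defensive example (not code from this thread or from the OpenOffice.org project), the helper below inspects an OpenDocument package for script entries so a mail gateway or analyst can flag macro-bearing files before a user opens them. It assumes the standard ODF package layout (StarBasic under `Basic/`, other languages under `Scripts/`, entries declared in `META-INF/manifest.xml`); the sample documents are constructed inline.

```python
import io
import re
import zipfile

# ODF packages keep StarBasic macros under Basic/ and other script
# languages (Python, JavaScript, BeanShell) under Scripts/.
MACRO_PREFIXES = ("Basic/", "Scripts/")
MANIFEST = "META-INF/manifest.xml"

def macro_entries(odf_bytes: bytes) -> dict:
    """Macro-related paths seen in the archive and declared in the manifest.
    A script present in one list but not the other is itself worth flagging."""
    found = {"zip": [], "manifest": []}
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        names = zf.namelist()
        found["zip"] = [n for n in names
                        if n.startswith(MACRO_PREFIXES) and not n.endswith("/")]
        if MANIFEST in names:
            manifest = zf.read(MANIFEST).decode("utf-8", "replace")
            found["manifest"] = [
                p for p in re.findall(r'manifest:full-path="([^"]+)"', manifest)
                if p.startswith(MACRO_PREFIXES) and not p.endswith("/")]
    return found

def has_macros(odf_bytes: bytes) -> bool:
    """True when the package carries any embedded script entry."""
    found = macro_entries(odf_bytes)
    return bool(found["zip"] or found["manifest"])

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal .odt-style package for offline testing."""
    entries = ['<manifest:file-entry manifest:media-type="text/xml" '
               'manifest:full-path="content.xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content/>")
        if with_macro:  # a StarBasic module; a real one carries the macro body
            zf.writestr("Basic/Standard/Module1.xml",
                        '<script:module script:language="StarBasic">'
                        "Sub Main\nEnd Sub</script:module>")
            entries.append('<manifest:file-entry manifest:media-type="text/xml" '
                           'manifest:full-path="Basic/Standard/Module1.xml"/>')
        zf.writestr(MANIFEST, "<manifest:manifest>" + "".join(entries)
                    + "</manifest:manifest>")
    return buf.getvalue()
```

A document whose script entries appear in the ZIP but not in the manifest (or the reverse) deserves the same scrutiny as one that declares them openly.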

#4 By 7754 (216.160.8.41) at 7/19/2006 11:33:22 AM
I suspect Park/kk/kkker will repeat this ad nauseam in posts to come.... ;)
At any rate, I would think the main concern here is "specially-crafted" files--whether that includes a malicious macro, exploits a buffer overflow, etc. If OpenOffice.org is more susceptible to those attacks than Office, then yes, this is noteworthy. Interestingly, OpenOffice.org's relatively small market share would hurt it in this case, because those are the types of things that are closely watched with Office--and therefore nearly immediately protected via anti-virus vendors' updates. Now that the very same file format might carry a virus that would not affect one widely-used program and infect a machine through a much less pervasive alternative, it is not unlikely to think that the AV protection may be a bit spotty.

#5 By 7754 (216.160.8.41) at 7/19/2006 11:34:18 AM
Hahaha... too late!!

#6 By 8556 (12.217.111.92) at 7/19/2006 12:13:08 PM
S. Parker: I agree with many of your comments. However, OpenOffice is a great product for people on a tight budget. 75% of my customers are general consumers that use OpenOffice to save money and because it works well. The current bugs will be fixed.

#7 By 32132 (142.32.208.232) at 7/19/2006 12:54:55 PM
"The current bugs will be fixed"
And then there will be new bugs (as the Firefox experience shows).

#8 By 15406 (216.191.227.68) at 7/19/2006 2:11:47 PM
#7: Oh is that right? What about this month's own-your-box PowerPoint bug, last month's multiple Excel bugs, the Word bugs the month before... Looks to me like MS has a few problems of their own, Mr. Pot.

#9 By 32132 (142.32.208.232) at 7/19/2006 2:26:50 PM
Once upon a time, coffee girl, the OSS fanatics created the myth that Microsoft software was insecure and open source software is secure. Both Firefox and OpenOffice have proven that the 2nd part of the myth is a big lie.
I think the first part of the myth is arguable. Many of Microsoft's products now focus on security. IIS 6 and XP SP2 are examples. Office 2003 predates Microsoft's focus on security.
I'm saddened that OSS has failed to learn anything from Microsoft's experience. In fact, they seem to be so focused on copying what Microsoft did, that they've copied the security problems in IE6 and Office as well.

#10 By 15406 (216.191.227.68) at 7/19/2006 3:04:41 PM
#9: "the OSS fanatics created the myth that Microsoft software was insecure and open source software is secure"
As usual, no. You created it as a strawman argument and you keep repeating it to knock it down to make some bogus point. It is generally accepted that open source software equivalents are more secure than Microsoft software. That does not mean zero bugs. It doesn't matter if Firefox has a billion bugs, so long as IE has a billion + 1 to make my statement correct. Only a fool thinks open source has zero bugs and only a fool keeps repeating it.
And I never thought I'd see the day when Parkkker admits that IE and Office are stuffed with security problems.

#11 By 3653 (68.52.143.149) at 7/19/2006 3:37:01 PM
latch - "I don't trust ANY government to do anything computer-related with any competence. "
I couldn't let this rare moment of our agreement pass by unnoticed. Of course, I know you love what the EU is doing to msft. So, your heart isn't in your statement.
And hey, I'm going on a low-carb diet. Can you use Splenda in my coffee for the next few weeks? Thanks boy.

#12 By 15406 (216.191.227.68) at 7/19/2006 3:44:15 PM
#11: I wouldn't say I love what they're doing to MS. However, I don't like it when corporations think that they are above the law, whether you agree with the law or not. It certainly would be nice if we all could just ignore laws we don't like, but that doesn't work in the real world (or at least it shouldn't.) MS should have been smacked down by the DoJ until political interference made the penalty moot. And MS is showing continued non-compliance and arrogance, but this time that court isn't putting up with their nonsense.
BTW, I don't even drink coffee, but if I did decide to get you & Parkkker some, I can guarantee you wouldn't like what would be in it.

#13 By 7754 (216.160.8.41) at 7/19/2006 3:53:46 PM
#10, in fairness, I think there is a point that underlies what Parker is saying. You say, "It is generally accepted that open source software equivalents are more secure than Microsoft software." That may be "conventional wisdom," but from the cold, hard facts, one cannot make that as an obvious conclusion.
Even if Microsoft products suffer the highest number of actual attempted exploits, it does NOT follow that OSS is more secure, inherently more secure, or any such other oft-touted notion. There is a disconnect in reasoning--actually just plain faulty reasoning--among many of those that promote OSS. And even then, talking in a general sense about OSS projects (or Microsoft products, for that matter) as if they're all on the same level is just nonsensical. There is a huge range in quality and security among OSS projects.
If Firefox has 1,000,000,000 bugs, and IE has 1,000,000,001 bugs, can you really say "Firefox is more secure"? That's just plain nonsense. It only takes one security hole for an unprotected product to be insecure. More bugs may introduce additional avenues of attack, but the fact of the matter is that anything more than 1 hole is insecure and a risk. If you think of security in terms of plugging holes, you've missed the point.

#14 By 15406 (216.191.227.68) at 7/19/2006 3:57:22 PM
#3: When I run the same SecurityFocus query for 'Microsoft Office' it comes back with 21 pages versus 3 pages for OpenOffice. Using Parkkker's SillyMetrics(tm), that means MS Office has 7 times more security flaws than OOo!

#15 By 15406 (216.191.227.68) at 7/19/2006 4:08:18 PM
#13: It all depends on how the question is framed, and what is being measured and how results are interpreted. With a little effort, I could probably come up with cases for and against both sides.
At the end of the day (great Spock's Beard song BTW), no software is secure. However, software can be rated relative to its peers. And you're right; a straight bug count is a terrible metric. But what's a good one? There hasn't been any consensus about this that I know of. You would need to come up with a formula that weighs number of bugs and their respective (subjective) severity. Is an own-your-box hole worth 2-5 data theft bugs? 1-2 crash OS bugs?
I also do not buy the argument that, because MS software is so popular, it's the main target for baddies and that's why so many things are found. Yes, MS software gets more scrutiny by baddies because of its popularity. But they wouldn't find much if there was nothing to find. I subscribe to the belief that MS software is more of a target because of a combination of it being more popular and historically more easily exploited. Various flavours of BSD have been powering the net for many, many years, but there aren't anywhere near as many problems found with the BSDs. It was designed with security in mind, while MS software is designed with usability in mind. The outcome is predictable.

#16 By 2960 (68.101.39.180) at 7/19/2006 4:10:42 PM
Parkkkkker wrote: "And then there will be new bugs (as the Firefox experience shows). "
Of course this never happens with Windows or IE.
TL

#17 By 32132 (142.32.208.232) at 7/19/2006 4:39:22 PM
#14: Office has had its problems. But then again, Office 2003 predates Microsoft's security focus.
I'm just saying it's just a bad sign that a product supposedly as recent as OpenOffice has so many "arbitrary code execution bugs". As Firefox also has. And OS X.
#16: "Of course this never happens with Windows or IE."
That's not my argument. My argument, especially with Firefox and OS X and OpenOffice, is that no one seems to be learning from Microsoft's mistakes except for Microsoft.

#18 By 7754 (216.160.8.41) at 7/19/2006 6:16:26 PM
#15: What I'm saying, though, is that it doesn't really matter how many holes there are--if there is just one and you're compromised, then game over. That's why I say the hole-plugging game is the wrong mindset in the first place, and these types of arguments are just dumb. You evaluate and know your holes and risks, then you protect against them. Incidentally, this is a knock against the "homogeneous environments are a security risk" argument, and one major reason why I wouldn't roll out Firefox in a company-wide fashion (one browser with holes is enough trouble already... a second browser with its own set of holes? No thank you!).
As for the BSD vs. MS argument, that's comparing apples to oranges on a lot of different levels (and isn't the corollary of your outcome implication that Microsoft software is more usable than BSD? Isn't that also important, particularly for the roles the two have typically served?). PowerPoint, for example, wasn't "powering the net for many, many years," nor, for that matter, was IE. We could look at IIS, but somehow there seems to be a telling silence and deflection when IIS is brought into the discussion. I look at IIS as a prime example of Microsoft's awakening with regard to security--it used to be a poster child for insecurity, but now no one wants to talk about it, usually because it doesn't support their ABM agenda. Should we expect different from Vista? I think a lot of the stereotypical "insecure Microsoft product" arguments will dry up with Vista. Of course, it will take time, just as people still talked about Windows reliability in terms of 9x/ME long after 2000/XP came out (and LONG after NT).

#19 By 23275 (68.17.42.38) at 7/20/2006 11:48:15 PM
Very good points, Bluvg...
I read an astoundingly worded headline the other day... then two more very similar to it.
They read..."Is Vista too secure...?" I was blown away - then the authors went on to say how much of a burden all the new UAC and Protected Mode elements were in Vista - right up to being critical of all the COM Opt-In handlers and new firewall and Defender rules alerts that basically only mimic [in very friendly ways], what any good ICSA Group IV firewall already has been doing, or that which any noob admin could implement with a little reading and a few mouse clicks.
For all the "holes" in Windows servers and clients that were alleged - I submit that there was always a system in place, and a dern good one, to allow even modestly skilled people to secure all of it consistently and effectively. Vista and Longhorn Server and totally noob/stupid-proof tools across the server family line designed to "make it so easy" really do work.
But.... they also take some of the satisfaction one may have had opposite all the work it took to learn how to do it without all the new security features. I mean, kicking forced encryption over TCP and securely publishing a secure Exchange that gave users the ability to connect Outlook up long before RPC over HTTPS was really cool and took a great deal of admin skill. Intimate knowledge of ISA Server 2000 and Exchange 2000 were needed and one felt a real sense of doing something that was rarer and valuable.
Vista and Longhorn Server will change a lot of that..... Oh well... at least we have a whole new set of web services tools we can show our stuff with - just can't help but think the world has obviated all that work and study.
One word of sincere warning/hope - when Vista is out there making the lives of criminals a nightmare.... - we will see just how sloppy OSX and many OSS apps/environments are - I sense the criminals will turn on those they have spared and we're going to see a lot of truth I have written about well and truly exposed. The hope side is I hope I was wrong.... but I know I am not and OSS/OSX are going to get hammered bad.