Sun Developer on the Security of OpenOffice
In a recent blog, Sun developer Malte Timmermann took a position on the security concerns of the Ecole Superieure d'Informatique, Electronique, Automatique (ESIEA) in Paris-Laval, France. The subject was the vulnerability of OpenOffice, involving document macros, for example.
In the context of the Black Hat Europe 2009 Briefings conference in Amsterdam mid-April, Eric Filiol and Jean-Paul Fizaine of the cryptology lab at the French engineering academy, ESIEA, presented a paper of around 70 pages describing security holes in OpenOffice 3.x. The concern was the newest OpenOffice release of October 2008 and the steady increase in malware for office applications. Their reasoning was that the growing availability of free software invited a larger role for macro viruses. The threat scenario for their research came from a Python virus.
Sun Microsystems contributor and OpenOffice developer Malte Timmermann has now systematically challenged the results of the two academic colleagues in a long blog entry spread out over six chapters, much as the original research paper. Chapter 2, for example, covers the security features of the ODF document format. The two Frenchmen mention in their paper that ODF uses zip containers. Timmermann's response: "There are many hints on how to prove that ODF files are using zip containers - nobody ever said it would be different." The implication of possible wrongdoing especially bothered him: "In the context of this paper it sounds like this would become a tool for doing evil things - manipulating ODF documents. Actually, the whole purpose of an open standard is that different kinds of tools can make use of it."
Timmermann also addressed the issue of the danger of macros. "Sure," he wrote, "the intention of macros is that macro authors can do powerful things. Good things as well as evil things. And it doesn't matter which tool I use to create them." He concurs that care is needed: "People never should run macros if they are not sure that they can trust them."
The OpenOffice developer hardly agreed with many more of the ESIEA colleague's findings. Instead he rebutted many of their arguments and referred to the benefits of the ODF format as well as improvements already made to OpenOffice. Some of the faults found in the ESEIA paper Timmermann had already addressed a few years earlier in a blog of August 2006, such as the possible manipulation of menu entries and malware in signatures.
All in all, the Sun contributor felt that OpenOffice's security mechanisms were better than the ESIEA paper claimed. He wrote: "...with OOo 3.2 there should be some more improvements..." He continues: "The idea in the paper about a special OOo version ('Trusted OOo') is interesting, but would mean to create an isle. That special version would warn every time you load a document which was created/modified with vanilla OOo or any other ODF application." The suggestion that certain parts of the OpenOffice code should be closed for security reasons elicited the response, "Beside the fact that it's not an option, would proprietary software make attacks only more difficult [security by obscurity], but not impossible."
Issue 259/2022
Buy this issue as a PDF
News
-
Titan Linux is a New KDE Linux Based on Debian Stable
Titan Linux is a new Debian-based Linux distribution that features the KDE Plasma desktop with a focus on usability and performance.
-
Danielle Foré Has an Update for elementary OS 7
Now that Ubuntu 22.04 has been released, the team behind elementary OS is preparing for the upcoming 7.0 release.
-
Linux New Media Launches Open Source JobHub
New job website focuses on connecting technical and non-technical professionals with organizations in open source.
-
Ubuntu Cinnamon 22.04 Now Available
Ubuntu Cinnamon 22.04 has been released with all the additions from upstream as well as other features and improvements.
-
Pop!_OS 22.04 Has Officially Been Released
From the makers of some of the finest Linux-powered desktop and laptop computers on the market comes the latest version of their Ubuntu-based distribution, Pop!_OS 22.04.
-
Star Labs Unveils a New Small Format Linux PC
The Byte Mk I is an AMD-powered mini Linux PC with Coreboot support and plenty of power.
-
MX Linux Verison 21.1 “Wildflower” Now Available
The latest release of the systemd-less MX Linux is now ready for public consumption.
-
Microsoft Expands Their Windows Subsystem for Linux Offerings With AlmaLinux
Anyone who works with Windows Subsystem for Linux (WSL) will now find a new addition to the available distributions, one that’s become the front-runner replacement for CentOS.
-
Debian 11.3 Released wIth Numerous Bug and Security Fixes
The latest point release for Debian Bullseye is now available with some very important updates.
-
The First Alpha of Asahi Linux is Available
Asahi Linux is the first distribution to fully support Apple Silicon and is now available for testing.