Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

OpenOffice.org refuses to patch macro exploit (WAS: [News] Another Reason to Embrace Linux)

"Roy Schestowitz" <newsgroups@xxxxxxxxxxxxxxx> wrote in message 
news:2367664.Xj8UV4tYgJ@xxxxxxxxxxxxxxxxxx
> The future of malware: Trojan horses
>
> ,----[ Quote ]
> | The stealthy attacks install keystroke-logging or screen-scraping
> | software, and they are used for industrial espionage and other
> | financially motivated crimes, experts said.
> |
> | [...]
> |
> | Most attacks include Office files that use yet-to-be-patched
> | vulnerabilities in the Microsoft application to install malicious code
> | on vulnerable systems. The software giant has patched many such flaws
> | on recent Patch Tuesdays.
> `----
>
> http://news.zdnet.com/2100-1009_22-6125453.html
>
> Such attacks are alleviated in Linux as patches flow in regularly (without
> requiring prompts, reboots, or several weeks of unnerving periods of
> waiting), users are not encouraged/forced to inherit full system 
> privileges,
> and Open Office is more secure.
>
> OpenOffice.org Spurns Security Worries
>
> ,----[ Quote ]
> | OpenOffice.org has rejected accusations that its open-source
> | application suite is at least as susceptible to attack as Microsoft's
> | Office in a terse statement posted on its Web site.
> |
> | "The OpenOffice.org community confirms it regards security as of the
> | highest importance and will react immediately to any security issues,"
> | the statement read.
> `----
>
> http://news.yahoo.com/s/cmp/20061003/tc_cmp/193101143

>From your article http://news.yahoo.com/s/cmp/20061003/tc_cmp/193101143:
<quote>
French researchers were particularly concerned with macro security in 
OpenOffice.org, and pegged the problems as ones "at the conceptual level" of 
the suite.

In early June, OpenOffice.org disputed the use of the term "virus" to 
describe a macro exploit against the suite, and said it would not patch the 
problem. As far back as 2003, security researchers have warned that exploits 
using the suite's macro language were possible, and called the applications' 
default macro security settings as "resembling older versions of Microsoft 
Office."
</quote>

    So if it's true that most trojans infect via the office suite, AND that 
Window's larger install base has nothing to do with the prevalence of 
security issues, AND that OpenOffice is less secure than Office, then this 
is a reason NOT to embrace Linux -- or at least, not to embrace OpenOffice. 
Not only are there macro exploits available in OpenOffice, but apparently 
the OpenOffice community are refusing to patch it!

    That said, I've never heard of an OpenOffice exploit. So I conclude that 
Window's larger install base IS a factor in the number of exploits seen in 
the wild. There is more security in a heterogenous system (where the system 
in this case is the Internet, and the heterogeneity comes from having 
different OSes), though hereogeneity itself introduces some problems (such 
as introducing crossplatform interoperability issues).

    - Oliver 



[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index