Open Source package's security "insufficient" and "vulnerable to many potential malware attacks"

 
 
Fred Dagg
      08-14-2006

For all the "OSS is secure!" crowd, you've been proven wrong yet
again. This time in relation to OpenOffice.org, the bloated, buggy,
and now insecure OSS poster-boy of an office suite:


"With Microsoft's Office suite now being targeted by hackers,
researchers at the French Ministry of Defense say users of the
OpenOffice.org software may be at even greater risk from computer
viruses.

"The general security of OpenOffice is insufficient," the researchers
write in a paper entitled "In-depth analysis of the viral threats with
OpenOffice.org documents".

"This suite is up to now still vulnerable to many potential malware
attacks," they write.

The paper describes four proof-of-concept viruses that illustrate how
maliciously encoded macros and templates could be created to
compromise systems running the open-source software. "The viral hazard
attached to OpenOffice.org is at least as high as that for the
Microsoft Office suite, and even higher when considering some...
aspects," they write."

....

These latest bugs show that the open-source project has some security
work ahead of it, says Russ Cooper, a senior information security
analyst at Cybertrust. "If these types of vulnerabilities had been
discovered in Microsoft Office, it would be front-page news," he says.
"Whoever did the security for OpenOffice has totally ignored what
Microsoft has gone through with the security of their own Office
documents."

Full text:
http://computerworld.co.nz/news.nsf/...2571CA001BE8F6
 
AD.
      08-14-2006
Fred Dagg wrote:
> For all the "OSS is secure!" crowd, you've been proven wrong yet
> again. This time in relation to OpenOffice.org, the bloated, buggy,
> and now insecure OSS poster-boy of an office suite:


Open Office is hardly a typical open source project.

It spent many many years as a crappy closed source product that nobody
used, then got bought and opened up by Sun who still seem to be the
only people that actually do any work on it because the code is too
complex and convoluted to bother with unless you are paid to. Also
being that nearly all open source developers have no use for an office
suite, there are few developers that have an itch to scratch with it.

Nobody (OK maybe one specific person hehe) would claim that the act of
opening up the code would magically transform the existing crappy
codebase.

Yet you make out it is some sort of 'open source poster boy'. The only
people who hold it up as some sort of poster boy are clueless
journalists that can't really think of software beyond office suites.

Open Office being insecure or not really has nothing to do with whether or
not Open Source in general is or isn't secure.

--
Cheers
Anton

 
Earl Grey
      08-14-2006
AD. wrote:

>
> Open Office is hardly a typical open source project.
>
> It spent many many years as a crappy closed source product that nobody
> used, then got bought and opened up by Sun who still seem to be the
> only people that actually do any work on it because the code is too
> complex and convoluted to bother with unless you are paid to. Also
> being that nearly all open source developers have no use for an office
> suite, there are few developers that have an itch to scratch with it.
>
> Nobody (OK maybe one specific person hehe) would claim that the act of
> opening up the code would magically transform the existing crappy
> codebase.
>
> Yet you make out it is some sort of 'open source poster boy'. The only
> people who hold it up as some sort of poster boy are clueless
> journalists that can't really think of software beyond office suites.
>
> Open Office being insecure or not really has nothing to do with whether or
> not Open Source in general is or isn't secure.
>


It's like saying that Microsoft Office could be susceptible to Macro viruses.
Comes with the territory for anything scriptable.

 
Fred Dagg
      08-14-2006
On 14 Aug 2006 16:22:45 -0700, "AD." <(E-Mail Removed)> exclaimed:

>Fred Dagg wrote:
>> For all the "OSS is secure!" crowd, you've been proven wrong yet
>> again. This time in relation to OpenOffice.org, the bloated, buggy,
>> and now insecure OSS poster-boy of an office suite:

>
>Open Office is hardly a typical open source project.
>
>It spent many many years as a crappy closed source product that nobody
>used, then got bought and opened up by Sun who still seem to be the
>only people that actually do any work on it because the code is too
>complex and convoluted to bother with unless you are paid to. Also
>being that nearly all open source developers have no use for an office
>suite, there are few developers that have an itch to scratch with it.


Interesting - I thought OSS people would be trying to distance
themselves from it.

It is ALWAYS mentioned when people are going on about replacing
Windows on the desktop.
 
AD.
      08-15-2006
Fred Dagg wrote:
> Interesting - I thought OSS people would be trying to distance
> themselves from it.


Well I've never liked it, and have for quite a while now thought the
whole idea of an office suite is a bit misguided. The whole 'document'
based way of working is tired and far too paper oriented. The whole
historical metaphors of computerised office desks, with page based
documents and file servers pretending to be filing cabinets and folders
etc and users spending more time playing with print formatting than
actually working with information etc needs to go I reckon.

Sure a word processor is good for typing up a letter, but when all you
have is a word processor everything looks like a letter.

Because of the huge cash cow Office is to MS, they seem to be
continuing with this flawed document metaphor and trying to extend it
(eg Sharepoint etc) into an online shared world. I reckon they should
step back a bit and think more about information rather than documents.

> It is ALWAYS mentioned when people are going on about replacing
> Windows on the desktop.


Ahhh, people that want to screw concessions out of MS next time their
licensing agreements come up, journalists wanting a story, or
evangelistic idiots wanting to convert the masses without actually
contributing anything useful to OSS themselves.

I wouldn't really class any of them as OSS people - those people have
already shifted to OSS and are quite comfortable with their decision.

--
Cheers
Anton

 
Fred Dagg
      08-15-2006
On 14 Aug 2006 17:14:04 -0700, "AD." <(E-Mail Removed)> exclaimed:

>Fred Dagg wrote:
>> Interesting - I thought OSS people would be trying to distance
>> themselves from it.

>
>Well I've never liked it, and have for quite a while now thought the
>whole idea of an office suite is a bit misguided. The whole 'document'
>based way of working is tired and far too paper oriented. The whole
>historical metaphors of computerised office desks, with page based
>documents and file servers pretending to be filing cabinets and folders
>etc and users spending more time playing with print formatting than
>actually working with information etc needs to go I reckon.


Interesting theory.

So what would you propose instead?
 
Philip
      08-15-2006
Fred Dagg wrote:
> On 14 Aug 2006 16:22:45 -0700, "AD." <(E-Mail Removed)> exclaimed:
>
>> Fred Dagg wrote:
>>> For all the "OSS is secure!" crowd, you've been proven wrong yet
>>> again. This time in relation to OpenOffice.org, the bloated, buggy,
>>> and now insecure OSS poster-boy of an office suite:

>> Open Office is hardly a typical open source project.
>>
>> It spent many many years as a crappy closed source product that nobody
>> used, then got bought and opened up by Sun who still seem to be the
>> only people that actually do any work on it because the code is too
>> complex and convoluted to bother with unless you are paid to. Also
>> being that nearly all open source developers have no use for an office
>> suite, there are few developers that have an itch to scratch with it.

>
> Interesting - I thought OSS people would be trying to distance
> themselves from it.
>
> It is ALWAYS mentioned when people are going on about replacing
> Windows on the desktop.

Even though there is as good functionality and compatibility for most
users from Abiword or 602.

OOo needs to go through the sort of epiphany that turned big fat
bloatfilled Mozilla browser into Firefox.

Meaning: start over from scratch.

Philip

 
Philip
      08-15-2006
Fred Dagg wrote:
> On 14 Aug 2006 17:14:04 -0700, "AD." <(E-Mail Removed)> exclaimed:
>
>> Fred Dagg wrote:
>>> Interesting - I thought OSS people would be trying to distance
>>> themselves from it.

>> Well I've never liked it, and have for quite a while now thought the
>> whole idea of an office suite is a bit misguided. The whole 'document'
>> based way of working is tired and far too paper oriented. The whole
>> historical metaphors of computerised office desks, with page based
>> documents and file servers pretending to be filing cabinets and folders
>> etc and users spending more time playing with print formatting than
>> actually working with information etc needs to go I reckon.

>
> Interesting theory.
>
> So what would you propose instead?


What sort of work are you wanting to use it for?

Philip
 
AD.
      08-15-2006
Fred Dagg wrote:
> Interesting theory.
>
> So what would you propose instead?


I'm not going to claim the average 'office worker' can be weaned off
their word processors just yet, and what works in company A won't
necessarily work in company B etc - but we've been making a conscious
effort to move away from the document / file share way of storing
content.

We are a software development company though - so it is a different
playing field than other organisations. But we used to be heavily
document based for all our systems and product documentation, planning
decisions etc etc. Finding and figuring out where to store information
was painful (and one dimensional). But gradually even the non technical
staff have come around to seeing there are alternatives. Sure you can
add extra layers of software on top of your documents (eg document
management systems etc) to try and hide the problems, or you can take a
different approach.

We've moved towards open formats and markup languages. eg DITA is an
XML format geared towards technical information, content reuse, and
single-source publishing. Using open formats means that people can use
whatever applications or platforms they want - eg managers on Windows,
designers on Macs, and developers on *nix. The content isn't tied to
the applications that create it. Text based formats can be easily
version controlled (TortoiseSVN is a friendly interface for non
developers). Open formats can be easily transformed into other formats
etc.

All our general internal docs and planning collaboration happens in a
wiki, which helps with easy editing, searching, cross linking etc etc.
Remote working becomes easier, and for a small business much easier to
outsource the infrastructure if you want (we don't though). We've
already migrated to a different wiki once (the choices weren't as wide
when we first started), and it wasn't as painful as feared.

The only things we still do on word processors are proposals, formal
letters to clients or lawyers/accountants etc. And these all go out via
PDF anyway, so the actual file format they were written in is unrelated to
the output.

We're still only part way through the whole process, but it is already
a much better way of working. It's no silver bullet, and it takes some
effort to switch. Some people take longer than others to 'get it' too.
But in the end it is liberating.

People get far too caught up in how applications 'integrate' and wind
up with complex setups that can never be changed because there will
never be an alternative that does that whole vertical stack of stuff.
Instead of looking for ways to 'integrate' applications, it is far
better to concentrate on decoupling them instead and focussing on open
formats for interoperability.

--
Cheers
Anton

 
Earl Grey
      08-15-2006
Fred Dagg wrote:
> On 14 Aug 2006 16:22:45 -0700, "AD." <(E-Mail Removed)> exclaimed:
>
>> Fred Dagg wrote:
>>> For all the "OSS is secure!" crowd, you've been proven wrong yet
>>> again. This time in relation to OpenOffice.org, the bloated, buggy,
>>> and now insecure OSS poster-boy of an office suite:

>> Open Office is hardly a typical open source project.
>>
>> It spent many many years as a crappy closed source product that nobody
>> used, then got bought and opened up by Sun who still seem to be the
>> only people that actually do any work on it because the code is too
>> complex and convoluted to bother with unless you are paid to. Also
>> being that nearly all open source developers have no use for an office
>> suite, there are few developers that have an itch to scratch with it.

>
> Interesting - I thought OSS people would be trying to distance
> themselves from it.
>
> It is ALWAYS mentioned when people are going on about replacing
> Windows on the desktop.


It's more a Microsoft Office replacement than a Windows replacement.
It's very popular on Windows. Its commitment to being a cross platform
solution may impact on its performance compared to MSOffice.
There are a range of other word processors and spreadsheets and
organizers and presentation packages available for Linux users, but
there's no big push to bundle them except for KOffice.
 