Over the past month, there have been various news
regarding OpenOffice.org (OO.o) security, particularly in comparison
with its main closed source rival, MS Office. Some articles
have depicted OO.o as vastly less secure based on research by an
organization within the French
Ministry of Defense. The situation is a lot more muddled than that and
unfortunately, because details are hard to come by, it is difficult to
fully evaluate the threat.
(in French) described a meeting where a report on OO.o security was shared
with various French ministries. The report supposedly claimed that for
some threat types, OO.o was more vulnerable than MS Office. Another article,
with the provocative title
less secure than Microsoft Office?,
shortly thereafter and fanned the flames, positing that the city of Paris and
other OO.o users in France might reconsider their tool choices based on the report.
A 'response' to the articles
on the OO.o website but did little to shed any light. It was claimed that
it would be inappropriate to respond to a "leak from a private meeting"
followed by some platitudes about security response by the OO.o team.
Perhaps unsurprisingly, there was no confirmation or denial of the
Shortly thereafter, Sun's Technical Architect for OO.o, Malte Timmermann,
posted some information in his blog. He and the OO.o team
in Hamburg spoke with Eric Filiol, one of the authors of the report, to
discuss the findings. According to Timmermann, there were three issues, only
one of which was truly a bug and even it was "not really a security issue."
All of the issues seem to revolve around macros and how they are trusted
both by users and by the software itself.
Timmermann followed that up with another blog
this week that gave a few more details. He claims that the original report
(which is to be published in the Journal in Computer Virology) was
"conceptual problems only, not about security exploits."
The problems described
all stem from an initial infection which happens via a user running untrusted
code (either as a regular executable or as a macro in an untrusted document).
Timmermann rightly points out that if a user runs code from untrusted sources,
changing security settings for OO.o may well be the least of their worries.
Untrusted code can do anything that the user running it has permission to do
and that has nothing to do with what OS or office suite you happen to be
running. It may be that users still need additional training so that they
do not run macros from untrusted documents, but OO.o does provide a security
warning before executing them. He also points out that both
MS Office and OO.o provide a powerful scripting language that has access to
the underlying system and that threats from running untrusted macros are
likely to be similar for both office suites.
So, depending on who you listen to, there are either some serious (but
largely unspecified, at least as of yet) security issues with OO.o, or
there are not. OO.o is more at risk for these (again unspecified) risks
than MS Office or it is not. There is at least one bug that Timmermann
mentions, but it has not yet been fixed (based on the most recent security
fix for OO.o which was 29 June, well before this information came to light).
It is not clear why there is so much murkiness surrounding these issues. Is
it due to 'responsible' disclosure policies? Or are folks unwilling to
disclose the most interesting pieces of the journal article before it is
Around the time these issues were being discussed, there were a number of
'zero-day' exploits in the wild against various MS Office formats. It seems
likely that some of the technical press wanted to present 'balanced'
coverage and seized on this issue to offset the negative press about MS Office.
From the limited details we have seen so far, this particular report about the
security of OO.o would not seem to merit the coverage that it has gotten.
to post comments)