
OpenOffice and CVE-2015-1774

By Jonathan Corbet
July 8, 2015
The Apache Software Foundation requires projects hosted under its umbrella to file quarterly reports to the foundation's board of directors; these reports are meant to enable the board to "evaluate the activity and health of the project". In the case of Apache OpenOffice, the process of writing the quarterly reports tends to be a bit fraught, since it rubs the project's nose in the fact that its health is not all that strong. This time around there is an additional factor in the discussion: the fact that OpenOffice has yet to patch a vulnerability announced back in April.

Jan Iversen announced the drafting of the July report at the end of June. The draft did not mince words with regard to the status of the project in general:

The lack of progress on all fronts in the project is a major concern, and the PMC [project management committee] have been trying for some time to find consensus about the road ahead.

Simon Phipps was quick to suggest that the report was missing one key fact: the vulnerability known as CVE-2015-1774 remains unfixed in the released version (4.1.1) of OpenOffice. This vulnerability, disclosed at the end of April, affects the import filter for Hangul Word Processor (HWP) documents; a lack of input sanitizing there means that an attacker can, by way of a specially crafted HWP document, crash the program and, almost certainly, contrive to execute arbitrary code.

LibreOffice fixed this vulnerability in the 4.3.7 release on April 25. OpenOffice, instead, has limited itself to publishing a workaround that consists of telling users to delete the shared object implementing HWP support. The vulnerability will be fixed, it is promised, in the 4.1.2 release, but, as the draft report notes, "no real work has been done since last report" on getting that release out. So OpenOffice remains vulnerable and will continue to be until, somehow, the project is able to get some "real work" done on producing another release.

The rules for quarterly reports say nothing about highlighting open security issues; indeed, they make no mention of security at all. Simon clearly believes that the lack of action on this issue is relevant to the health of the project as a whole, and, thus, relevant to the report. Dennis Hamilton disagreed, though, saying that "very few users" would be affected by an exploit, and that the publication of a "straightforward mitigation" is sufficient. The failure to fix this vulnerability, he said, should not overshadow the more serious problem of the stalled 4.1.2 release.

For the purposes of the board report, Dennis may well be right; telling the board about this vulnerability will, in the end, protect few users from it. But he may be understating the severity of the vulnerability itself. It does not, as he suggests, just affect a small community of Korean users working with files created by an ancient word processor; instead, it affects anybody who can be convinced to open a file in the HWP format. Such files need not, incidentally, have a .hwp extension. There is no shortage of evidence showing that users will open dodgy email attachments from suspicious sources; there is no reason to believe that their behavior would be different in this case. Rather than affecting a small group, this vulnerability affects all OpenOffice users; given that the project loudly claims to have been downloaded over 100 million times, that is a lot of users.
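The observation that an HWP document need not carry a .hwp extension is the one a mail gateway or endpoint scanner has to act on: whether OpenOffice runs the vulnerable import filter depends on the file's content, not its name, so any filtering or detection has to sniff the bytes. The following is an added example, not code from the article, from Apache OpenOffice or from LibreOffice. The 30-byte signature strings are my recollection of the HWP 2.x/3.x header that the hwpfilter import code checks and should be treated as an assumption to verify against that source; the sample "attachments" are constructed in the script.

```python
import os

# Assumed HWP 2.x/3.x file signatures (30 bytes each), reconstructed from memory
# of the hwpfilter sources; verify against the filter code before relying on them.
HWP_SIGNATURES = {
    "HWP 2.0": b"HWP Document File V2.00 \x1a\x01\x02\x03\x04\x05",
    "HWP 2.1": b"HWP Document File V2.10 \x1a\x01\x02\x03\x04\x05",
    "HWP 3.0": b"HWP Document File V3.00 \x1a\x01\x02\x03\x04\x05",
}
SIG_LEN = 30


def sniff_hwp(data: bytes):
    """Return the HWP version label if the data starts with a known
    signature, otherwise None. Only the leading bytes are examined, so a
    truncated or unrelated file is never mistaken for HWP."""
    head = data[:SIG_LEN]
    for label, sig in HWP_SIGNATURES.items():
        if head == sig:
            return label
    return None


def classify(filename: str, data: bytes) -> dict:
    """Classify one attachment by content and note when the extension
    disagrees with what the bytes say (the disguise case from the article)."""
    ext = os.path.splitext(filename)[1].lower()
    version = sniff_hwp(data)
    return {
        "name": filename,
        "hwp_version": version,
        "is_hwp": version is not None,
        # A file that is HWP by content but does not say so in its name is the
        # one an extension-based policy would let straight through.
        "extension_disguised": version is not None and ext != ".hwp",
    }


# Constructed sample attachments (not real documents): a plain HWP 3.0 file,
# the same bytes under a misleading .doc name, a text file, and a truncated
# file whose first bytes only partially match the signature.
SAMPLES = {
    "report.hwp": HWP_SIGNATURES["HWP 3.0"] + b"\x00" * 64,
    "invoice.doc": HWP_SIGNATURES["HWP 3.0"] + b"\x00" * 64,
    "notes.txt": b"just some text\n",
    "short.hwp": b"HWP Doc",
}


def scan(samples=SAMPLES):
    """Classify every sample; a gateway would quarantine each result whose
    is_hwp flag is set, regardless of the extension."""
    return [classify(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for result in scan():
        print(result)
```

A real deployment would read the first 30 bytes of each attachment or downloaded file rather than holding whole files in memory, and would treat a positive match as grounds to quarantine until the installed office suite carries a fix for the filter; the extension check is reported only to show how much an extension-only policy misses.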

He is also certainly overstating the "straightforward" nature of a mitigation that (1) must be actively sought out by users and (2) requires performing manual surgery on an OpenOffice installation. Few users, even those who download the program today, will notice that there is a vulnerability requiring action on their part to mitigate. A new release would inspire at least some users to update, but workaround instructions hidden away on their own page will bring about few secured systems — even if the instructions were readily discoverable, which these are not.

The moral of this story is that, whenever any of us uses a piece of software, we are depending on the organization behind it — whether it's a corporation or a free-software development community — to protect us from known vulnerabilities. Projects that are short of developers may not be able to live up to that expectation. At any given time, a typical Linux system probably contains a number of applications that lack security updates because their development community has faded away.

Unfortunately, projects that fall below a critical mass of developers rarely send out an advisory to that effect. OpenOffice is actually nearly unique in this regard as a result of the quarterly report requirement; it has informed the world that it is struggling, even though it did ultimately choose to omit information on this specific vulnerability from its quarterly report. In many other cases, projects simply go dark. Linux users are lucky in that distributors can (and often do) serve as a second line of defense for unmaintained projects; users of other operating systems tend to be on their own. In this case, distributors noticed which way the wind was blowing some time back; few of them ship OpenOffice at all. (Debian's recent decision to move away from libav can be seen as another example of this process in operation). Linux users, thus, will be relatively safe, but it appears that there are many millions of vulnerable users out there with no fix in sight.

Index entries for this article
Security: Bug reporting
Security: OpenOffice.org/LibreOffice



OpenOffice and CVE-2015-1774 (not so serious remarks)

Posted Jul 9, 2015 10:33 UTC (Thu) by ortalo (guest, #4654) [Link] (4 responses)

Why bring this case forward?

I think I understand your attention, but billions of people are certainly using much more vulnerable software (not to speak of vulnerable networks), without even knowing these vulnerabilities or even while being abused into believing the opposite and even paying for this illusion.
So OpenOffice users security may not be so bad after all (especially if they are using it over a solid mail client on a reliable OS kernel :-).

When you think about it, we could even recommend the software to the NSA. It seems to be better than the thing they used for some of the documents leaked by you-know-who.

Admittedly, it would be nice if we had more proactive security guarantees than just some volunteer developers' promise that they will fix problems as soon as they appear (and time or management permits). But that statement would make this comment a serious one (albeit not much more realistic).

OpenOffice and CVE-2015-1774 (not so serious remarks)

Posted Jul 9, 2015 14:28 UTC (Thu) by dgm (subscriber, #49227) [Link]

Wow. Just wow.

OpenOffice and CVE-2015-1774 (not so serious remarks)

Posted Jul 9, 2015 20:22 UTC (Thu) by bronson (subscriber, #4806) [Link] (1 response)

Your post boils down to, "security is hard, let's go ride bikes!" What do you hope to achieve by posting it?

OpenOffice and CVE-2015-1774 (not so serious remarks)

Posted Jul 12, 2015 20:45 UTC (Sun) by ortalo (guest, #4654) [Link]

Nope. I meant more something like: "security is hard, let's strike first those who deserve it most" (certainly not OSS). And also "security updates everywhere are not a panacea, and they were popularized by Redmond".
And it was not a serious comment in the first place, so I may have been unclear. Note that I appreciate too that lwn.net always tries to fuel improvements to OSS security, even if it means sometimes being severe.

OpenOffice.org -> LibreOffice.

Posted Jul 9, 2015 20:59 UTC (Thu) by david.a.wheeler (subscriber, #72896) [Link]

For OpenOffice.org USERS, the solution is easy and straightforward: switch to LibreOffice, which is OSS and better-maintained today.

For OpenOffice.org DEVELOPERS, the solution is easy (in at least one sense): Go fix it, quickly. At the least, create a release that disables the plug-in until it's secure again. If they do that quickly, the users will have less of a reason to switch.

I agree with the main article. It's unreasonable for users to look for obscure instructions for workarounds, and people open documents all the time (that's the point of these programs).

OpenOffice and CVE-2015-1774

Posted Jul 9, 2015 22:48 UTC (Thu) by bronson (subscriber, #4806) [Link] (9 responses)

I'm disappointed there's no mention of Rob Weir. He has the most interesting way of looking at things.

OpenOffice and CVE-2015-1774

Posted Jul 11, 2015 10:33 UTC (Sat) by DOT (subscriber, #58786) [Link] (8 responses)

Can we stop with the Rob Weir bashing already?

OpenOffice and CVE-2015-1774

Posted Jul 16, 2015 8:25 UTC (Thu) by kragil (guest, #34373) [Link] (7 responses)

Well, he was saying that AOO is in such a great shape and will rule FOSS office suites in no time AND that LibreOffice has no chance of keeping up with the Apache/IBM train (slight hyperbole).

Where is he now? Kind of cowardly behaviour if you ask me.

OpenOffice and CVE-2015-1774

Posted Jul 16, 2015 17:04 UTC (Thu) by raven667 (subscriber, #5198) [Link] (6 responses)

> Where is he now? Kind of cowardly behaviour if you ask me.

He's probably enjoying life and not sinking to your pointless trolling, like an adult.

OpenOffice and CVE-2015-1774

Posted Jul 16, 2015 19:49 UTC (Thu) by bronson (subscriber, #4806) [Link] (5 responses)

Speaking for myself, I don't intend to troll. I honestly want to know what he's thinking now. Or can anybody else speak for Apache OpenOffice?

With the possible exception of kragil's last sentence, I'm not sure he's trolling either... That's all true, isn't it? Maybe it's worded too snarky but, given the history, seems like everyone deserves some benefit of doubt?

OpenOffice and CVE-2015-1774

Posted Jul 16, 2015 22:41 UTC (Thu) by Wol (subscriber, #4433) [Link]

I think he was paid to promote AOO. Hopefully his paymasters realised that was not a value-for-money investment.

Shame, Rob has a history in the Open Source movement, and (with the exception of AOO) it's a good one.

Cheers,
Wol

OpenOffice and CVE-2015-1774

Posted Nov 2, 2015 1:55 UTC (Mon) by richardbrucebaxter (guest, #72540) [Link] (3 responses)

People who speak for AOO get personally attacked on third party websites. Open source software is built on morality and respect for the authors of software.

OpenOffice and CVE-2015-1774

Posted Nov 3, 2015 17:50 UTC (Tue) by jubal (subscriber, #67202) [Link]

[citation needed]

OpenOffice and CVE-2015-1774

Posted Nov 3, 2015 18:27 UTC (Tue) by bronson (subscriber, #4806) [Link] (1 response)

People who speak for ffmpeg, netbsd, libav, gnome, qt, emacs, systemd, etc etc etc all get personally attacked on 3rd party websites. It sucks. It's not like AOO is unique in this respect.

> Open source software is built on morality and respect for the authors of software.

If only.

OpenOffice and CVE-2015-1774

Posted Nov 4, 2015 17:55 UTC (Wed) by flussence (guest, #85566) [Link]

I have sympathy for some of those other groups when they get flamed here, but in AOO's case it's invariably *their spokesperson* proactively coming here to post personal attacks.

I'm glad he's gone, wherever he went.


Copyright © 2015, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds