Own mistakes

Posted Aug 10, 2017 10:00 UTC (Thu) by moltonel (guest, #45207)
In reply to: Own mistakes by smurf
Parent article: Waiting for AOO

Looks like security through obscurity to me : "Let's not mention that the overdue patch release contains a security fix, so that the black hats don't find out about it." It's a good thing that black hats rely on meeting minutes rather than git logs or automated tools to find exploitable bugs... Sigh.

I'm surprised we don't hear of more actively exploited AOO bugs, given that it has remained mostly static for years and must be a tempting target.

Own mistakes

Posted Aug 10, 2017 10:12 UTC (Thu) by smurf (subscriber, #17840) [Link] (1 responses)

> tempting target

Not really, as most people use LO these days – thus developing an exploit that doesn't affect the vast majority of users (I hope) isn't interesting.

Own mistakes

Posted Aug 10, 2017 11:59 UTC (Thu) by moltonel (guest, #45207) [Link]

> Not really, as most people use LO these days

The Apache foundation at least belives that there is still a significant share of AOO users. We could argue about actual numbers, but it still looks sizable. And most importantly, I expect current AOO users to generally have poor security awareness and therefore be prime targets for malware-type attacks. Fewer but more attackable targets still qualifies as "tempting".