OpenOffice security is questioned

A report on the security of OpenOffice has caused a stir in the open-source community by highlighting six security "issues" around the open-source office suite.

OpenOffice has said only one actual bug was discovered, and that flaw has been fixed already. But the research, by the French Ministry of Defense, also points out that many security flaws have already been discovered in Microsoft Office applications, claiming that these are "easily transportable to OpenOffice."

According to the report, titled "In-depth analysis of the viral threats with OpenOffice.org documents," this means that the "general security of OpenOffice is insufficient," Infoworld reported.

The report goes on to counter claims from the open-source community that OpenOffice is inherently more secure than Microsoft's Office products. "The viral hazard attached to OpenOffice.org is at least as high as that for the Microsoft Office suite, and even higher when considering some... aspects," the researchers wrote.

"This suite is up to now still vulnerable to many potential malware attacks," they added.

The paper was first submitted for publication in April and revised in June. It was accepted in July, when some of the details of the report began to leak out, and then published Aug. 1 in the Paris-based Journal of Computer Virology.

The paper describes four examples of how malicious code can attack OpenOffice and release hazards. The weaknesses are focused around issues such as the use of Zip files, and in particular the use of macro programming procedures and templates.

Last Tuesday, Microsoft announced it had fixed a number of bugs including one in PowerPoint.

Colin Barker of ZDNet UK reported from London.

[rcrusoe]

The French are overlooking a major OOo security feature

MS Office only runs on Windows, but OpenOffice.org can also be
run on secure operating systems.

[Philips]

OO.o security?

That must be joke.

I routinely crash all major/minor releases of OO.o I have used last five years. Learn keyboard shortcuts and start using them - very fast. Believe me OO.o would crash sooner than you would run of those few shortcuts you know. I stopped using keyboard in OO.o for the very reason. Though if you would try to do something very fast with mouse in OO.o - it could easily crash too. Happens to me all the time.

Though same applies to releases of M$O. Though second/third patch level (SR1/2/3/etc) normally works stable enough. In my experience, M$O (unlike OO.o) hangs more often than crashes.

As all security researchers have said most conditions leading to crash of application can be used for exploit.