Date: prev next · Thread: first prev next last
2015 Archives by date, by thread · List index


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24/01/15 14:04, Thisis theone wrote:

We think macros and other rarely used, but high risk features should be DISABLED BY DEFAULT in 
LibreOffice.

Since I don't do windows ^1, I can't confirm the statement in the
original article that MSO ships with Macros disabled by default.

If that is the case, then changing the defaults in LibO/AOo/EO/NO/etc
won't make a difference, because the user will enable the macro to run,
if only for the specific document.

Tom Davis wrote:

So we tend to find the LO and AOO simply don't have as many
vulnerabilities and problems.

Because LibO, AOo, & EO run on various platforms, I suspect that, as a
malware vector, they are less vulnerable than MSO on Windows.

By way of example, I can't use JabBib on my laptop, because the version
in the official distro repository is incompatible with the specific
setup of my laptop. There are two or three other programs I'd like to
install, but have similar issues. If I had the drive space, I could
install the tool chain required to compile the programs from source code.

The apparent increase is insecurity that support for the number of macro
languages that LibO & AOo brings, is nullified by the macro writer not
knowing what components of that language are available on the target
machine.

It's difficult for anyone to find any flaws that can be exploited by
writing some nasty macro.

At least one "proof of concept" "nasty" macro was publicly released for
OOo. I've seen a couple of posts, and articles, that imply that there
are some OOo/LibO/AOo ^2 specific macros in the wild, but nothing that
can be confirmed.

###

^1: The last time I used MSO on Windows, it took 90 seconds from
starting MSO to seeing the Blue Screen of Death. That was with the then
current version of MSO on Windows 7.

^2 I don't recall any mention of EuroOffice, NeoOffice, or Android
OpenOffice in those articles:
* NeoOffice, running exclusively on Mac OS X, can easily accommodate
malware that relies on the standard Mac OS X configuration;
* Android OpenOffice can easily accommodate malware that targets the
Android Operating System;


jonathon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUxDFCAAoJEKG7hs8nSMR7+T4QAJB9yBIOl+SWUXey7dwRuIoZ
CBdMJXqyB6Uyo1drRTp4sPFBTqOmu+KQYUAQUqLBGBGChCNjTe6tgGzRfd4MBGJQ
IVyUrdDDbF46M06Clmn0CQB7CMI0wlDXhFdVnXA2ke7DLSFw51qTD7Bpt9PNm6rT
mzIgiRGB58SHrdi4unYWFdrj72VlRpxtNJxo0bRFo7yNG5JkPIsHoNllR9H8+fgb
HsAQPXQPKcR7YPQv/gp/iZqe8/aIlMPi+dR7SWl2itRC0h8PHmGMhDKgzlMUs5ph
BPGcy3soKCqOxlP4w4q8LfsxHqBXkdN2T/mjSOYxNEx97s7KxtHRR5HrYj/Lyh+s
YhhGVB61xCkFYYJnrs5aPu81FIiF5P5t1bkeU7krjbzVhHe4SjH095/WBGgpgpHJ
yP8XTI2nACoXRduabWoxOIxTXDAZ9CeqSACs6Fz7aTY2qkgjQU9a473Zf/tQRM1f
/p6nxIp4f5KfEJUY/lPva7sStmnng2BdfFVZXFFrTyfIYNp6V3XibT/WG+CXdjz4
BNxVtvQgP3dqJaBeQKk8JVt9bKfnwhzWIi4h3u2Elezdcnx9itvrKNLFQJgJdh6J
geukPsIEcSGfYXa8/F9R7kl64fOLuHll8h+NiNG480orFR/IdlKGfFsJDEpQnxnT
vi5Hl0n7beJ2CXB3Dne1
=hclh
-----END PGP SIGNATURE-----

-- 
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Context


Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.