Re: [libreoffice-users] Shouldn't it be more secure to by default disable macro support in LibreOffice?

Hi :)
I think the LibreOffice macros system is more secure by design.

I think it's fair to assume that if LO/AOO have a certain percentage
of market-share then we could expect roughly that percentage of
exploits.  That doesn't seem to be happening though.

Ok, so you could say that it might be better for malware writers to
only aim at the most used office suite and ignore the rest even if
they have a sizeable percentage of market-share.  However, once a
macro is written surely it's not immensely difficult to edit it to
work in a different program?

That doesn't often work either though because the malware written for
MS Office relies on specialist knowledge of the flaws in MS Office.
LO/AOO simply don't have the same flaws and vulnerabilities.

The top priority of LO/AOO is (are?) radically different from the top
priority of MS Office.  Microsoft's primary goal, as a profit-making
company, is to generate profits.  They have shareholders who are
concerned about the profitability of the company and on the yield
returned on the value of their shares.  LO and AOO have none of that.

Also the way of working is entirely different.  With MS each dev is
shielded "from knowing too much" about the bigger picture and from
knowing too much code around the specific area they are working on.
Industrial espionage is a major concern.  Also once code is written
very few people are going to see it.  The emphasis is on the code
doing the job and on being written fast enough.  Devs toil in
obscurity and they can't show a portfolio of their work or hold up
examples to a future employer to show off how good they are.

With LO and AOO any elegant code is much admired and wins respect and
starts to attract a fan-base.  The other way around is that kludgy
code is an embarrassment to the dev and is likely to be seen by lots
of peers.  In LO and AOO the devs are like Gods of Rock or celebrities
and can show off their work.

Also MS has teams of people whose sole job is to take a list of
problems that other people have found and then decide which are worth
fixing and which they think MS can get away with not fixing.  By
contrast in LO and AOO tons of people gripe about the tiniest thing
and wont let it go until it's been fixed.

So we tend to find the LO and AOO simply don't have as many
vulnerabilities and problems.  It's difficult for anyone to find any
flaws that can be exploited by writing some nasty macro.

Regards from
Tom :)






On 24 January 2015 at 14:04, Thisis theone <thisistheone8888@gmail.com> wrote:
> Hello list,
>
> https://threatpost.com/microsoft-reports-massive-increase-in-macros-enabled-threats/110204
>
> http://blogs.technet.com/b/mmpc/archive/2015/01/02/before-you-enable-those-macros.aspx
>
> We think macros and other rarely used, but high risk features should be
> DISABLED BY DEFAULT in LibreOffice.
>
> What do you think? Is it worth it?
>
> Thanks..
>
> Have a wiser and safer day!
>
> --
> To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
> Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
> Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
> List archive: http://listarchives.libreoffice.org/global/users/
> All messages sent to this list will be publicly archived and cannot be deleted

-- 
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted