On Wed, 2006-08-16 at 08:47 -0400, Chad Smith wrote:
> On 8/16/06, Ian Lynch <[EMAIL PROTECTED]> wrote:
> >
> >
> > > The problem is that this is fundamentally untrue.
> >
> > You mean it's fundamentally untrue that I have never inadvertently
> > installed a virus? I can assure you it isn't. You mean it's fundamentally
> > untrue that I have to put in the root password before doing potentially
> > dangerous operations eg installing something that could be a virus? I
> > assure you it isn't. You mean I don't have a virus free Ubuntu system
> > without any anti-virus software? I assure you it isn't. My XP laptop
> > connected to the same broadband internet is also virus free but
> > protected by anti-virus software which I do not have the confidence to
> > remove to see how long it will last without getting infected and while I
> > am careful with E-mail attachments it would be relatively easier to
> > install a virus on my XP machine than on my Linux one.
> 
> Remember, we are talking about OpenOffice.org - not Linux. 

I was referring to the comment about what I said which was about e-mail
attachments and how easy they might be to install. That involves
potentially the mail client, the operating system and the software that
originated the attachment.

>  Remember, the
> problem that the article brings up about OpenOffice.org is that macros, which
> can be set up to activate merely by opening a document, can control your
> system.

They can if your system security lets them. If OOo has a bug that lets
Macros run without informing the user that is definitely a vulnerability
and nothing to do with the OS. However usually such things will get
fixed pretty quickly and well before they become a practical risk.

If such a hole gets closed pretty quickly the virus would have a very
short proliferation half-life and therefore why bother coding it in the
first place? OTOH, if I can simply run any old program without even
being asked as a fundamental feature of the system, it's much less
likely to get universally fixed any time soon. That would give a virus
writer a much bigger incentive to do the coding. So theoretical risk and
practical risk are not the same. The degree of risk is important, not
just whether there is any risk at all.

> Now, I'll admit it's been a couple months since I've used OpenOffice.org on
> Linux (I use OOo on Windows, NeoOffice on Mac primarily), but I don't recall
> having to enter in a root password to open a document.  Please correct me if
> I'm wrong on that.

Presumably a macro virus that was going to do any damage would have to
be allowed to operate as an extension to OOo. So it's really down to OOo
as to whether it lets that happen once you have authorised OOo to be
installed and run.  

> If malicious code can be executed merely by opening a document - that's a
> problem.

I agree. That is why OOo should not allow macros to run without first
warning the user. Neither should MSO or any other program.

> People in this thread have said that if you open a document from an unknown
> source, you deserve whatever happens to you.

Well given the publicity about viruses propagated in this way I have
some sympathy but it makes sense in any case to make it difficult for
such actions to do any harm. That's all I'm saying.

>   People have said that it's a
> fundamental security practice and common sense not to open a document from
> someone you don't know.  "Don't take data from strangers" kind of thing.
> 
> Here's the problem - it's a text file.  It's a document.  It's words and
> pictures.  It's not a program.  I'm not a security expert - but I would have
> never thought opening a word processing file could hurt my computer.

Well a lot of the Macro viruses in MS Office have done a lot of damage
in the recent past so the potential is clearly there.

> Especially in Linux or Mac.  Especially if the file is in an "open
> international ISO format".  

I don't think the file format has anything to do with it. ODF doesn't
describe macros so these are an attribute of the application, in this
case OOo.

> Apparently, I was wrong.  But I'm probably not
> the only one who felt safe opening what is the electronic equivalent of a
> piece of paper.

You are safe if the application is secure and more safe if the
application and the operating system are secure and warn you before any
unauthorised operations occur. Nothing is ever 100% safe, but some
things are a lot less safe than others. Abstinence is the only way of
being absolutely safe.

Ian
-- 
www.theINGOTS.org
www.schoolforge.org.uk
www.opendocumentfellowship.org
