Re: [marketing] OOo as security upgrade
PS. Also, in the context of *specific* MSO bugs, it can be pointed out that OOo is not affected. OK, there may or may not be other problems, but let's not let the media spin the issue as if MSO was the only product on the market. /Lars - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
Malte Timmermann wrote: > some people already commented on this while I was on vacation, and > especially Thorsten Behrens already made clear that OOo is not free from > such issues. Welcome back. > OOo was already quite often affected by file format issues, see > http://www.openoffice.org/security/bulletin.html Those are rather severe. However, there still can be an advantage using OOo rather than MSO. If OOo is an *improvement* over MSO, security-wise, then that's enough. /Lars - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
> The SEC reports on applications show that OpenOffice.org has around 10% of > security flaws compared to MS Office This just means that people concentrate on finding issues within MS Office, not within OOo. It doesn't mean that OOo only has 10% of the amount of issues as MS Office has. So this is nothing for any kind of pro OOo PR. Malte. Alexandro Colorado wrote, On 08/13/09 00:37: > The SEC reports on applications show that OpenOffice.org has around 10% of > security flaws compared to MS Office. I do wonder if this is true or the > SEC dont take account other issues. > > > On Tue, 11 Aug 2009 07:17:28 -0500, Malte Timmermann > wrote: > >> Hi, >> >> some people already commented on this while I was on vacation, and >> especially Thorsten Behrens already made clear that OOo is not free from >> such issues. >> >> OOo was already quite often affected by file format issues, see >> http://www.openoffice.org/security/bulletin.html. >> >> And it's not only about binary documents, as you can see in >> http://www.openoffice.org/security/cves/CVE-2006-3117.html. >> >> Malte. >> >> http://security.openoffice.org/ >> >> >> Alexandro Colorado wrote, On 07/27/09 11:28: >>> On Mon, Jul 27, 2009 at 11:22 AM, Lars >>> Nooden wrote: MS Office is beyond repair: http://www.computerworld.com/s/article/9135852/Microsoft_admits_it_can_t_stop_Office_file_format_hacks A stop-gap measure even for M$ shops would be to install OOo along side, quickly, and use that whenever possible. -Lars >>> yes this is very important, I would propose structuring a PR campaign >>> in favor of office suite security. >>> Something like... >>> >>> Are your documents in danger? Using insecure software might harm your >>> document, your information and your assets. >>> >>> I would also list the very very broken history of Microsoft Office >>> security issues. M$O is full of security issues through the years and >>> also going into analysing how M$O vulnerability can harm your >>> documents. Simply having an embedded application with the OS causes >>> spywares to cross from the internet to the office suite. Get hit on IE >>> and you get hit on Office too. >>> >>> >>> >> - >> To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org >> For additional commands, e-mail: dev-h...@marketing.openoffice.org >> > > > - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
The SEC reports on applications show that OpenOffice.org has around 10% of security flaws compared to MS Office. I do wonder if this is true or the SEC dont take account other issues. On Tue, 11 Aug 2009 07:17:28 -0500, Malte Timmermann wrote: Hi, some people already commented on this while I was on vacation, and especially Thorsten Behrens already made clear that OOo is not free from such issues. OOo was already quite often affected by file format issues, see http://www.openoffice.org/security/bulletin.html. And it's not only about binary documents, as you can see in http://www.openoffice.org/security/cves/CVE-2006-3117.html. Malte. http://security.openoffice.org/ Alexandro Colorado wrote, On 07/27/09 11:28: On Mon, Jul 27, 2009 at 11:22 AM, Lars Nooden wrote: MS Office is beyond repair: http://www.computerworld.com/s/article/9135852/Microsoft_admits_it_can_t_stop_Office_file_format_hacks A stop-gap measure even for M$ shops would be to install OOo along side, quickly, and use that whenever possible. -Lars yes this is very important, I would propose structuring a PR campaign in favor of office suite security. Something like... Are your documents in danger? Using insecure software might harm your document, your information and your assets. I would also list the very very broken history of Microsoft Office security issues. M$O is full of security issues through the years and also going into analysing how M$O vulnerability can harm your documents. Simply having an embedded application with the OS causes spywares to cross from the internet to the office suite. Get hit on IE and you get hit on Office too. - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org -- Alexandro Colorado CoLeader of OpenOffice.org ES http://es.openoffice.org - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
Hi, some people already commented on this while I was on vacation, and especially Thorsten Behrens already made clear that OOo is not free from such issues. OOo was already quite often affected by file format issues, see http://www.openoffice.org/security/bulletin.html. And it's not only about binary documents, as you can see in http://www.openoffice.org/security/cves/CVE-2006-3117.html. Malte. http://security.openoffice.org/ Alexandro Colorado wrote, On 07/27/09 11:28: > On Mon, Jul 27, 2009 at 11:22 AM, Lars Nooden > wrote: >> MS Office is beyond repair: >> http://www.computerworld.com/s/article/9135852/Microsoft_admits_it_can_t_stop_Office_file_format_hacks >> >> A stop-gap measure even for M$ shops would be to install OOo along side, >> quickly, and use that whenever possible. >> >> -Lars > > yes this is very important, I would propose structuring a PR campaign > in favor of office suite security. > Something like... > > Are your documents in danger? Using insecure software might harm your > document, your information and your assets. > > I would also list the very very broken history of Microsoft Office > security issues. M$O is full of security issues through the years and > also going into analysing how M$O vulnerability can harm your > documents. Simply having an embedded application with the OS causes > spywares to cross from the internet to the office suite. Get hit on IE > and you get hit on Office too. > > > - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
Thorsten Behrens írta: > Lars Nooden wrote: > >>> ... we use the same underlying technology >>> (binary file formats, with c/c++ code handling it)... >>> >> Ok. How about the non-binary formats, i.e. ODF? >> > That can carry OLE containers for the very MS binary formats; plus > all those binary image files (WMF/EMF & SVM are a bit notorious; but > png & jpeg also had their issues in the past...) > Not to mention that OOo is compiled with MSVC++ on Windows, so the holes embedded directly by the compiler are likely to be the same. Regards, Gergely - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
Lars Nooden wrote: > > ... we use the same underlying technology > > (binary file formats, with c/c++ code handling it)... > > Ok. How about the non-binary formats, i.e. ODF? > That can carry OLE containers for the very MS binary formats; plus all those binary image files (WMF/EMF & SVM are a bit notorious; but png & jpeg also had their issues in the past...) Cheers, -- Thorsten signature.asc Description: Digital signature
Re: [marketing] OOo as security upgrade
I am not sure what is wrong with you people and why I received 32 FUCKING EMAILS in my inbox, or why when I respond to this it gets sent right back - YOU STILL HAVE NOT ADDRESSED MY GODDAMN PROBLEM --- On Mon, 7/27/09, Alexandro Colorado wrote: From: Alexandro Colorado Subject: Re: [marketing] OOo as security upgrade To: dev@marketing.openoffice.org Received: Monday, July 27, 2009, 3:01 PM On Mon, Jul 27, 2009 at 7:00 AM, Lars Nooden wrote: > Thorsten Behrens wrote: > > ... we use the same underlying technology > > (binary file formats, with c/c++ code handling it)... > > Ok. How about the non-binary formats, i.e. ODF? There is a binary encapsulation of ODF in OOo, and I guess that exploiting other parts of OOo could provide aditional security holes. For example, who apply the security patches on the embeded python libraries of OOo? > > > -Lars > > - > To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org > For additional commands, e-mail: dev-h...@marketing.openoffice.org > > -- Alexandro Colorado OpenOffice.org Español IM: j...@jabber.org __ Yahoo! Canada Toolbar: Search from anywhere on the web, and bookmark your favourite sites. Download it now http://ca.toolbar.yahoo.com.
Re: [marketing] OOo as security upgrade
On Mon, Jul 27, 2009 at 7:00 AM, Lars Nooden wrote: > Thorsten Behrens wrote: > > ... we use the same underlying technology > > (binary file formats, with c/c++ code handling it)... > > Ok. How about the non-binary formats, i.e. ODF? There is a binary encapsulation of ODF in OOo, and I guess that exploiting other parts of OOo could provide aditional security holes. For example, who apply the security patches on the embeded python libraries of OOo? > > > -Lars > > - > To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org > For additional commands, e-mail: dev-h...@marketing.openoffice.org > > -- Alexandro Colorado OpenOffice.org Español IM: j...@jabber.org
Re: [marketing] OOo as security upgrade
Thorsten Behrens wrote: > ... we use the same underlying technology > (binary file formats, with c/c++ code handling it)... Ok. How about the non-binary formats, i.e. ODF? -Lars - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
Cor Nouws wrote: > Remark: IMO any publicity around vulnerability must be very well > prepared with our developers that handle security. We must prevent to > accidentally claim something that is not true. > Hi Cor, all, indeed - and in fact we suffer from exactly the same problems as MS does, quite simply because we use the same underlying technology (binary file formats, with c/c++ code handling it). One should not mistake limited exposure with necessarily better security... Cheers, -- Thorsten signature.asc Description: Digital signature
Re: [marketing] OOo as security upgrade
Alexandro Colorado wrote: > ... Are your documents in danger? ... The format lock-in is another area of danger. MS broken competitor to the Sun ODF plug-in adds to that realized data loss. Regards -Lars - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
Cor Nouws wrote: Alexandro Colorado wrote (27-7-2009 11:28) yes this is very important, I would propose structuring a PR campaign in favor of office suite security. Would be good - apart from the question who is going to do that (see the speed at which the internship program progresses ..) Remark: IMO any publicity around vulnerability must be very well prepared with our developers that handle security. We must prevent to accidentally claim something that is not true. well remarked Cor, it is very important to be serious and well prepared here. We can even lose with such a campaign that is not well prepared. Security problems are always somewhat on the radar of people ... Juergen Something like... Are your documents in danger? Using insecure software might harm your document, your information and your assets. I would also list the very very broken history of Microsoft Office security issues. M$O is full of security issues through the years and also going into analysing how M$O vulnerability can harm your documents. Simply having an embedded application with the OS causes spywares to cross from the internet to the office suite. Get hit on IE and you get hit on Office too. Cor - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
Alexandro Colorado wrote (27-7-2009 11:28) yes this is very important, I would propose structuring a PR campaign in favor of office suite security. Would be good - apart from the question who is going to do that (see the speed at which the internship program progresses ..) Remark: IMO any publicity around vulnerability must be very well prepared with our developers that handle security. We must prevent to accidentally claim something that is not true. Something like... Are your documents in danger? Using insecure software might harm your document, your information and your assets. I would also list the very very broken history of Microsoft Office security issues. M$O is full of security issues through the years and also going into analysing how M$O vulnerability can harm your documents. Simply having an embedded application with the OS causes spywares to cross from the internet to the office suite. Get hit on IE and you get hit on Office too. Cor -- Cor Nouws - nl.OpenOffice.org marketing contact Ontwikkelaar? Join! http://council.openoffice.org/developers.html Gevoel niet vrij te zijn? Zie www.nieuwsteversie.nl - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
Lars Nooden wrote (27-7-2009 11:22) MS Office is beyond repair: http://www.computerworld.com/s/article/9135852/Microsoft_admits_it_can_t_stop_Office_file_format_hacks A stop-gap measure even for M$ shops would be to install OOo along side, quickly, and use that whenever possible. Great humor Lars ;-) I read "Office File Validation, meanwhile, is a system that validates older, pre-XML file formats for Word, Excel and PowerPoint, then blocks those that don't conform to the documented format." So I see the danger of extra work for our filter-developers :-\ Cor -- Cor Nouws - nl.OpenOffice.org marketing contact Ontwikkelaar? Join! http://council.openoffice.org/developers.html Gevoel niet vrij te zijn? Zie www.nieuwsteversie.nl - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
Re: [marketing] OOo as security upgrade
On Mon, Jul 27, 2009 at 11:22 AM, Lars Nooden wrote: > MS Office is beyond repair: > http://www.computerworld.com/s/article/9135852/Microsoft_admits_it_can_t_stop_Office_file_format_hacks > > A stop-gap measure even for M$ shops would be to install OOo along side, > quickly, and use that whenever possible. > > -Lars yes this is very important, I would propose structuring a PR campaign in favor of office suite security. Something like... Are your documents in danger? Using insecure software might harm your document, your information and your assets. I would also list the very very broken history of Microsoft Office security issues. M$O is full of security issues through the years and also going into analysing how M$O vulnerability can harm your documents. Simply having an embedded application with the OS causes spywares to cross from the internet to the office suite. Get hit on IE and you get hit on Office too. -- Alexandro Colorado OpenOffice.org Español IM: j...@jabber.org - To unsubscribe, e-mail: dev-unsubscr...@marketing.openoffice.org For additional commands, e-mail: dev-h...@marketing.openoffice.org
