Thought you might want to check this out. I don't remember seeing this on
any of the lists.
http://digg.com/security/OpenOffice_org_Security_Is_Insufficient
---
"OpenOffice.org Security Is Insufficient..."
"With Microsoft Corp.'s Office suite now being targeted by hackers,
researchers at the Fre
Chad wrote:
Thought you might want to check this out. I don't remember seeing this on
any of the lists.
The initial announcement was a couple of weeks ago. The most recent
gives a list of "security flaws" in OOo on _Windows_.
People who practice "safe computing" don't have anything to wor
Its a little unclear from the article, but are they saying that the
"maliciously encoded macros and templates" are M$ formatted files or
ODF formatted files (using OOo owns macro language)... And what does
"compromise systems running the open-source software" - are we talking
taking over admin pri
Paul wrote:
On 8/15/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Chad wrote:
> Thought you might want to check this out. I don't remember seeing
this on
> any of the lists.
The initial announcement was a couple of weeks ago. The most recent
gives a list of "security flaws" in OOo on
On 8/14/06, Paul <[EMAIL PROTECTED]> wrote:
I still think, as I did last time there was a security "scare" with
OOo, that if you open documents from unknown sources and let all the
macro's run unhindered then you deserve what you get...
That is not an attitude that is going to make OpenOffice
On Mon, 2006-08-14 at 17:21 -0400, Chad Smith wrote:
> On 8/14/06, Paul <[EMAIL PROTECTED]> wrote:
>
> > I still think, as I did last time there was a security "scare" with
> > OOo, that if you open documents from unknown sources and let all the
> > macro's run unhindered then you deserve what you
On 8/14/06, Ian Lynch <[EMAIL PROTECTED]> wrote:
But with freedom comes a cost. You can lock stuff down to be almost
unusable or you can give leeway and flexibility but with some risk. The
key is in the balance. You will never get 100% secure and 100% flexible.
I didn't say anything about ho
I didn't say anything about how to make OOo more secure - I was just
commenting on the attitude that if you mess up your computer by opening a
malacious document in OpenOffice.org, then you deserve whatever damage you
get. That's a horrible attitude, and that's no way to get people to use
OOo.
Chad wrote:
commenting on the attitude that if you mess up your computer by opening a
malacious document in OpenOffice.org, then you deserve whatever damage you
The point is that for the last thirty years, _every_ security expert has
said "do not run software from unknown sources".
For at
On Tue, 15 Aug 2006, discuss@openoffice.org wrote:
For at least the last ten years, security experts have also said "do not open
documents from unknown sources".
Bzzzt. Thanks for playing. Statements like that would disqualify the
speaker from being any kind of security expert: Malware is on
On Mon, 2006-08-14 at 17:43 -0400, Chad Smith wrote:
> On 8/14/06, Ian Lynch <[EMAIL PROTECTED]> wrote:
> >
> >
> > But with freedom comes a cost. You can lock stuff down to be almost
> > unusable or you can give leeway and flexibility but with some risk. The
> > key is in the balance. You will nev
On Tue, 2006-08-15 at 01:05 +, discuss@openoffice.org wrote:
>
> I'll leave it as an exercise for you to figure out what "safe computing"
> means, in that context.
Like safe sex, never connect and exchange data with an unknown
source ;-)
Ian
--
www.theINGOTS.org
www.schoolforge.org.uk
www
--- Ian Lynch <[EMAIL PROTECTED]> wrote:
> On Mon, 2006-08-14 at 17:43 -0400, Chad Smith wrote:
> > On 8/14/06, Ian Lynch <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > But with freedom comes a cost. You can lock stuff down to be almost
> > > unusable or you can give leeway and flexibility but with
--- Paul <[EMAIL PROTECTED]> wrote:
>
> I was commenting on the fact that it is widely known (regardless of
> office suite used) that opening attachments from _unknown sources_ is
> something you do not do.
>
And how is the user going to differentiate a well composed document that
appears to
c
On 8/15/06, Sander Vesik <[EMAIL PROTECTED]> wrote:
> If you nurse maid one set of people you irritate another. There is no
> perfect solution, that's all. As for marketing and pr, there are other
> lists for those discussions.
>
You can always make the default secure - and include a big red b
On 8/15/06, Sander Vesik <[EMAIL PROTECTED]> wrote:
And how is the user going to differentiate a well composed document that
appears to
come from an unknown and malicious source from one cominhg from a known
source?
Pityfully small amount of mail saystems have any serious anti-forgery
facilitie
Sander wrote:
And how is the user going to differentiate a well composed document that
appears to
come from an unknown and malicious source from one coming from a known source?
i) Call everything from AOL, MSN, Yahoo, Hotmail, Juno, and two or three
other domains hostile documents.
ii) Che
On Tue, 2006-08-15 at 19:30 +, [EMAIL PROTECTED] wrote:
> Sander wrote:
>
> > And how is the user going to differentiate a well composed document that
> > appears to
> > come from an unknown and malicious source from one coming from a known
> > source?
>
> i) Call everything from AOL, MSN,
--- Ian Lynch <[EMAIL PROTECTED]> wrote:
> On Tue, 2006-08-15 at 19:30 +, [EMAIL PROTECTED] wrote:
> > Sander wrote:
> >
> > > And how is the user going to differentiate a well composed document that
> appears to
> > > come from an unknown and malicious source from one coming from a known
>
On Tue, 2006-08-15 at 23:27 +0100, Sander Vesik wrote:
> --- Ian Lynch <[EMAIL PROTECTED]> wrote:
> > In practice I have never inadvertently installed a virus even though I
> > get a lot of mail including quite a lot of spam. I have on occasion
> > deleted a good mail I shouldn't have. It seems pr
On 8/16/06, Ian Lynch <[EMAIL PROTECTED]> wrote:
> The problem is that this is fundamentaly untrue.
You mean its fundamentally untrue that I have never inadvertently
installed a virus? I can assure you it isn't. You mean its fundamentally
untrue that I have to put in the root password before d
On Wed, 2006-08-16 at 08:47 -0400, Chad Smith wrote:
> On 8/16/06, Ian Lynch <[EMAIL PROTECTED]> wrote:
> >
> >
> > > The problem is that this is fundamentaly untrue.
> >
> > You mean its fundamentally untrue that I have never inadvertently
> > installed a virus? I can assure you it isn't. You mean
Chad wrote:
> Remember, we are talking about OpenOffice.org - not Linux. Remember, the
> problem that he article brings up about OpenOffice.org is that macros,
> which can be set up to activate merely by opening a document, can control your
> system.
OK, lets go back to that proof of concept vir
On 8/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
* The end user has to obtain the document from an unknown source.
Why does it have to be from an unknown source? I mean, does the virus
somehow not work if I get it from my best friend?
* The user has to put that document into a dir
On Wed, 16 Aug 2006 16:09:47 +
[EMAIL PROTECTED] wrote:
> Chad wrote:
>
> > Remember, we are talking about OpenOffice.org - not Linux. Remember, the
> > problem that he article brings up about OpenOffice.org is that macros,
> > which can be set up to activate merely by opening a document, ca
On Wed, 2006-08-16 at 12:26 -0400, Chad Smith wrote:
> On 8/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> >
> > * The end user has to obtain the document from an unknown source.
>
>
> Why does it have to be from an unknown source? I mean, does the virus
> somehow not work if I get it
Chad Smith wrote:
> Remember, we are talking about OpenOffice.org - not Linux. Remember, the
> problem that he article brings up about OpenOffice.org is that macros,
> which
> can be set up to activate merely by opening a document, can control your
> system.
CAN BE set up to automatically run ma
Listen you arrogant jerk - you need to get over *yourself*.
I merely submitted an article - an article that I didn't write - an article
reporting on the findings of a governmental official from France - I'm not a
governmental offical, and I'm not from France.
I do not use scripting - I've never
--- Folderol <[EMAIL PROTECTED]> wrote:
>
> maybe I'm missing something, but surely all this would only have user
> privileges unless you had specifically opened OO as root, so surely
> damage would be limited to the users directory.
>
Root permission is not needed for a worm to distribute its
--- Ian Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, 2006-08-16 at 12:26 -0400, Chad Smith wrote:
> > On 8/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > * The end user has to obtain the document from an unknown source.
> >
> >
> > Why does it have to be from an unknown sou
--- Ian Lynch <[EMAIL PROTECTED]> wrote:
> They can if your system security lets them. If OOo has a bug that lets
> Macros run without informing the user that is definitely a vulnerability
> and nothing to do with the OS. However usually such things will get
> fixed pretty quickly and wel before
--- Daniel Kasak <[EMAIL PROTECTED]> wrote:
> Chad Smith wrote:
>
> > Remember, we are talking about OpenOffice.org - not Linux. Remember, the
> > problem that he article brings up about OpenOffice.org is that macros,
> > which
> > can be set up to activate merely by opening a document, can con
Chad Smith wrote:
> Listen you arrogant jerk - you need to get over *yourself*.
Oh really? That's pretty rich :)
> And, why, exactly, would I have to enter a password to open a document
> if it
> is my document? In other words if someone emailed me a malicious
> macro'ed
> document, why would
On Thu, 2006-08-17 at 01:05 +0100, Sander Vesik wrote:
> --- Ian Lynch <[EMAIL PROTECTED]> wrote:
>
> > On Wed, 2006-08-16 at 12:26 -0400, Chad Smith wrote:
> > > On 8/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > >
> > > >
> > > > * The end user has to obtain the document from an unkn
On Thu, 2006-08-17 at 01:35 +0100, Sander Vesik wrote:
> --- Ian Lynch <[EMAIL PROTECTED]> wrote:
>
> > They can if your system security lets them. If OOo has a bug that lets
> > Macros run without informing the user that is definitely a vulnerability
> > and nothing to do with the OS. However usu
35 matches
Mail list logo
