incubator-ooo-dev mailing list archives

From drew <d...@baseanswers.com>
Subject RE: Install configuration management
Date Fri, 18 Nov 2011 20:36:58 GMT
On Fri, 2011-11-18 at 12:07 -0800, Dennis E. Hamilton wrote:
> When the download and execution is *performed* by Apache OpenOffice, the vulnerability
> is now ours.  That needs to be obvious too.

Howdy,

Just a quick aside here - the idea of organizations using local
extension and template repositories isn't completely out of the blue -
as I recall there were a couple of school systems in the US that did
just this and a corporation in Japan...I'll try to find my old notes
on that and pass along what I have, if I still have it.

Thanks

Drew Jensen

> 
> -----Original Message-----
> From: Rob Weir [mailto:robweir@apache.org] 
> Sent: Friday, November 18, 2011 11:58
> To: ooo-dev@incubator.apache.org
> Subject: Re: Install configuration management
> 
> On Fri, Nov 18, 2011 at 2:11 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org> wrote:
> > I think this is all very interesting.
> >
> > I want to point out that any situation where code is downloaded for
> > execution under the user's privileges while running Apache OpenOffice
> > is an avenue for attack by injection of malicious code and also data
> > mining the user account.
> >
> 
> I want to point out that any situation where code is downloaded for
> execution under the user's privileges while *not running* Apache
> OpenOffice is *also* an avenue for attack by injection of malicious
> code and also data mining the user account.
> 
> This is just stating the obvious in too many words.
> 
> -Rob
> 
> 


