openoffice-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <dennis.hamil...@acm.org>
Subject RE: Cross Script vulnerabilities in AOo Extensions?
Date Thu, 07 Apr 2016 16:35:45 GMT
Toki, thanks for your useful question.

Here are some factors to consider.

 1. The Apache OpenOffice project does not vet or review extensions and templates that are
produced by third parties and downloadable from the SourceForge extension and template collections.
 These are all "at your own risk." 

 2. To the extent that extensions and templates operate at the privilege level of the OpenOffice
user, it is possible for extension code to accomplish malicious purposes.

 3. There is no sandbox for the operation of extensions generally: access to the internet,
the desktop platform, and file systems are not constrained.
 
Basically, it does not require anything so elaborate as the bypassing of FireFox add-on protection
described in the Ars Technica article.  Multi-component collaborative exploit staging is possible
although unnecessary.

Part of the problem is that the extension format goes back to OpenOffice.org 1.x and a simpler
world.  

There is also complacency and mythology about OpenOffice not being vulnerable to some of the
difficulties that arose in Microsoft Office software of the same and earlier eras.  It could
be more the case that exploit perpetrators prefer to go where the most victims are to be found.
 That does not mean other low-hanging fruit escapes attention, as we now know for Linux, Apple,
Android, and other products.  

An upgrade of the extension packaging could provide some auditability.  Perhaps the most important
upgrade, using a form of ODF 1.2 packaging, would be use of digital signatures to provide
a level of authentication on the extension/template source and allow detection of modifications
or counterfeits.

Other kinds of auditing and forensic analysis require better computer-based tools.  Those
are lacking generally, not just for extension packages.

This is one of those situations where defenses require considerable more effort than attacking,
although skill is required for an exploit to go undetected.

No concerted effort on this area is foreseen at this time.  

 - Dennis  



> -----Original Message-----
> From: toki [mailto:toki.kantoor@gmail.com]
> Sent: Thursday, April 7, 2016 03:45
> To: dev@openoffice.apache.org
> Subject: Cross Script vulnerabilities in AOo Extensions?
> 
> All:
> 
> In reading
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-
> firefox-add-ons-open-millions-to-new-attack/
> is the same type of vulnerability is possible with AOo extensions?
> 
> jonathon
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


Mime
View raw message