From: "Dennis E. Hamilton"
To: dev@openoffice.apache.org
Subject: RE: Cross Script vulnerabilities in AOo Extensions?
Date: Thu, 7 Apr 2016 09:35:45 -0700
Organization: NuovoDoc
Message-ID: <008701d190eb$8ab0ec60$a012c520$@acm.org>
In-Reply-To: <57063A33.7040308@gmail.com>

Toki, thanks for your useful question. Here are some factors to consider.

1. The Apache OpenOffice project does not vet or review extensions and templates that are produced by third parties and downloadable from the SourceForge extension and template collections. These are all "at your own risk."

2. To the extent that extensions and templates operate at the privilege level of the OpenOffice user, it is possible for extension code to accomplish malicious purposes.

3. There is no sandbox for the operation of extensions generally: access to the internet, the desktop platform, and file systems are not constrained.

Basically, it does not require anything so elaborate as the bypassing of Firefox add-on protection described in the Ars Technica article. Multi-component collaborative exploit staging is possible although unnecessary.

Part of the problem is that the extension format goes back to OpenOffice.org 1.x and a simpler world.

There is also complacency and mythology about OpenOffice not being vulnerable to some of the difficulties that arose in Microsoft Office software of the same and earlier eras. It could be more the case that exploit perpetrators prefer to go where the most victims are to be found. That does not mean other low-hanging fruit escapes attention, as we now know for Linux, Apple, Android, and other products.

An upgrade of the extension packaging could provide some auditability. Perhaps the most important upgrade, using a form of ODF 1.2 packaging, would be use of digital signatures to provide a level of authentication on the extension/template source and allow detection of modifications or counterfeits.

Other kinds of auditing and forensic analysis require better computer-based tools. Those are lacking generally, not just for extension packages.

This is one of those situations where defenses require considerably more effort than attacking, although skill is required for an exploit to go undetected. No concerted effort on this area is foreseen at this time.

 - Dennis

> -----Original Message-----
> From: toki [mailto:toki.kantoor@gmail.com]
> Sent: Thursday, April 7, 2016 03:45
> To: dev@openoffice.apache.org
> Subject: Cross Script vulnerabilities in AOo Extensions?
>
> All:
>
> In reading
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
> is the same type of vulnerability possible with AOo extensions?
>
> jonathon
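One way to get the package-level auditability Dennis describes, as an added example that is not from this thread or from the Apache OpenOffice project: it takes a hypothetical .oxt (a zip) that carries an ODF 1.2-style META-INF/documentsignatures.xml with one XML-DSig Reference per package file, and reports which files the signature vouches for, which are unsigned, and which were changed after signing. It assumes the DigestValue is SHA-256 over each file's raw stored bytes (no canonicalization), checks digest coverage only (not the SignatureValue or the signer's certificate), and builds its own constructed toy package rather than reading a real extension.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SIG = "META-INF/documentsignatures.xml"          # ODF 1.2 signature stream (assumed reused for .oxt)
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"

def b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def signature_digests(xml_bytes):
    """Map each package-file <Reference URI> to its DigestValue (assumed raw-bytes SHA-256)."""
    out = {}
    for ref in ET.fromstring(xml_bytes).iter(DS + "Reference"):
        uri, meth, val = ref.get("URI", ""), ref.find(DS + "DigestMethod"), ref.find(DS + "DigestValue")
        if uri.startswith("#") or meth is None or val is None or meth.get("Algorithm") != SHA256_URI:
            continue  # same-document references and unknown digest algorithms vouch for no file
        out[uri] = val.text.strip()
    return out

def audit_package(oxt_bytes):
    """Classify every file in an .oxt (zip) as covered, unsigned, or tampered."""
    zf = zipfile.ZipFile(io.BytesIO(oxt_bytes))
    expected = signature_digests(zf.read(SIG)) if SIG in zf.namelist() else {}
    report = {"covered": [], "unsigned": [], "tampered": []}
    for name in zf.namelist():
        if name.endswith("/") or name == SIG:
            continue  # directory entries and the signature stream itself are not digested
        if name not in expected:
            report["unsigned"].append(name)   # present in the zip, but no Reference vouches for it
        elif b64sha256(zf.read(name)) == expected[name]:
            report["covered"].append(name)
        else:
            report["tampered"].append(name)   # bytes differ from what was signed
    return report

def build_sample():
    """Constructed toy .oxt: three signed files, one of them modified after signing, plus one unsigned file."""
    files = {"META-INF/manifest.xml": b"<manifest/>", "description.xml": b"<description/>",
             "Module1.xba": b'Sub Main\n  MsgBox "original"\nEnd Sub\n'}
    refs = "".join(f'<Reference URI="{n}"><DigestMethod Algorithm="{SHA256_URI}"/>'
                   f'<DigestValue>{b64sha256(d)}</DigestValue></Reference>' for n, d in files.items())
    sig = f'<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>{refs}</SignedInfo></Signature>'
    files["Module1.xba"] = b'Sub Main\n  MsgBox "changed"\nEnd Sub\n'  # Basic macro altered after signing
    files["helper.py"] = b"import os\n"                                 # never referenced by the signature
    files[SIG] = sig.encode()
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        for n, d in files.items():
            zf.writestr(n, d)
    return buf.getvalue()
```

Anything in the "unsigned" or "tampered" lists is content the signature does not stand behind, which is exactly the unvetted code that runs at the user's privilege level once installed; verifying the SignatureValue and the signer's certificate is the further step that separates a genuine package from a counterfeit.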