OOo Marketing Project
Draft of points in, and concerning the misuse of, the [French Ministry of Defence's Report on OpenOffice], which has been used in a recent FUD campaign.
Some of the vulnerabilities were fixed before even the MoD's draft was ready: short turnaround time for F/OSS patches (note: MS tries to cook the numbers on this by confusing the dates: date vulnerability implemented, date vulnerability found by black hats, by white hats, reported, admitted by vendor, patch announced, patch issued, working patch issued).
The flaw won't run under the default security mode of OOo.
Below are items ripped from the discussion list and worth smoothing into this document.
From Sophie: Malte has made a comment on their first meeting on his blog: http://blogs.sun.com/roller/page/malte?entry=french_department_of_defense_damns
- Yes, ZIP and XML are open techniques which make it easy for someone to include malicious elements. However, the transparent nature of these technologies also makes it easy to detect malicious elements.
It's like with open source in general. Yes, on the one hand the availability of source code makes it easier to identify and exploit security holes. However, for the same reasons issues can be identified and fixed faster.
- Mr. Filiol was impressed by the fast response from the OpenOffice.org including Sun Microsystems. There is a very positive quote in the report!
- We're happy about the external security audits by organizations like the ESAT, because the feedback helps to develop a very secure office productivity solution.
- Due to the availability of the source code, companies and government organizations can help develop new security features and concepts.
OK, let's go back to that proof of concept virus.
- The end user has to obtain the document from an unknown source;
- The user has to put that document into a directory which automatically gives macros permission to run;
- They have to have changed the default security setting to "Low";
- They have to open the document;
- Their platform must contain either _no_ firewall, or one that does not block any outgoing processes, and also does not block programmes from opening other programmes.
The "Security flaws" that the French DOD is concerned about exist only when the user changes the defaults.