From Apache OpenOffice Wiki
OOo Marketing Project



Draft of points in and concerning the misuse of the [French Ministry of Defence's Report on OpenOffice] which has been used in a recent FUD campaign.

Some of the vulnerabilities were fixed before the MoD's draft was even ready, which shows the short turnaround time for F/OSS patches. (Note: MS tries to cook the numbers on this by confusing the dates: date vulnerability implemented, date vulnerability found by black hats, by white hats, reported, admitted by vendor, patch announced, patch issued, working patch issued.)

The flaw won't run under the default security mode of OOo.

Below are items ripped from the discussion list and worth smoothing into this document

from Sophie: Malte has made a comment on their first meeting on his blog:

from Erwin

  • Yes, ZIP and XML are open techniques which make it easy for someone to include malicious elements. However, the transparent nature of these technologies also makes it easy to detect malicious elements. It's like with open source in general. Yes, on the one hand the availability of source code makes it easier to identify and exploit security holes. However, for the same reasons issues can be identified and fixed faster.
  • Mr. Filiol was impressed by the fast response from the including Sun Microsystems. There is a very positive quote in the
  • We're happy about the external security audits by organizations like the ESAT, because the feedback helps to develop a very secure office productivity solution.
  • Due to the availability of the source code, companies and government organizations can help develop new security features and concepts.

from jonathon

OK, let's go back to that proof of concept virus.

  • The end user has to obtain the document from an unknown source.
  • The user has to put that document into a directory which automatically gives macros permission to run;
  • They have to have changed the default security setting to "Low";
  • They have to open the document;
  • Their platform must contain either _no_ firewall, or one that does not block any outgoing processes, and also does not block programmes from opening other programmes;

The "Security flaws" that the French DOD is concerned about exist only when the user changes the defaults.
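
Erwin's point above, that the open ZIP and XML packaging makes embedded macros easy to detect, can be checked with a short script. This is an added example, not code from the OpenOffice.org project or the discussion list; it assumes the ODF package layout in which macro code sits under `Basic/` or `Scripts/` and event bindings appear as `script:event-listener` elements in `content.xml`, and the sample documents are constructed in memory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, a hardened parser such as defusedxml is preferable

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
MACRO_DIRS = ("Basic/", "Scripts/")  # assumed locations of embedded macro code in the package


def find_macros(odf_bytes):
    """Return (macro_files, event_bindings) found in an ODF package."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        names = pkg.namelist()
        macro_files = sorted(n for n in names
                             if n.startswith(MACRO_DIRS) and not n.endswith("/"))
        bindings = []
        if "content.xml" in names:
            root = ET.fromstring(pkg.read("content.xml"))
            for el in root.iter("{%s}event-listener" % SCRIPT_NS):
                bindings.append((el.get("{%s}event-name" % SCRIPT_NS),
                                 el.get("{%s}href" % XLINK_NS)))
    return macro_files, bindings


def build_sample(with_macro):
    """Constructed sample package, built in memory so the example runs offline."""
    listener = ""
    if with_macro:
        listener = ('<office:scripts><office:event-listeners>'
                    '<script:event-listener script:language="ooo:script" script:event-name="dom:load" '
                    'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>'
                    '</office:event-listeners></office:scripts>')
    content = ('<office:document-content xmlns:office="%s" xmlns:script="%s" '
               'xmlns:xlink="%s">%s<office:body/></office:document-content>'
               % (OFFICE_NS, SCRIPT_NS, XLINK_NS, listener))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", content)
        if with_macro:
            pkg.writestr("Basic/Standard/Module1.xml", "<module/>")
    return buf.getvalue()


if __name__ == "__main__":
    for with_macro in (False, True):
        print(with_macro, find_macros(build_sample(with_macro)))
```

A document that reports macro files or an on-load binding is the kind that the steps in jonathon's list depend on, so a mail gateway or file server can flag it before any user opens it.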
