Well... some time ago I took a look at the OpenOffice (OOo) file-format (ODF) and the features OOo provides.
I stumbled upon some things that I want to describe here in the next days or weeks.
OOo is a good example of the old fight Features vs. Security and in this case Security has lost.
You might ask: "Why doesn't he tell the OOo developers to get this stuff fixed?" Well, there are no bugs, just features. They can only be removed or restricted... so it's not a technical problem to address here. I think it is better to increase the awareness of the users because these attacks come together with social engineering and user assistance.
Some of you prefer OOo over MS Office because MS Office had a lot of security problems in the past. And yes, OOo denies the execution of macro code by default; and yes, various security vulnerabilities (see MITRE's CVE database) in OOo get fixed within a short timeframe. But is this enough... No, it's not! An attacker doesn't need 0-day exploits for programming or design errors to compromise your desktop system... protected behind a firewall, application proxy and watched by an IDS - No, all that is needed are OOo's features. :-)
The first example is the loading of URLs embedded in a document. OOo opens a URL automatically while opening a document. The user can't protect herself by not clicking on the link! Did you ever read the short lists of self-protection rules for Internet users? Most of them say: "Do not click on links in eMails you receive." This isn't possible with OOo. Here is the example XML snippet from the ODF's content.xml file:
The parameter "onLoad" triggers this behavior.
This allows various interesting attacks like Cross-Site Request Forgery to manipulate web-applications or to vote in the name of the victim etc.
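A defender-side check for the behavior described above, as an added example that is not part of the original post: it scans an ODF package's content.xml for any element whose XLink attributes request a remote URL on load. The `ex:linked` element, its namespace and the example.invalid URL are constructed placeholders, and matching on the standard `xlink:href`/`xlink:actuate` attribute pair is an assumption about where the "onLoad" value appears.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XLINK = "http://www.w3.org/1999/xlink"   # standard XLink namespace
REMOTE_SCHEMES = {"http", "https", "ftp"}
MAX_CONTENT_BYTES = 20 * 1024 * 1024     # refuse oversized (zip-bomb) members

def find_autoload_links(odf_bytes):
    """Return (tag, href) for each element in content.xml that asks the
    application to fetch a remote URL as soon as the document is opened."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        if "content.xml" not in pkg.namelist():
            return []
        if pkg.getinfo("content.xml").file_size > MAX_CONTENT_BYTES:
            raise ValueError("content.xml too large to scan safely")
        data = pkg.read("content.xml")
    # The scanner handles untrusted files: reject DTDs so entity-expansion
    # tricks never reach the parser.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("unexpected DTD in content.xml")
    hits = []
    for el in ET.fromstring(data).iter():
        href = el.get(f"{{{XLINK}}}href", "")
        actuate = el.get(f"{{{XLINK}}}actuate", "")
        if actuate == "onLoad" and urlparse(href).scheme in REMOTE_SCHEMES:
            hits.append((el.tag, href))
    return hits

def build_sample(href, actuate):
    """Constructed test input: a zip holding a one-element content.xml.
    'ex:linked' is a placeholder name, not a real ODF element."""
    xml = (f'<ex:doc xmlns:ex="urn:example:placeholder" xmlns:xlink="{XLINK}">'
           f'<ex:linked xlink:href="{href}" xlink:actuate="{actuate}"/></ex:doc>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("http://example.invalid/page", "onLoad"),       # remote, automatic
               ("http://example.invalid/page", "onRequest"),    # remote, needs a click
               ("Pictures/logo.png", "onLoad")]                 # local package member
    for href, actuate in samples:
        hits = find_autoload_links(build_sample(href, actuate))
        print(f"{actuate:9} {href:30} -> {'FLAG' if hits else 'ok'}")
```

Run over inbound attachments at a mail gateway or file share, a non-empty result marks documents that would contact a remote host without any click.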