51 Comments
- computergod, on 10/11/2007, -2/+41 They have been way too lax in keeping security a priority in OOo. Thankfully this is just proof-of-concept, but it was done way too easily. They discovered a separate exploit/method for every OOo platform for this one.
- hello2usir, on 10/11/2007, -3/+30 sans oxy
- MatttK, on 10/11/2007, -5/+27 I find your post refreshing. I expected to find people blindly defending Open Office, while dishing out off topic hatred for Microsoft Office. Well at least it'll come in reply to my post now. ;)
- cdmarcus, on 10/11/2007, -1/+22 OpenOffice.org has been lax in a lot of things, and every time they release a new version I am disappointed that they continue to ignore the fact that it takes ages to load and it has a UI that only its developers could love. The "help agent" that pops up every time you save a document or use quotes (") to inform you of OOo's amazing ODF formats or the fact that it has curly quotes is completely useless, and it's actually harder to turn off than Clippy. They grossly misuse UI elements, and have an Options dialog that takes programmer-designed UIs to a new level. For an example of UI element misuse, open the Options dialog, go to the Load/Save section, and try to set the default file format for presentations. Seriously, what the hell were they thinking when they put that in? I've tried AbiWord, and although the UI is pleasant to use and it's fast as hell, it just doesn't cut it when it comes to integration among the apps and advanced features.
OpenOffice.org is pretty much the only app that meets the needs of most computer users when it comes to office software, but whoever is developing it isn't trying to make it appealing or easy to use. The last update added an extension manager. Come on, the last thing OpenOffice.org needs right now is more features. For the next release, they should focus on slimming it down and redesigning the UI. Maybe one of the Gnome designers could help or something. When you look at the open-source projects that are succeeding in the consumer market, the one that instantly comes to mind is Mozilla Firefox. Its balance of usable features and a UI that beat the competition was the reason it was able to, and still is able to, appeal to a non-technical audience. I'm not saying that they should gear it to the lowest common denominator... just make it more efficient and easier to use for everyone, rather than adding features and stuffing them wherever you can find a gap to fit them in.
- saikhan, on 10/11/2007, -1/+19 Oxymoron...
- natenovs, on 10/11/2007, -6/+21 what?
it's a user mode exploit, like 95% of the windows exploits.
it could f up every one of your documents, and propagate. that's bad enough.
- DaGeek, on 10/11/2007, -2/+13 A Word Processor is the bastard child of a text editor and a desktop publishing tool. ;-)
- bob7, on 10/11/2007, -11/+19 This is my list of complaints against all word processors in existence:
* A word processor has no excuse to crash. Its entire purpose in life is to type words. There is nothing complex about this. If a modern computer is not capable of typing words without falling on its face, then something is seriously wrong.
* A word processor should not be 100+ megabytes. It is little more than a text editor plus some formatting features and a spell checker. What those 100+ megs would be filled with beats me. It is a waste of space and resources. There is no reason for a word processor to be as fat and bloated as the guy who wrote it. Remember, keep it simple, stupid.
* A word processor should not take so long to start that it requires a splash screen. Again, we are going to be typing words. No massive textures need to be loaded into the background, complex initialization scripts need to be run. You should just be able to start the thing and be able to use it. Again, KISS.
* A word processor should not require a training course or giant book in order to use. If people need to take a training course in order to use a word processor, then either these people are extremely stupid or the word processor is crap. Anybody who has never used it before should be able to sit down and do exactly what they want, elegantly. Once more, KISS.
* There is absolutely no reason for a word processor to have security holes. There is no reason it would ever need to connect to the Internet. Its only input and output are from the user and the files it's working with. There is no reason for the files to have anything executable in them, and there is definitely no reason that the word processor should want to execute anything within the files.
* Clippy. Nuf' said.
* A word processor should not be annoying. Little things like randomly changing fonts and failure to properly wrap text around objects is unacceptable.
* A word processor should include its own name in its spell checking dictionary. It should also be able to recognize when a chunk of text is a URL, and not try to spell check it. It should also include the plural of all nouns in its dictionary. It should not try to spell check acronyms, and it should include a list of common product and company names in its dictionary.
* A word processor should be able to run flawlessly on my junky old 266 MHz Pentium MMX IBM ThinkPad. Failure to keep up with me as I type or backspace is unacceptable. It should also not have to refresh the entire windows 3 times every time I scroll down, taking a darned light year for every refresh. The ability to work happily on such old hardware would also mean that it would be blazing fast on my new Core 2 Duo system.
- inactive, on 10/11/2007, -10/+18 Yeah.... but USER-LEVEL???
BFD. Let us know when people have found a way to escalate privilege levels.
- sishgupta, on 10/11/2007, -1/+8 Google docs is cool for collaboration, but it doesn't have the robustness of OOo or MSWord.
I hope that these "security failings" are remedied quickly. Perhaps the team that developed the macro hack can put together some fixes.
- msgyrd, on 10/11/2007, -4/+10 From your following points, I think it's a safe assumption that you're not a professional software developer, and would go so far as to guess you've never written a line of code in your life.
* A word processor has no excuse to crash. Its entire purpose in life is to type words. There is nothing complex about this. If a modern computer is not capable of typing words without falling on its face, then something is seriously wrong.
Your concept of a modern computer is flawed. Your concept of how complex software is, is really really flawed.
* A word processor should not be 100+ megabytes. It is little more than a text editor plus some formatting features and a spell checker. What those 100+ megs would be filled with beats me. It is a waste of space and resources. There is no reason for a word processor to be as fat and bloated as the guy who wrote it. Remember, keep it simple, stupid.
Yet you complain below about it needing to have a huge dictionary, and needing to convert URLs to hyperlinks on the fly. Make up your mind. That isn't exactly simple.
* There is absolutely no reason for a word processor to have security holes. There is no reason it would ever need to connect to the Internet. Its only input and output are from the user and the files it's working with. There is no reason for the files to have anything executable in them, and there is definitely no reason that the word processor should want to execute anything within the files.
All code has the potential for security holes. If it didn't connect to the internet, you're just as likely to complain about it not auto-updating or downloading bug fixes. Expected security of software is measured by age, not purpose. If your software has been around for 15 years and no exploits have been found, it's probably secure. If it's 6 months old, you can't assume that yet. Being a word processor is completely irrelevant to the discussion of code security.
* A word processor should include its own name in its spell checking dictionary. It should also be able to recognize when a chunk of text is a URL, and not try to spell check it. It should also include the plural of all nouns in its dictionary. It should not try to spell check acronyms, and it should include a list of common product and company names in its dictionary.
Just a second ago you were complaining about load times and keeping it simple...now you want a robust dictionary, URL checking, pluralization checks on almost half the words you type, automatic acronym checking, and vendor specific nouns which companies frequently invent, change or remove (looks like we'll need internet access to keep a dictionary updated).
* A word processor should be able to run flawlessly on my junky old 266 MHz Pentium MMX IBM ThinkPad. Failure to keep up with me as I type or backspace is unacceptable. It should also not have to refresh the entire windows 3 times every time I scroll down, taking a darned light year for every refresh. The ability to work happily on such old hardware would also mean that it would be blazing fast on my new Core 2 Duo system."
So you're cheap and don't want to buy a new laptop? Understandable, but don't complain about the latest and greatest not performing well on it. Sorry, keeping up with typing and backspacing gets a little difficult when you're doing on-the-fly dictionary checks, checking for noun pluralizations, potential acronyms, grammar checking, URL check-exemption, etc. Beyond that, your screen is refreshing around 60 times per second, you only notice it happens "3 times per second" when your computer is under load and has difficulty keeping new screen data sync with your scrolling action, and things get ugly.
Seriously man, it sounds like WordPad is what you want, not a full blown word processor, which is fine, because a rich text editor is all most people use most of the time.
However, in the past, I've actually used an office suite as an office suite, and the size, slow speed and extra features are justified and appreciated when it's needed. It's one of those obscure things, but something MS Office handles fairly flawlessly: Take an excel sheet of ~100 names and titles, import them into a name badge template dynamically, and have it format them onto 3x4 inch sheets, 6 per page. In Office, if the excel sheet was already typed up, printing off those 100 name badges would take me at most, 10 minutes, including print time. If you had to do it by hand in a watered down, KISS editor, you're looking at a half day of boring repetitive work.
Both have their places. If OO.org or MS Office are too bloated for you, try something simpler like Abiword. You've probably been using a sledgehammer when all you needed was a ball-peen hammer.
- Phil246, on 10/11/2007, -7/+12 @natenovs - except that on windows, users == administrators.
This is not the case on linux ( running as root is considered very very bad practice )
Yes, user mode is bad enough but it's not as bad as it could have been ( think the whole system being trashed and documents from *every* user on the system destroyed - not just the one user who the virus executed under )
- dr-steve, on 10/11/2007, -0/+5 To those of you who claim Windows users are equivalent to Admin users: in a professional environment, we set up a domain, and User IS NOT Admin. End of discussion. (Yes, I DO agree that MS has the key flaw of making domains and simple security inaccessible to the common home network. Oh, do I wish for the ability to set up a simple domain system, Linux or Windows based, for my small at-home network! And yes, it DOES need to be click-and-run based; Joe Homeuser does not need to learn command-line for once-a-year activities. GUI means low learning curve at the expense of potentially more activity when executing complex functionality; command line is higher learning curve for ease of access to this high-level functionality. Infrequent use does not justify the learning curve.)
To those of you who claim that non-Admin users are safe and secure (on any OS), you probably do not use any financial software that stores personal information in your user space. The explicit hole demonstrated showed the ability to access local files (in USER space) and use IM to communicate. Need to say anything else?
- dbr_onix, on 10/11/2007, -2/+7 "BFD. Let us know when people have found a way to escalate privilege levels."
Local exploits are the first step in escalating privileges - If you can get access to the machine as the current user, you can then use more "generic" local exploits - Exploiting OpenOffice into getting root-privs would be very very difficult, but there are plenty of local kernel exploits. Besides, the most likely use of word-processing document exploits would be corporate spying, in which you only really need access to the local user's files (documents and emails in particular) to achieve what's needed.
- franksands, on 10/11/2007, -1/+6 Amen, brother. I feel exactly the same. I wish MS (or any other) would launch a clean version of Word, meaning just the word processing and without all the bloated crap
- Rayfound, on 10/11/2007, -3/+8 Well, for a "lower cost version" of office '07, the Home and Student version (retail) is $121.99 on Newegg, and before you balk at the price, that license is for 3 COMPUTERS... honestly, less than $50 a machine for an office suite is not that bad... I mean the $450 or whatever they try to get you for on the Professional is ridiculous, but I think for home users, the Home and Student is fairly reasonable.
Includes Excel, Word, Powerpoint, and OneNote.
- bob7, on 10/11/2007, -5/+9 IMHO, this is not because OO is less popular, but because they are doing just as bad a job as MS did.
- secleinteer, on 10/11/2007, -4/+8 @skyshock21:
You CANNOT escalate the privilege levels on a *nix box unless there is a hole in the OS, regardless of the program's security. I know this sounds like I'm just bashing Windows, but this problem is actually only an issue on Windows boxes, unless you run as root on your *nix box (in which case you deserve to be exploited).
- Gizza, on 10/11/2007, -5/+9 @cdmarcus (#6842964)
Geez, if you hate it that much maybe it would be worth spending the money (or download time) to get Office 07. IMO Office 07 makes OOo look stone aged. It was ok back in the Office 2000 days, but MS has really taken Office a step forward in 07.
I just wish MS would release a "Basic" version or something, that's a lot cheaper for home users and cuts down on a lot of the advanced features. I can no longer get the academic version because they actually require you to be a uni student, and although I don't use it as much as I did while at uni, it's still hard to live without.
- smurf22, on 10/11/2007, -3/+6 It says user level not root, so it could mess with other programs but not royally f your system, still scary though.
- sgglynn, on 10/11/2007, -0/+2 "it could f up every one of your documents, and propagate."
So can my little sister...little bitch
- Niteryder, on 10/11/2007, -0/+2 I will follow the creators of openoffice on this issue more closely than on media which tends to competitively distort things. http://www.openoffice.org/security/about_badbunny_macros.html
- Haplo, on 10/11/2007, -4/+6 LaTeX + vi / emacs FTW
- vagarach, on 10/11/2007, -0/+1 Well, just like office, then, turn off macros! If you absolutely must read some document with macros in it then do so in a virtualized environment, or use chroot or something! The good thing is that you can be sure that the flaw will be fixed with minimal delay.
- inactive, on 10/11/2007, -5/+6 They still couldn't delete or change any programs or mess with any system configurations on Linux since that's not user level. I guess they could still do way too much, though.
- codmate, on 10/11/2007, -0/+1 I get your point.
The virus writers are just attention seekers!
Silly sods should have just used their time to write a fix.
- bob7, on 10/11/2007, -1/+2 Actually, I'm kind of fond of Ted ( http://en.wikipedia.org/wiki/Ted_(word_processor) ), but someone needs to redo the interface using GTK. Abiword comes in second.
- Rayfound, on 10/11/2007, -4/+5 Wordpad - but no spell check.
- cdmarcus, on 10/11/2007, -0/+1 @gizza, rayfound, nreisan, I use Linux. And I don't hate OpenOffice.org... it's more of a tough love situation. I use it, and I'm glad that it exists, but I think it could do better.
- Kinjiru, on 10/11/2007, -0/+1 I see the M$ lovers are out in force! LOL
- mythandros, on 10/11/2007, -0/+1 This story should light a fire under the developers' collective asses. OO has potential, even if it's not as secure as it should be atm.
- vagarach, on 10/11/2007, -0/+1 A virus is a much better way of getting people's attention than a bug report and fix detailing how this *could* have been used to do something bad.
- SteveMax, on 10/11/2007, -0/+1 Try KOffice. It's much faster (and saner) than OOo. *nix-only for now, with native Windows and Mac versions to follow after KDE 4.0.
- immrlizard, on 10/11/2007, -0/+1 @ Kinjiru
I do the same for all of the machines I build too. If for no other reason than to show others that there is an alternative. There is weakness in nearly every piece of software out there. Some worse than others. I too hope that they take a closer look at the code so that it doesn't end up like office and their monthly patch schedule.
- thefinger, on 10/11/2007, -6/+6 somebody had better warn that OpenOffice user about this
- nreisan, on 10/11/2007, -0/+0 you don't ACTUALLY need to be a student to buy academic versions/student versions in Australia
it's just that it can't be used for 'commercial use'
basically business can't buy them for their computers, however on your home computer it's perfectly acceptable.
I'd assume you don't need ID in america as well although i don't know for sure.
office 2007 is great, i love it, such an improvement
- thefinger, on 10/11/2007, -3/+3 *****' A !!! :)
- codmate, on 10/11/2007, -1/+1 Why go to the trouble of creating a 'proof of concept virus' when, since the software is open source, you could spend the time writing a patch for the security flaw?
- r3zonance, on 10/11/2007, -2/+1 "A Word Processor is the bastard child of a text editor and a desktop publishing tool. ;-)"
No, that's Word.
Traditional word processors are text editors with a bit of formatting thrown in.
- inactive, on 10/11/2007, -6/+5 Geez, can Kevin Rose just hook the Ars Technica newsfeed up to the front page, and cut out the middleman?
- TheNameless88, on 10/11/2007, -1/+0 Thank you, finally.
Though, I'm surprised the article didn't mention that this can be totally sterilized by setting macro security to "very high." I have always done this, for the dumb users who I have to share this place with.
Also, this is "not in the wild," whether it be due to the writers' incompetence, or whatnot, they sent it straight to virus labs, no other reports to speak of.
And finally, this is not a vulnerability, unless you say that macros are a vulnerability.
Stop the FUD, people.
- wsgeek, on 10/11/2007, -3/+1 Most software being used has some or the other loophole. Such proof of concepts gives community developers a fair chance to find out the most serious flaws and try and fix them.
I believe that a lot of software developers are usually lax to working out negative/unsafe scenarios while development, present company included (things like these bring my attention back to security time and again).
- skitboxkilla, on 10/11/2007, -3/+0 Does anyone on the OO_Mac Beta know if the exploit affects OS X too?
- DonPMitchell, on 10/11/2007, -5/+2 Why should we expect open-source software to be automatically secure? Bugs and security holes are not discovered by amateurs inspecting source code. They are found by testing, by hiring "penetration engineers" (i.e., hackers) and by being attacked over and over again, with fixes developed to counter those attacks.
It worries me that many open-source systems, including Linux itself, are not exposed to this rigorous process. And there are too many True Believers who just take it as an article of faith that OOS is superior in every way.
- Kinjiru, on 10/11/2007, -10/+5 Personally I like OO.. and much prefer it over M$O.. I install it on almost all systems by default (since most ppl don't want to pay for M$)
but the security is lacking.. hopefully this will be a wake up for the coders and they can make some much needed revisions now..
and also slim/optimize the code to speed things up.. bloatware is one thing we have too much of already!
- InYoLeftI, on 10/11/2007, -5/+0 Prostate Cancer!!!
I think you overestimate its chances.
- Haplo, on 10/11/2007, -8/+3 How many users use your GNU/Linux system? .... right
How many user accounts need to be compromised to turn your computer into a zombie?... right.
Next!
- wageslaven, on 10/11/2007, -22/+11 You're not trying to tell us that software that isn't popular is as vulnerable to malicious exploitation as the commonly exploited software is? You mean that the exploits we hear about are because the code writers target more popular platforms?
There must be something wrong here!
- pogfreak, on 10/11/2007, -15/+4 I'm sure it will be patched in a matter of hours - problem solved. Compare this to IE 7 which shipped with 5,000+ known bugs. So what were you saying?
- cactus476, on 10/11/2007, -19/+1 Old news...

