Posted to issues@openoffice.apache.org by bu...@apache.org on 2014/11/11 03:48:33 UTC

[Issue 125846] New: Browser Launching of AOO for ODF document raises Security Warning

https://issues.apache.org/ooo/show_bug.cgi?id=125846

          Issue ID: 125846
        Issue Type: DEFECT
           Summary: Browser Launching of AOO for ODF document raises
                    Security Warning
           Product: General
           Version: 4.1.1
          Hardware: PC
                OS: Windows 8
            Status: CONFIRMED
          Severity: minor
          Priority: P3
         Component: security
          Assignee: security@openoffice.apache.org
          Reporter: orcmid@apache.org

Created attachment 84181
  --> https://issues.apache.org/ooo/attachment.cgi?id=84181&action=edit
The warning message on attempting to view the file directly

When I used the mailing-list URL directly to this ODF file,
<http://people.apache.org/~nick/NickTemplateACEU14.odp>,
I received a security warning about the AOO executable not
being signed.

It is a strange case.  If I download the file instead,
I can use file-association to fire up AOO 4.1.1 with no
problem.  

I was using Outlook on my desktop, Windows 8.1 Pro x64, and Internet Explorer
11.

-- 
You are receiving this mail because:
You are watching all issue changes.

[Issue 125846] Browser Launching of AOO for ODF document raises Security Warning

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=125846

jsc@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsc@apache.org

--- Comment #1 from jsc@apache.org ---
I don't think this is a real issue. It is more a further restriction, meant to
inform the user about unsigned applications. We can't really prevent this
without having our app signed.

This can be seen as a further reminder that signing is somewhat important today
to generate trust with our users. Many users get nervous when they are confronted
with such messages and don't understand them in detail.

It is of course very annoying and the question is why the browser doesn't accept
applications that are marked as trustworthy on the desktop already.


[Issue 125846] Browser Launching of AOO for ODF document raises Security Warning

Posted by bu...@apache.org.
https://issues.apache.org/ooo/show_bug.cgi?id=125846

--- Comment #2 from orcmid <or...@apache.org> ---
(In reply to jsc from comment #1)
> I don't think this is a real issue. 
[ ... ]
> It is of course very annoying and the question is why the browser doesn't
> accept applications that are marked as trustworthy on the desktop already.

I agree.  This issue is here as a way to be able to show the attachment and
discuss it, but it is not a bug in the usual sense.

It strikes me that this is a "misfire" by IE 11, since it is very difficult to
understand the condition that is being protected against.  I think it is just
about opening a document on the desktop from an open TCP/IP connection and what
that might provide in terms of a vulnerability.

There is another aspect to the business about signatures.  Signatures on
downloads (the installers) versus on the installed components is involved here.
It takes both to be trustworthy on the desktop.

IE notices that the executable is not signed on looking at launching the
application.  I suppose it is a safeguard against an executable having been
placed by a drive-by download, but it would also have to be registered in the
application associations and perhaps there is some search path concern as well. 

I expect this to disappear when Windows code signing starts being used.  (I
didn't go to the trouble to see if LibreOffice code manages not to trigger this
intervention.)
