You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openoffice.apache.org by toki <to...@gmail.com> on 2016/04/07 12:45:07 UTC
Cross Script vulnerabilities in AOo Extensions?
All:
In reading
http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
is the same type of vulnerability is possible with AOo extensions?
jonathon
Re: Cross Script vulnerabilities in AOo Extensions?
Posted by toki <to...@gmail.com>.
On 07/04/2016 16:35, Dennis E. Hamilton wrote:
> Multi-component collaborative exploit staging is possible although
unnecessary.
Rephrasing: For the time being, at least, one can "safely" ignore this
type of exploit, because other vectors are much easier to exploit.
Still, for those who are paranoid about security, this is yet another
cause for concern, for which they will have to create the appropriate
tools to verify the extension is not an exploit.
jonathon
RE: Cross Script vulnerabilities in AOo Extensions?
Posted by "Dennis E. Hamilton" <de...@acm.org>.
Toki, thanks for your useful question.
Here are some factors to consider.
1. The Apache OpenOffice project does not vet or review extensions and templates that are produced by third parties and downloadable from the SourceForge extension and template collections. These are all "at your own risk."
2. To the extent that extensions and templates operate at the privilege level of the OpenOffice user, it is possible for extension code to accomplish malicious purposes.
3. There is no sandbox for the operation of extensions generally: access to the internet, the desktop platform, and file systems are not constrained.
Basically, it does not require anything so elaborate as the bypassing of FireFox add-on protection described in the Ars Technica article. Multi-component collaborative exploit staging is possible although unnecessary.
Part of the problem is that the extension format goes back to OpenOffice.org 1.x and a simpler world.
There is also complacency and mythology about OpenOffice not being vulnerable to some of the difficulties that arose in Microsoft Office software of the same and earlier eras. It could be more the case that exploit perpetrators prefer to go where the most victims are to be found. That does not mean other low-hanging fruit escapes attention, as we now know for Linux, Apple, Android, and other products.
An upgrade of the extension packaging could provide some auditability. Perhaps the most important upgrade, using a form of ODF 1.2 packaging, would be use of digital signatures to provide a level of authentication on the extension/template source and allow detection of modifications or counterfeits.
Other kinds of auditing and forensic analysis require better computer-based tools. Those are lacking generally, not just for extension packages.
This is one of those situations where defenses require considerable more effort than attacking, although skill is required for an exploit to go undetected.
No concerted effort on this area is foreseen at this time.
- Dennis
> -----Original Message-----
> From: toki [mailto:toki.kantoor@gmail.com]
> Sent: Thursday, April 7, 2016 03:45
> To: dev@openoffice.apache.org
> Subject: Cross Script vulnerabilities in AOo Extensions?
>
> All:
>
> In reading
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-
> firefox-add-ons-open-millions-to-new-attack/
> is the same type of vulnerability is possible with AOo extensions?
>
> jonathon
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Cross Script vulnerabilities in AOo Extensions?
Posted by Fernando Cassia <fc...@gmail.com>.
On 4/7/16, toki <to...@gmail.com> wrote:
> All:
>
> In reading
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
> is the same type of vulnerability is possible with AOo extensions?
>
> jonathon
"By piggybacking off the capabilities of trusted third-party add-ons,
the malicious add-on faces much better odds of not being detected."
The spiral of restrictions only helps the #infosec rock stars continue
being in the spotlight and keep their jobs.
This is akin to someone "discovering" that a forks and knives can be
used as lethal weapons. So let's restrict kitchenware. Better yet,
let's implement a security measure by tying the forks and knife to the
table to restrict movement of the fork and knife only a few inches
from the dish. But then some "security researcher" will discover that
the wire can be cut by malicious users. So the rope will be replaced
by a steel wire.
Then one day one security researcher will discover that malicious
users can use the steel wire to strangle people.
This can go on ad-infinitum. Hey, just found that pens, those
innocuous devices used for writing and present in the pockets of
numeroous geeks, can be taken by surprise by a bystander and poke you
in the eye!. This is a grave security vulnerability. Let's put all
pens under lock!.
#sarcasm
FC
FC
--
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org