On Tue, Jun 30, 2015 at 5:23 PM, Dennis E. Hamilton <dennis.hamil...@acm.org > wrote:
> THE TL;DR: > > I agree. The extensive lag to availability of 4.1.2 is far more pertinent > at the level of the Board Report. The existence of CVE-2015-1774 does not > change that and should not overshadow it. > > I think featuring CVE-2015-1774 in the report exaggerates its importance > and ignores the deliberation that accompanied our announcement of a > straightforward CVE-2015-1774 mitigation, < > http://www.openoffice.org/security/cves/CVE-2015-1774.html>. > > I would largely agree, although I still believe the CVE and its mitigation should be documented at http://www.openoffice.org/download/ as there is a negligible chance any user downloading AOO will see it otherwise and I believe the risk is greater than is being recognised. > MORE MUSINGS > > We are not talking about a defect for which there is a known exploit and > there would be very few users, if any, who might encounter one, were one > worth developing. > > While Simon has expressed his own perspective on how dangerous the related > defect is and what users are exposed to, that is not the consensus of the > AOO security team and those who have oversight on its deliberations. That > does not mean we shouldn't take further steps. It just means we have > concluded there is no emergency. > It would probably be a simpler and more-fruitful action to simply make > this web page, <http://www.openoffice.org/security/>, the bulletins, and > their translations more prominent and easily found on our web site. > > Also, with respect to CVE-2015-1774, I think the population of concern is > those who use old (ca. 1999 and earlier) Korean-language HWP documents and > are happily using OO.o 2.4 through 3.4 releases, remaining ignorant of AOO > 4.1.2 and already-repaired LibreOffice distributions. > If a malicious party were to create an HWP file crafted to exploit the vulnerability but then distribute it with another extension (say .ODT), AOO would still open it. I thus believe that there are two populations of concern: 1. Users of HWP files on any existing version of AOO and predecessors. This is alleged to be a small population, and I have no reason to disagree. Were this the only population of concern I would agree that the risk would be minimal. 2. All users of any distributed version of AOO and predecessors where the documented mitigation has not been applied are also vulnerable to the creation of a malicious HWP renamed with a benign file extension. There is no known exploit at present, but as the population of users with the vulnerability grows the risk increases. We can do what we are able to do, when we do it, yet there is little to be > done for folks who have no desire or even means to replace their OpenOffice > software. > I agree that we can only do what we have the resources to do. However, I continue to believe we are not taking all the steps we could to ensure that the second population of concern are adequately informed even if we do not have the resources to protect them. S.
