On Tue, Jun 30, 2015 at 9:54 AM, Simon Phipps <si...@webmink.com> wrote:
> On Tue, Jun 30, 2015 at 5:23 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
>
> > THE TL;DR:
> >
> > I agree. The extensive lag to availability of 4.1.2 is far more pertinent at the level of the Board Report. The existence of CVE-2015-1774 does not change that and should not overshadow it.
> >
> > I think featuring CVE-2015-1774 in the report exaggerates its importance and ignores the deliberation that accompanied our announcement of a straightforward CVE-2015-1774 mitigation, <http://www.openoffice.org/security/cves/CVE-2015-1774.html>.
>
> I would largely agree, although I still believe the CVE and its mitigation should be documented at http://www.openoffice.org/download/ as there is a negligible chance any user downloading AOO will see it otherwise and I believe the risk is greater than is being recognised.

A reasonable suggestion I think. As it's been pointed out, there is little impact on the great majority of our users, but, additional information for new downloads is a good idea.

> > MORE MUSINGS
> >
> > We are not talking about a defect for which there is a known exploit and there would be very few users, if any, who might encounter one, were one worth developing.
> >
> > While Simon has expressed his own perspective on how dangerous the related defect is and what users are exposed to, that is not the consensus of the AOO security team and those who have oversight on its deliberations. That does not mean we shouldn't take further steps. It just means we have concluded there is no emergency.
> >
> > It would probably be a simpler and more-fruitful action to simply make this web page, <http://www.openoffice.org/security/>, the bulletins, and their translations more prominent and easily found on our web site.
> >
> > Also, with respect to CVE-2015-1774, I think the population of concern is those who use old (ca. 1999 and earlier) Korean-language HWP documents and are happily using OO.o 2.4 through 3.4 releases, remaining ignorant of AOO 4.1.2 and already-repaired LibreOffice distributions.
>
> If a malicious party were to create an HWP file crafted to exploit the vulnerability but then distribute it with another extension (say .ODT), AOO would still open it. I thus believe that there are two populations of concern:
>
> 1. Users of HWP files on any existing version of AOO and predecessors. This is alleged to be a small population, and I have no reason to disagree. Were this the only population of concern I would agree that the risk would be minimal.
> 2. All users of any distributed version of AOO and predecessors where the documented mitigation has not been applied are also vulnerable to the creation of a malicious HWP renamed with a benign file extension. There is no known exploit at present, but as the population of users with the vulnerability grows the risk increases.
>
> > We can do what we are able to do, when we do it, yet there is little to be done for folks who have no desire or even means to replace their OpenOffice software.
>
> I agree that we can only do what we have the resources to do. However, I continue to believe we are not taking all the steps we could to ensure that the second population of concern are adequately informed even if we do not have the resources to protect them.
>
> S.

--
-------------------------------------------------------------------------------------------------
MzK

"We can all sleep easy at night knowing that somewhere at any given time, the Foo Fighters are out there fighting Foo."
-- David Letterman