On Thu, 2006-08-17 at 01:35 +0100, Sander Vesik wrote:
> --- Ian Lynch <[EMAIL PROTECTED]> wrote:
>
> > They can if your system security lets them. If OOo has a bug that lets
> > Macros run without informing the user that is definitely a vulnerability
> > and nothing to do with the OS. However usually such things will get
> > fixed pretty quickly and well before they become a practical risk.
>
> I'm not sure where the OS entered into it... It doesn't matter as in most
> cases the attack just wants to run code on your machine. Which is not much
> different in Linux vs Solaris vs BSD vs Windows if the application is
> "co-operating".

> Ian, you have actually read this document -
> http://www.openoffice.org/security/CVE-2006-2198.html - right? And are aware
> of the curl overrun problem and how that could be exploited? Want to give an
> estimate of the number of installations that are still vulnerable to those
> bugs? And how long will it take for you yourself to upgrade after the next
> vulnerability is discovered?

It has been patched according to the above reference. Takes me myself about 5 minutes to upgrade - well, ok, it takes a bit longer to download the code, but I can do other things while that is happening. My Ubuntu distro provides me with security updates on a regular basis, so I assume that this is likely to include such things, and in any case the number of people that send me ODF documents at the moment is small and mostly people whom I do know and trust, so again I think the chance of a disaster is small. Ok, there could be something similar in the future when ODF is the preferred file format for exchanging documents, but then that could be true of any Office software based on the track record so far.

> One rarely talks of "theoretical" attacks without having done some proof of
> concept experiments.

I have proof of concept of several theoretical ways of making a billion dollars. I'm not that rich yet ;-)

In summary,

  Fix security vulnerabilities and publicise them
  Don't get over-paranoid about theory
  Weigh up cost against benefit/risk

For me I don't see any compelling reason to stop using OOo in my business on the grounds of security. I see no alternative that has an objectively better track record on security, and in general the overall cost of keeping the alternatives secure seems significantly higher. Theoretically there could be something a lot better; in practice I'm yet to find it.
Ian
-- 
www.theINGOTS.org
www.schoolforge.org.uk
www.opendocumentfellowship.org
