Hi,

since people discuss this on the users list, and someone also asked the security team about it, I have written something about this in my blog:
http://blogs.sun.com/malte/entry/evilgrade_and_openoffice_org

I also have some comments on things I have read in the thread on the users list:

> EvilGrade Exploit tool kit alleges it attacks OO.o
> http://www.openoffice.org/servlets/BrowseList?list=users&by=thread&from=2101839

1) OOo Updates/Upgrades

In my definition, OOo doesn't have updates. For me, an update is something which does not contain everything like the full installation package, but only the parts that have to be changed. OOo does not apply updates, but does an upgrade installation, which means deinstalling the old version, installing the new version, and keeping/migrating the old configuration.

But in the end, it doesn't matter. What matters is whether an application executes/deploys some downloaded binaries. And this is the case when you press "Install" in the online update dialog. For this reason, OOo is affected by possible attacks, and I think signed packages are the only solution for this. Of course OOo would then not simply check for a valid signature, but for signatures from trusted OOo providers.

2) RFE issue 69032

Implementing RFE 69032 (http://www.openoffice.org/issues/show_bug.cgi?id=69032) is the first part to be done, and I still would like to see that for OOo 3.0. Once this is available, the update component also must make use of that:
http://www.openoffice.org/issues/show_bug.cgi?id=92489
I hope this can be done for OOo 3.1; at least I have specified that target.

Follow up to [email protected], since I don't read the users list regularly - and I guess it's a discussion anyway ;)

Of course you might also comment in my blog.

Malte.

--
Malte Timmermann
http://blogs.sun.com/malte
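The distinction Malte draws in point 1), between "the package has a valid signature" and "the package is signed by a trusted OOo provider", is the whole defence against an EvilGrade-style swap of the downloaded installer. The following Go program is an added example written for this page; it is not OOo code and does not reflect how RFE 69032 or issue 92489 were implemented. It assumes a hypothetical package format (installer bytes, a detached Ed25519 signature, and the public key the package claims it was signed with) and constructs all keys and payloads in memory. It shows that a naive "does the signature verify?" check accepts an attacker's self-signed binary, while a check against a trust store of provider keys rejects it, and also rejects a genuine package whose bytes were modified in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage is what the online-update dialog would hand to "Install":
// the downloaded installer bytes, a detached signature, and the public key
// the package claims it was signed with. This format is an assumption made
// for the example; the page describes no such OOo package format.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

var (
	ErrNoSignature     = errors.New("update package carries no signature")
	ErrUntrustedSigner = errors.New("signing key is not a trusted OOo provider")
	ErrBadSignature    = errors.New("signature does not verify against the payload")
)

// TrustStore holds the public keys of the providers whose packages may be
// installed, indexed by hex encoding for lookup.
type TrustStore struct {
	keys map[string]ed25519.PublicKey
}

func NewTrustStore(trusted ...ed25519.PublicKey) *TrustStore {
	ts := &TrustStore{keys: make(map[string]ed25519.PublicKey)}
	for _, k := range trusted {
		ts.keys[hex.EncodeToString(k)] = k
	}
	return ts
}

// SignPackage is the provider-side step: sign the installer bytes and attach
// the provider's public key so the client can look it up.
func SignPackage(pub ed25519.PublicKey, priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload), SignerKey: pub}
}

// SignatureIsValid is the naive check: "is there a signature that verifies?"
// It answers yes for anything signed with the key it was shipped with,
// including an attacker's own key, which is why it is not sufficient.
func SignatureIsValid(pkg UpdatePackage) bool {
	if len(pkg.Signature) == 0 || len(pkg.SignerKey) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pkg.SignerKey, pkg.Payload, pkg.Signature)
}

// Verify is the check the update component should run before "Install":
// the claimed signer must be in the trust store, and the signature is then
// checked against the stored copy of that key, never the key in the package.
// Any error means the downloaded binaries must not be executed or deployed.
func (ts *TrustStore) Verify(pkg UpdatePackage) error {
	if len(pkg.Signature) == 0 {
		return ErrNoSignature
	}
	trustedKey, ok := ts.keys[hex.EncodeToString(pkg.SignerKey)]
	if !ok {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(trustedKey, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenario plays out an on-path interception with constructed data: the
// vendor signs a genuine installer; an attacker either flips bytes in it
// (keeping the vendor's signature) or substitutes a trojaned installer signed
// with the attacker's own key. It returns the trust-store verdict for each
// package and the naive check's verdict on the attacker-signed one.
func Scenario() (genuineErr, tamperedErr, poisonedErr error, poisonedLooksSigned bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	store := NewTrustStore(vendorPub) // only the vendor's key is trusted

	genuine := SignPackage(vendorPub, vendorPriv, []byte("OOo installer (constructed payload)"))

	tampered := genuine
	tampered.Payload = append([]byte(nil), genuine.Payload...)
	tampered.Payload[0] ^= 0xff // modified in transit, vendor signature kept

	poisoned := SignPackage(attackerPub, attackerPriv, []byte("trojaned installer (constructed payload)"))

	return store.Verify(genuine), store.Verify(tampered), store.Verify(poisoned), SignatureIsValid(poisoned)
}

func main() {
	genuineErr, tamperedErr, poisonedErr, looksSigned := Scenario()
	fmt.Println("genuine package:", genuineErr)
	fmt.Println("tampered package:", tamperedErr)
	fmt.Println("attacker-signed package passes naive check:", looksSigned)
	fmt.Println("attacker-signed package:", poisonedErr)
}
```

The trust store is the part a real implementation has to get right: the provider keys must ship with the installed OOo (or be pinned at first install), never be fetched over the same channel as the update, and the client must verify against its own stored copy of the key rather than whatever key the downloaded package names.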
