On Fri, 2011-11-18 at 12:07 -0800, Dennis E. Hamilton wrote: > When the download and execution is *performed* by Apache OpenOffice, the > vulnerability is now ours. That needs to be obvious too.
Howdy, Just a quick aside here - the idea of organizations using local extension and template repositories isn't completely out of the blue - as I recall there where a couple of school systems in the US that did just this and I a corporation in Japan...I'll try to find my old notes on that and pass along what I have, if I still have it. Thanks Drew Jensen > > -----Original Message----- > From: Rob Weir [mailto:[email protected]] > Sent: Friday, November 18, 2011 11:58 > To: [email protected] > Subject: Re: Install configuration management > > On Fri, Nov 18, 2011 at 2:11 PM, Dennis E. Hamilton > <[email protected]> wrote: > > I think this is all very interesting. > > > > I want to point out that any situation where code is downloaded for > > execution under the user's privileges while running Apache OpenOffice is an > > avenue for attack by injection of malicious code and also data mining the > > user account. > > > > I want to point out that any situation where code is downloaded for > execution under the user's privileges while *not running* Apache > OpenOffice is *also* an avenue for attack by injection of malicious > code and also data mining the user account. > > This is just stating the obvious in too many words. > > -Rob > >
