Re: Cross Script vulnerabilities in AOo Extensions?

2016-04-07 Thread Fernando Cassia
On 4/7/16, toki  wrote:
> All:
>
> In reading
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
> is the same type of vulnerability is possible with AOo extensions?
>
> jonathon

"By piggybacking off the capabilities of trusted third-party add-ons,
the malicious add-on faces much better odds of not being detected."

The spiral of restrictions only helps the #infosec rock stars continue
being in the spotlight and keep their jobs.

This is akin to someone "discovering" that forks and knives can be
used as lethal weapons. So let's restrict kitchenware. Better yet,
let's implement a security measure by tying the forks and knife to the
table to restrict movement of the fork and knife only a few inches
from the dish. But then some "security researcher" will discover that
the wire can be cut by malicious users. So the rope will be replaced
by a steel wire.

Then one day one security researcher will discover that malicious
users can use the steel wire to strangle people.

This can go on ad infinitum. Hey, just found that pens, those
innocuous devices used for writing and present in the pockets of
numerous geeks, can be taken by surprise by a bystander and poke you
in the eye! This is a grave security vulnerability. Let's put all
pens under lock!

#sarcasm
FC
-- 
During times of Universal Deceit, telling the truth becomes a revolutionary
act
- George Orwell

-
To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org
For additional commands, e-mail: dev-h...@openoffice.apache.org



Re: Cross Script vulnerabilities in AOo Extensions?

2016-04-07 Thread toki
On 07/04/2016 16:35, Dennis E. Hamilton wrote:

> Multi-component collaborative exploit staging is possible although
> unnecessary.

Rephrasing: For the time being, at least, one can "safely" ignore this
type of exploit, because other vectors are much easier to exploit.

Still, for those who are paranoid about security, this is yet another
cause for concern, for which they will have to create the appropriate
tools to verify the extension is not an exploit.

jonathon






RE: Cross Script vulnerabilities in AOo Extensions?

2016-04-07 Thread Dennis E. Hamilton
Toki, thanks for your useful question.

Here are some factors to consider.

 1. The Apache OpenOffice project does not vet or review extensions and 
templates that are produced by third parties and downloadable from the 
SourceForge extension and template collections.  These are all "at your own 
risk." 

 2. To the extent that extensions and templates operate at the privilege level 
of the OpenOffice user, it is possible for extension code to accomplish 
malicious purposes.

 3. There is no sandbox for the operation of extensions generally: access to 
the internet, the desktop platform, and file systems are not constrained.
 
Basically, it does not require anything so elaborate as the bypassing of 
Firefox add-on protection described in the Ars Technica article.  
Multi-component collaborative exploit staging is possible although unnecessary.

Part of the problem is that the extension format goes back to OpenOffice.org 
1.x and a simpler world.  

There is also complacency and mythology about OpenOffice not being vulnerable 
to some of the difficulties that arose in Microsoft Office software of the same 
and earlier eras.  It could be more the case that exploit perpetrators prefer 
to go where the most victims are to be found.  That does not mean other 
low-hanging fruit escapes attention, as we now know for Linux, Apple, Android, 
and other products.  

An upgrade of the extension packaging could provide some auditability.  Perhaps 
the most important upgrade, using a form of ODF 1.2 packaging, would be use of 
digital signatures to provide a level of authentication on the 
extension/template source and allow detection of modifications or counterfeits.

Other kinds of auditing and forensic analysis require better computer-based 
tools.  Those are lacking generally, not just for extension packages.

This is one of those situations where defenses require considerably more effort 
than attacking, although skill is required for an exploit to go undetected.

No concerted effort on this area is foreseen at this time.  

 - Dennis  



> -Original Message-
> From: toki [mailto:toki.kant...@gmail.com]
> Sent: Thursday, April 7, 2016 03:45
> To: dev@openoffice.apache.org
> Subject: Cross Script vulnerabilities in AOo Extensions?
> 
> All:
> 
> In reading
> http://arstechnica.com/security/2016/04/noscript-and-other-popular-
> firefox-add-ons-open-millions-to-new-attack/
> is the same type of vulnerability is possible with AOo extensions?
> 
> jonathon
> 


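The three factors Dennis lists (no vetting, extension code at user privilege, no sandbox) and toki's remark that the paranoid will need tools to check an extension suggest a static triage step. The script below is an added example, not code from the thread or from the Apache OpenOffice project; it assumes an .oxt is a ZIP whose META-INF/manifest.xml declares entries by media type, and that an ODF 1.2-style signature, if one were ever added, would sit at META-INF/documentsignatures.xml. The sample package it inspects is constructed in memory, so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:opendocument:xmlns:manifest:1.0}"
MANIFEST = "META-INF/manifest.xml"
SIGNATURE = "META-INF/documentsignatures.xml"  # ODF 1.2 location, assumed

def classify(media_type):
    # Manifest media types that load code running with the user's privileges.
    if media_type == "application/vnd.sun.star.basic-library":
        return "Basic"
    if media_type.startswith("application/vnd.sun.star.uno-component"):
        return media_type.partition("type=")[2] or "component"
    return None

def triage_oxt(data):
    """Static triage: signature present?, code-bearing entries, and ZIP
    members the manifest never declares (possible hidden content)."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    root = ET.fromstring(zf.read(MANIFEST))
    declared = {e.get(NS + "full-path"): e.get(NS + "media-type", "")
                for e in root.iter(NS + "file-entry")}
    def covered(path):  # declared directly or under a declared directory
        return any(path == d or (d.endswith("/") and path.startswith(d))
                   for d in declared)
    members = [n for n in zf.namelist()
               if not n.endswith("/") and not n.startswith("META-INF/")]
    return {"signed": SIGNATURE in zf.namelist(),
            "code": [(p, classify(m)) for p, m in declared.items() if classify(m)],
            "unlisted": sorted(p for p in members if not covered(p))}

def build_sample_oxt():
    """Constructed sample (not a real extension): a Basic library, a Java
    component, and a stray file the manifest does not mention."""
    manifest = (
        '<?xml version="1.0"?><manifest:manifest xmlns:manifest="%s">'
        '<manifest:file-entry manifest:full-path="Library/" '
        'manifest:media-type="application/vnd.sun.star.basic-library"/>'
        '<manifest:file-entry manifest:full-path="Component.jar" manifest:'
        'media-type="application/vnd.sun.star.uno-component;type=Java"/>'
        '</manifest:manifest>' % NS[1:-1])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("Library/Module1.xba", "<!-- Basic module -->")
        zf.writestr("Component.jar", b"placeholder jar bytes")
        zf.writestr("extra/helper.py", "# never declared in the manifest")
    return buf.getvalue()
```

Absence of a signature entry and any undeclared member are the two findings a reviewer would want surfaced before installing a third-party package; the media-type classification shows which entries will execute with the user's full privileges.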




Cross Script vulnerabilities in AOo Extensions?

2016-04-07 Thread toki
All:

In reading
http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
is the same type of vulnerability is possible with AOo extensions?

jonathon



