Re: Cross Script vulnerabilities in AOo Extensions?
On 4/7/16, tokiwrote: > All: > > In reading > http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/ > is the same type of vulnerability is possible with AOo extensions? > > jonathon "By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected." The spiral of restrictions only helps the #infosec rock stars continue being in the spotlight and keep their jobs. This is akin to someone "discovering" that a forks and knives can be used as lethal weapons. So let's restrict kitchenware. Better yet, let's implement a security measure by tying the forks and knife to the table to restrict movement of the fork and knife only a few inches from the dish. But then some "security researcher" will discover that the wire can be cut by malicious users. So the rope will be replaced by a steel wire. Then one day one security researcher will discover that malicious users can use the steel wire to strangle people. This can go on ad-infinitum. Hey, just found that pens, those innocuous devices used for writing and present in the pockets of numeroous geeks, can be taken by surprise by a bystander and poke you in the eye!. This is a grave security vulnerability. Let's put all pens under lock!. #sarcasm FC FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Re: Cross Script vulnerabilities in AOo Extensions?
On 07/04/2016 16:35, Dennis E. Hamilton wrote: > Multi-component collaborative exploit staging is possible although unnecessary. Rephrasing: For the time being, at least, one can "safely" ignore this type of exploit, because other vectors are much easier to exploit. Still, for those who are paranoid about security, this is yet another cause for concern, for which they will have to create the appropriate tools to verify the extension is not an exploit. jonathon signature.asc Description: OpenPGP digital signature
RE: Cross Script vulnerabilities in AOo Extensions?
Toki, thanks for your useful question. Here are some factors to consider. 1. The Apache OpenOffice project does not vet or review extensions and templates that are produced by third parties and downloadable from the SourceForge extension and template collections. These are all "at your own risk." 2. To the extent that extensions and templates operate at the privilege level of the OpenOffice user, it is possible for extension code to accomplish malicious purposes. 3. There is no sandbox for the operation of extensions generally: access to the internet, the desktop platform, and file systems are not constrained. Basically, it does not require anything so elaborate as the bypassing of FireFox add-on protection described in the Ars Technica article. Multi-component collaborative exploit staging is possible although unnecessary. Part of the problem is that the extension format goes back to OpenOffice.org 1.x and a simpler world. There is also complacency and mythology about OpenOffice not being vulnerable to some of the difficulties that arose in Microsoft Office software of the same and earlier eras. It could be more the case that exploit perpetrators prefer to go where the most victims are to be found. That does not mean other low-hanging fruit escapes attention, as we now know for Linux, Apple, Android, and other products. An upgrade of the extension packaging could provide some auditability. Perhaps the most important upgrade, using a form of ODF 1.2 packaging, would be use of digital signatures to provide a level of authentication on the extension/template source and allow detection of modifications or counterfeits. Other kinds of auditing and forensic analysis require better computer-based tools. Those are lacking generally, not just for extension packages. This is one of those situations where defenses require considerable more effort than attacking, although skill is required for an exploit to go undetected. No concerted effort on this area is foreseen at this time. - Dennis > -Original Message- > From: toki [mailto:toki.kant...@gmail.com] > Sent: Thursday, April 7, 2016 03:45 > To: dev@openoffice.apache.org > Subject: Cross Script vulnerabilities in AOo Extensions? > > All: > > In reading > http://arstechnica.com/security/2016/04/noscript-and-other-popular- > firefox-add-ons-open-millions-to-new-attack/ > is the same type of vulnerability is possible with AOo extensions? > > jonathon > - To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
Cross Script vulnerabilities in AOo Extensions?
All: In reading http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/ is the same type of vulnerability is possible with AOo extensions? jonathon signature.asc Description: OpenPGP digital signature