How Secure Is StarOffice?
supabeast! asks: "I am currently working for a large financial corporation that still uses MS Office 97. At some point the company will need to upgrade to a newer office suite, and I think that with some work I may be able to push the company towards StarOffice, which I prefer over MS Office. I am slowly putting together a list of advantages (and disadvantages) of StarOffice over MS Office 2000, and one glaring problem in MS Office is the many security flaws that it has brought up. Does anyone know of security issues with StarOffice, on any platform?" With MS Office still smarting from the LOVE from viruses like Melissa, I think it's high time we looked for alternatives. Security should be one of the first things that should be evaluated.
Sorry (Score:1)
Clients, OS, and Protection. (Score:1)
Load StarOffice on a test machine, send ILOVEYOU to it, then disconnect it from the network and try opening it. I doubt anything will happen if you're not on an MS machine. StarOffice is also available for MS machines, and I suspect it will use the standard file extension linkages.
A fair amount of ILOVEYOU required Outlook support. I don't know what will happen if you're running StarOffice on a machine with or without Outlook and/or Office installed.
A related question is whether a StarOffice-specific attack can succeed, not only whether StarOffice makes Outlook/Office attacks fail.
We don't know (Score:3)
We're lucky so far in that almost nobody runs Star Office, so the environment for viruses is very poor. Just like a virus in the meat world, computer viruses require a certain density of their hosts before they can replicate quickly. Star Office doesn't really provide that density, and it may never provide that density.
These sorts of closed-source kitchen sink apps that are appearing for Linux are useful tools, no doubt. But they are also very dangerous. I hope that open source apps become dominant in the desktop categories, because peer reviewed security is far better than the completely unreviewed security of Star Office.
Anyone that claims that Star Office is secure should be immediately challenged to "Prove It". Without the source code, security cannot be proved.
Re:Clients, OS, and Protection. (Score:2)
Not necessarily, the VBScript portion that was bad for the local user was the part of it that deleted files. The Outlook part was only used to forward these messages on to other people. As for that part, I've been told that *any* MAPI-compliant program would do the same, not just Outlook. I've got to wonder about that though, as even Outlook Express wasn't affected. Then again, maybe it's not MAPI-compliant.
I thought it was open source (Score:1)
I have seen some distros with StarOffice included. I assume Sun allows this redistribution, or maybe the distros have a special agreement with Sun.
On the other hand, you are also missing the point. StarOffice does not run as root (usually) so it probably cannot trash your entire PC (but maybe your home directory... make backups). PCs with Windows typically don't have this "feature" so a rogue program can muck system files left and right.
Sometimes sysadmins lock down PCs so that users can't kill the PC, but this doesn't always work. I have heard the M$ Office must write to various directories and files so you cannot really secure a PC with Office.
Just my $0.02 - ed
Re:Clients, OS, and Protection. (Score:2)
--
Re:I thought it was open source (Score:2)
And, it's often brought up that since Star Office doesn't run as root, it's less of a threat. Well, on my system, I have the operating system installed as root. EVERYTHING that is important on the system, my documents, my source code, is owned by my own personal user account. Sure, a virus would probably not be able to bring down my system, but it definitely would be able to destroy a lot of things that I need and use and work on every day. My personal loss would be just as large as if I were running a Windows machine.
UNIX security is very good for what it was meant for: protecting the machine from several different users, and protecting the users from each other. It's NOT as good for protecting a single user from himself. The solution to that is to use and build applications that are not wide open to virus exploits, and to make some good backups at regular intervals.
Exactly the problem (Score:1)
Chris Hagar
Re:I thought it was open source (Score:1)
Yet observe that the project of the virus is not to enable people to hurt themselves, but simply to cause trouble.
So if: "UNIX security is very good for what it was meant for: protecting the machine from several different users, and protecting the users from each other"
Is the organisation (employer(s), friend(s), neighbour(s), Internet) better secured by adopting Star Office?
Well I don't think so, because these Unix security benefits only apply when run under Linux/Solaris right? And the point at issue is the relative security of Star v MS Office and NOT Linux v Windows.
Re:I thought it was open source (Score:1)
Though it is good to remember that if you gave someone else an account on your machine, Star Office would not destroy your files if they screwed up. On a Windows box, somewhat different results may occur.
Of course, nothing beats regular backups. Disks sometimes break, and filesystems get corrupted, and sometimes people type rm -rf * without thinking, and you've got to deal with it somehow. Hmmm... good poll, Favorite Backup Method:
Tape
CD-R
Copy to another machine
Floppy
Don't
One thing I really like about Unix is the directory setup... you know that if you backup
The other side (Score:2)
I work on forecasting and optimization, and while the actual products are developed in the "normal" environment (Unix/C/C++/Oracle), whenever there is a need for a fast and dirty prototype/proof of concept/visualization/thinking aid, no tool known to me is even close to Excel - the combination of its spreadsheet capabilities plus macro recording plus all standard UI objects plus COMPLETE scriptability are a TOTAL killer.
Maybe I am just ignorant and some other tools provide the same functionality AND fine security (please, let me know if that's the case), but until I see them, I maintain that poor security in this case is just a flip side of an honest attempt to have great features and not a pure evil.
Re:UNIX not designed to protect the user from self (Score:1)
Re:The other side (Score:1)
On the other hand, I found Matlab to be an *excellent* prototyping system. All the mathematical functions you could want, powerful graphing abilities, GUI widgets, and you can define your own functions and scripts, too. But because it's not integrated with the operating system, it just always feels safer. And let's be honest, Matlab crashing never took down any Sparcs when I used it. I've managed to kill a PC or two with Excel/VB.
Make that Octave... (Score:1)
less secure when you're root (Score:1)
Citrix
Re:The other side (Score:2)
Emacs.
:-)
Universality of functionality can be a Good Thing®, of course. Just consider "undo." The same design that enables universal undo (encapsulating all application actions as a subclass of some generic Action class) makes it very easy to provide scripting as well.
Scripting, however, is not the universal boon that undo is, and I don't mean simply because of security. Frankly, scripting falls on to the wrong side of the 80/20 rule for typical users (and /. users are not typical users of productivity software).
Given that, providing scriptability for use other than by developers (and I would put many sophisticated Excel users in that category - the cell language is a mess, but it is a language) is a questionable investment of resources during product development. Making scripts runnable under anything but direct user control in an untrusted environment (the Internet) may not have been an act of deliberate malice (I make no claims for understanding the Hive Mind of Microsoft®). But if it wasn't an act of malice, it was one of colossal stupidity.
Re:I thought it was open source (Score:1)
How concerned with security can you be if you run as root all the time? UNIX gives you the means to help protect yourself, but if you don't use them that's your own fault.
That's like saying "Condoms are no good because I never use them"
It's NOT as good for protecting a single user from himself.
What is? Air bags are nice, but it doesn't help me If I drive off a cliff!
The solution to that is to use and build applications that are not wide open to virus exploits,
As long as users will run programs without thinking, this will always be a problem. Of course a "real" virus doesn't need users to do their dirty work.
and to make some good backups at regular intervals.
Always good advice.
Re:I thought it was open source (Score:1)
What is? How about:
What saves you then? Same example will go for the other platform as well:
The difference is that the first case done like so...
...will not work, as you know.