OpenOffice.org recently issued version 3.2, which fixed six vulnerabilities present in previous versions. The vulnerabilities could be exploited for arbitrary code execution or to bypass authentication protection. Remote code-execution vulnerabilities are particularly popular with hackers because users can be targeted by email to get them to open a malicious document, which can then exploit the vulnerability. With over 100 million downloads of OpenOffice.org 3.x, the user base is large enough to attract serious interest from malicious hackers.
According to a study of 11 popular open source applications in 2008 by Fortify Software Inc., enterprises are underestimating the security and business risks of using open source software. One study found that flaws in commercial applications tend to get patched faster than open source ones because the vendors have a lot more at stake. That's open to debate, but certainly some open source projects do lack commercial-grade software change-control processes and testing tools, and if there's a lack of security processes during development, vulnerabilities can become a problem. Mozilla was highlighted as the open source project that took security most seriously, but the report found that many other projects were not building effective security into the design and development phases. Many commercial companies have upped their game by adopting a Security Development Lifecycle methodology, and for many the number of vulnerabilities reaching production code has been significantly reduced.
Before implementing any open source software, a risk analysis and code review must be carried out. Good documentation is essential for truly understanding how the application works and for dealing with incidents. The absence of software licensing fees needs to be offset against the costs of training, support and maintenance. Users must receive proper training, as the new software may perform similar functions differently. For example, OpenOffice tends not to have as many pop-up user warnings when opening a macro as Microsoft Office does. If the application introduces any new functionality, such as file sharing, you will need to update your acceptable usage policy to cover how and when these features can be used.
With open source there's no one to call when things go wrong, so check that there is an active and responsive support forum or group from which to draw advice. Another task is to subscribe to the relevant newsgroups that cover developments in your open source software. The OpenOffice.org project includes a security team that publishes its OpenOffice security alerts via a dedicated mailing list. To subscribe to the list, send a blank email to email@example.com. The OpenOffice.org security team also publishes details of security vulnerabilities in its Security Bulletin.
This was first published in March 2010