OpenOffice.org recently issued version 3.2, which fixed six vulnerabilities present in previous versions. The vulnerabilities...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
could be exploited for arbitrary code execution or to bypass authentication protection. Remote code-execution vulnerabilities are particularly popular with hackers because users can be targeted by email to get them to open a malicious document, which can then exploit the vulnerability. With over 100 million downloads of OpenOffice.org 3.x, the user base is large enough to attract serious interest from malicious hackers.
According to a study of 11 popular open source applications in 2008 by Fortify Software Inc., enterprises are underestimating the security and business risks of using open source software. One study found that flaws in commercial applications tend to get patched faster than open source ones because the vendors have a lot more at stake. That's open to debate, but certainly some open source projects do lack commercial-grade software change-control processes and testing tools, and if there's a lack of security processes during development, vulnerabilities can become an problem. Mozilla was highlighted as the open source project that took security most seriously, but the report found that many other projects were not building in efficient security in the design and development phases. Many commercial companies have upped their game by adopting a Security Development Lifecycle methodology, and for many the number of vulnerabilities reaching production code has been significantly reduced.
Before implementing any open source software, a risk analysis and code review must be carried out. Good documentation is essential for truly understanding how the application works and for dealing with incidents. The absence of software licensing fees needs to be offset against the costs of training, support and maintenance. Users must receive proper training, as the new software may perform similar functions differently. For example, OpenOffice tends not to have as many pop-up user warnings when opening a macro as Microsoft Office does. If the application introduces any new functionality, such as file sharing, you will need to update your acceptable usage policy to cover how and when these features can be used.
With open source there's no one to call when things go wrong, so check that there is an active and responsive support forum or group from which to draw advice. Another task is to subscribe to the relevant newsgroups that cover developments in your open source software. The OpenOffice.org project includes a security team that publishes its OpenOffice security alerts via a dedicated mailing list. To subscribe to the list, send a blank email to email@example.com. The OpenOffice.org security team also publishes details of security vulnerabilities in its Security Bulletin.
Dig Deeper on Securing Productivity Applications
Related Q&A from Michael Cobb
A malicious app called Black Jack Free was able to bypass Google Play's app store security. Expert Michael Cobb explains the threat and how ...continue reading
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.