OpenOffice.org recently issued version 3.2, which fixed six vulnerabilities present in previous versions. The vulnerabilities...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
could be exploited for arbitrary code execution or to bypass authentication protection. Remote code-execution vulnerabilities are particularly popular with hackers because users can be targeted by email to get them to open a malicious document, which can then exploit the vulnerability. With over 100 million downloads of OpenOffice.org 3.x, the user base is large enough to attract serious interest from malicious hackers.
According to a study of 11 popular open source applications in 2008 by Fortify Software Inc., enterprises are underestimating the security and business risks of using open source software. One study found that flaws in commercial applications tend to get patched faster than open source ones because the vendors have a lot more at stake. That's open to debate, but certainly some open source projects do lack commercial-grade software change-control processes and testing tools, and if there's a lack of security processes during development, vulnerabilities can become an problem. Mozilla was highlighted as the open source project that took security most seriously, but the report found that many other projects were not building in efficient security in the design and development phases. Many commercial companies have upped their game by adopting a Security Development Lifecycle methodology, and for many the number of vulnerabilities reaching production code has been significantly reduced.
Before implementing any open source software, a risk analysis and code review must be carried out. Good documentation is essential for truly understanding how the application works and for dealing with incidents. The absence of software licensing fees needs to be offset against the costs of training, support and maintenance. Users must receive proper training, as the new software may perform similar functions differently. For example, OpenOffice tends not to have as many pop-up user warnings when opening a macro as Microsoft Office does. If the application introduces any new functionality, such as file sharing, you will need to update your acceptable usage policy to cover how and when these features can be used.
With open source there's no one to call when things go wrong, so check that there is an active and responsive support forum or group from which to draw advice. Another task is to subscribe to the relevant newsgroups that cover developments in your open source software. The OpenOffice.org project includes a security team that publishes its OpenOffice security alerts via a dedicated mailing list. To subscribe to the list, send a blank email to email@example.com. The OpenOffice.org security team also publishes details of security vulnerabilities in its Security Bulletin.
Dig Deeper on Securing Productivity Applications
Related Q&A from Michael Cobb
Open source NoSQL MongoDB database faced 30,000 insecure instances. Expert Michael Cobb explains the misconfiguration that led to this, and how to ...continue reading
A new Veracode report offers details on common mobile application security risks. Expert Michael Cobb explains these flaws, and what developers can ...continue reading
Juniper firewall products were found to have two backdoor vulnerabilities. Expert Michael Cobb explains how a cryptographic algorithm and hardcoded ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.