OpenOffice security: Concerns when moving from Microsoft Office

What are the major OpenOffice security concerns when transitioning from Microsoft Office? Security expert Michael Cobb explains how the security risks of open source and commercial software compare, and what to check before making the switch.

What are some major security concerns when transitioning to OpenOffice? The company I work for is considering moving from Microsoft Office to the OpenOffice productivity suite.
The debate over which is more secure, open source or commercial "shrink-wrap" software, is a never-ending one. Certainly, well-established open source projects such as Apache compare favorably against their commercial equivalents when it comes to security, and advocates of open source point to the continuous stream of security vulnerabilities in commercial software from vendors such as Microsoft and Adobe. Open source developers argue that the openness of the development process allows more security flaws to be caught. However, software isn't bug-free just because it's open source; it faces the same classes of vulnerability as commercial or in-house developed software.

OpenOffice.org recently issued version 3.2, which fixed six vulnerabilities present in previous versions. The vulnerabilities could be exploited for arbitrary code execution or to bypass authentication protection. Remote code-execution vulnerabilities are particularly popular with attackers because users can be targeted by email and persuaded to open a malicious document, which then exploits the flaw. With over 100 million downloads of OpenOffice.org 3.x, the user base is large enough to attract serious interest from malicious hackers.

According to a 2008 study of 11 popular open source applications by Fortify Software Inc., enterprises are underestimating the security and business risks of using open source software. Another study found that flaws in commercial applications tend to get patched faster than those in open source ones because the vendors have more at stake. That's open to debate, but certainly some open source projects lack commercial-grade change-control processes and testing tools, and where security processes are missing during development, vulnerabilities become a problem. Mozilla was highlighted as the open source project that took security most seriously, but the report found that many other projects were not building effective security into the design and development phases. Many commercial companies have upped their game by adopting a Security Development Lifecycle methodology, and for many of them the number of vulnerabilities reaching production code has been significantly reduced.

Before implementing any open source software, a risk analysis and code review must be carried out. Good documentation is essential for truly understanding how the application works and for dealing with incidents. The absence of software licensing fees needs to be offset against the costs of training, support and maintenance. Users must receive proper training, as the new software may perform similar functions differently. For example, OpenOffice tends to show fewer pop-up warnings when a document containing a macro is opened than Microsoft Office does, so users who rely on those prompts need to know what to look for and how the macro security level is set. If the application introduces any new functionality, such as file sharing, you will need to update your acceptable usage policy to cover how and when these features can be used.
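The two OpenOffice-specific points above (malicious documents arriving by email, and macro prompts that are easier to miss than Microsoft Office's) can be checked mechanically. The following is an added example, not code from the article or from the OpenOffice.org project: it unpacks an OpenDocument file (an ODF package is a zip) to see whether it embeds Basic or other scripts and whether any of them is bound to the dom:load event, which runs the macro as soon as the document is opened; it reads the MacroSecurityLevel setting from a user profile's registrymodifications.xcu; and it combines the two into a simple triage decision. The ODT files and the .xcu fragment are constructed inline, the default level of 2 (High) is an assumption about what applies when the profile sets nothing, and the triage policy is illustrative rather than an OpenOffice.org recommendation.

```python
"""Check an ODF document for embedded macros and an OpenOffice profile for its
macro security level. Added example: not from the article or OpenOffice.org.
All sample data below is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
OOR_NS = "http://openoffice.org/2001/registry"

# Levels as shown under Tools > Options > Security > Macro Security.
LEVEL_NAMES = {0: "Low", 1: "Medium", 2: "High", 3: "Very high"}
DEFAULT_LEVEL = 2  # assumption: High applies when the profile sets nothing
SCRIPTING_PATH = "/org.openoffice.Office.Common/Security/Scripting"


def odf_macro_report(package: bytes) -> dict:
    """Inspect an ODF package (a zip) for embedded scripts and event bindings."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        content = zf.read("content.xml") if "content.xml" in names else b"<x/>"
    # Basic libraries are stored under Basic/; other script languages under Scripts/.
    scripts = [n for n in names if n.startswith(("Basic/", "Scripts/")) and not n.endswith("/")]
    # script:event-listener elements bind macros to document events; dom:load fires on open.
    listeners = [
        (el.get(f"{{{SCRIPT_NS}}}event-name"), el.get(f"{{{XLINK_NS}}}href"))
        for el in ET.fromstring(content).iter(f"{{{SCRIPT_NS}}}event-listener")
    ]
    return {
        "has_macros": bool(scripts),
        "script_entries": scripts,
        "event_listeners": listeners,
        "runs_on_open": any(name == "dom:load" for name, _ in listeners),
    }


def macro_security_level(xcu_xml: str) -> int:
    """Read MacroSecurityLevel from registrymodifications.xcu; absent means the default."""
    for item in ET.fromstring(xcu_xml).iter("item"):
        if item.get(f"{{{OOR_NS}}}path") != SCRIPTING_PATH:
            continue
        for prop in item.iter("prop"):
            if prop.get(f"{{{OOR_NS}}}name") == "MacroSecurityLevel":
                value = prop.find("value")
                if value is not None and value.text and value.text.strip().isdigit():
                    return int(value.text)
    return DEFAULT_LEVEL


def triage(report: dict, level: int) -> str:
    """Illustrative gateway policy for a document bound for a user at this level."""
    if not report["has_macros"]:
        return "allow"
    if level == 0:  # Low: macros run with no prompt at all
        return "block"
    if level == 1:  # Medium: a single click in the prompt runs them
        return "block" if report["runs_on_open"] else "review"
    return "allow"  # High / Very high: unsigned document macros stay disabled


def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed sample: a minimal ODT, optionally with a Basic library bound to dom:load."""
    listener = ""
    if with_macro:
        listener = (
            "<office:scripts><office:event-listeners>"
            '<script:event-listener script:event-name="dom:load" '
            'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
            '?language=Basic&amp;location=document"/>'
            "</office:event-listeners></office:scripts>"
        )
    content = (
        f'<office:document-content xmlns:office="{OFFICE_NS}" '
        f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
        f"{listener}<office:body/></office:document-content>"
    )
    files = {
        "mimetype": "application/vnd.oasis.opendocument.text",
        "META-INF/manifest.xml": f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}"/>',
        "content.xml": content,
    }
    if with_macro:
        files["Basic/script-lc.xml"] = '<library:libraries xmlns:library="http://openoffice.org/2000/library"/>'
        files["Basic/Standard/script-lb.xml"] = '<library:library xmlns:library="http://openoffice.org/2000/library" library:name="Standard"/>'
        files["Basic/Standard/Module1.xml"] = (
            '<script:module xmlns:script="http://openoffice.org/2000/script" '
            'script:name="Module1" script:language="StarBasic">'
            'Sub Main\n MsgBox "macro ran"\nEnd Sub</script:module>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed profile fragment that sets the weakest level (Low).
SAMPLE_XCU_LOW = f"""<oor:items xmlns:oor="{OOR_NS}">
<item oor:path="{SCRIPTING_PATH}"><prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>0</value></prop></item>
</oor:items>"""


if __name__ == "__main__":
    level = macro_security_level(SAMPLE_XCU_LOW)
    print(f"profile macro security level: {level} ({LEVEL_NAMES[level]})")
    for label, doc in (("clean.odt", build_sample_odt(False)), ("macro.odt", build_sample_odt(True))):
        r = odf_macro_report(doc)
        print(f"{label}: scripts={r['script_entries']} runs_on_open={r['runs_on_open']} -> {triage(r, level)}")
```

A real deployment would point macro_security_level at each user's registrymodifications.xcu (under the OpenOffice.org user profile directory) and run odf_macro_report at the mail gateway; the point of the combined check is that a Low or Medium profile turns a macro-bearing attachment into a one-click or zero-click execution path, which is exactly the email-delivered scenario the answer warns about.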

With open source there's usually no vendor to call when things go wrong, unless you buy a commercial support contract, so check that there is an active and responsive support forum or group from which to draw advice. Another task is to subscribe to the relevant newsgroups and mailing lists that cover developments in your open source software. The OpenOffice.org project includes a security team that publishes its security alerts via a dedicated mailing list. To subscribe to the list, send a blank email to [email protected]. The security team also publishes details of security vulnerabilities in its Security Bulletin.

This was last published in March 2010
