Page 2 sur 2Précédent 1, 2OpenOffice serait plus dangereux que MS Office selon...

[pierre-yves]

Sinon pour résoudre le problème il suffirait d'être dans une sessions Windows avec droits limités, non ?

ça empêcherait de détruire des fichiers système mais pas les documents de l'utilisateur....

[sirakawa]

Macro, CVE-2006-2198
Macro Vulnerability

* Synopsis: Security Vulnerability With Macros in OpenOffice.org
* Issue ID: 66863
* State: Resolved

1. Impact

A security vulnerability in OpenOffice.org may make it possible to inject basic code into documents which is executed upon loading of the document. The user will not be asked or notified and the macro will have full access to system resources with current user's privileges. As a result, the macro may delete/replace files, read/send private data and/or cause additional security issues.

Note: Disabling document macros will not prevent this issue.

[Totophe]

Heu, si je comprends bien, il y a une faille de sécurité dans OpenOffice pour Windows ?
Dans ce cas, "Yaka" utiliser Linux pis voila

non?

[Téthis]

Macro, CVE-2006-2198
Macro Vulnerability

* Synopsis: Security Vulnerability With Macros in OpenOffice.org
* Issue ID: 66863
* State: Resolved

Sais-tu comment fonction le système des advisories ? On ne les diffuse pas sans que l'éditeur est été prévenu et sans délai.

Je peux te dire qu'en un semaine il y a eu du ménage de fait.

Package : openoffice.org
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE IDs : CVE-2006-2198 CVE-2006-2199 CVE-2006-3117

Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite. The Common Vulnerabilities and Exposures Project
identifies ***spam*** problems:

CVE-2006-2198

It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but
executes them anyway without any user interaction.

CVE-2006-2199

It is possible to evade the Java sandbox with specially crafted
Java applets.

CVE-2006-3117

Loading malformed XML documents can cause buffer overflows and
cause a denial of service or execute arbitrary code.

Package : openoffice.org
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE ID : CVE-2006-3117

Loading malformed XML documents can cause buffer overflows in
OpenOffice.org, a free office suite, and cause a denial of service or
execute arbitrary code. It turned out that the correction in DSA
1104-1 was not sufficient, hence, another update.

Tiré d'une ML de securityfocus

[Faj]

L'article ne donne pas la precision, mais ne devrait-on pas lire "OpenOffice plus dangereux que MS Office sous MS Windows' ?

Juste auguste
On peut aussi se poser la question "plus dangereux car menace des emplois au sein du Ministère de la Défense"
Quand je pense au temps qu'un technicien (celui de mon département par exemple) passe à se battre avec les bugs de Windouche

[Téthis]

Dites les gars, arrêtez de vous masturber les neurones aux manchots. Puisqu'il n'y a pas officiellement de MSO sous Linux, les failles ne sont pas dangeureuse car la comparaison OOo/MSO ne tient pas ?

Les réponses sur la ML securityfocus

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:118
http://www.mandriva.com/security/
_______________________________________________________________________

Package : OpenOffice.org
Date : July 7, 2006
Affected: 2006.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

OpenOffice.org 1.1.x up to 1.1.5 and 2.0.x before 2.0.3 allows user-complicit
attackers to conduct unauthorized activities via an OpenOffice document with
a malicious BASIC macro, which is executed without prompting the user.
(CVE-2006-2198)

An unspecified vulnerability in Java Applets in OpenOffice.org 1.1.x up to
1.1.5 and 2.0.x before 2.0.3 allows user-complicit attackers to escape the
Java sandbox and conduct unauthorized activities via certain applets in
OpenOffice documents. (CVE-2006-2199)

Heap-based buffer overflow in OpenOffice.org 1.1.x up to 1.1.5 and 2.0.x
before 2.0.3 allows user-complicit attackers to execute arbitrary code via a
crafted OpenOffice XML document that is not properly handled by (1) Calc,
(2) Draw, (3) Impress, (4) Math, or (5) Writer, aka "File Format / Buffer
Overflow Vulnerability." (CVE-2006-3117)

Updated packages are patched to address this issue.

A security issue affects ***spam*** Ubuntu releases:

Ubuntu 5.04
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
openoffice.org-bin 1.1.3-8ubuntu2.4

Ubuntu 6.06 LTS:
openoffice.org-base 2.0.2-2ubuntu12.1
openoffice.org-common 2.0.2-2ubuntu12.1
openoffice.org-core 2.0.2-2ubuntu12.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Ubuntu 5.10 is also affected by these flaws. Updated packages will be
provided shortly.

Details follow:

It was possible to embed Basic macros in documents in a way that
OpenOffice.org would not ask for confirmation about executing them. By
tricking a user into opening a malicious document, this could be
exploited to run arbitrary Basic code (including local file access and
modification) with the user's privileges. (CVE-2006-2198)

A flaw was discovered in the Java sandbox which allowed Java applets
to break out of the sandbox and execute code without restrictions. By
tricking a user into opening a malicious document, this could be
exploited to run arbitrary code with the user's privileges. This
update disables Java applets for OpenOffice.org, since it is not
generally possible to guarantee the sandbox restrictions.
(CVE-2006-2199)

A buffer overflow has been found in the XML parser. By tricking a user
into opening a specially crafted XML file with OpenOffice.org, this
could be exploited to execute arbitrary code with the user's
privileges. (CVE-2006-3117)

C'est quoi Ubuntu et Mandriva, uniquement des versions de Windows ?

Les failles relatées sont très dangereuses. Ce qui a fait (fait encore ?) d'OOo un problème de sécurité. Peut importe que ce soit sous Linux ou Windows.

Quand on est interviewé, on ne choisit généralement pas le titre de l'article, ni ne contrôlons la présentation de notre message.