Update on my Black Hat 2009 OOo Security comments

I have to correct something that I just wrote in my Black Hat 2009 OOo Security comments.

My colleague who is working on the encryption stuff just pointed me to the fact that we have fixed the bug with macros in encrypted documents sometimes not being encrypted, but that we don't show the warning that I mentioned. The reason was (again) compatibility.

I am really sorry for my false statement about this, and that the attack described in the paper (replacing encrypted macros with plain text macros) still works in OOo 3.0 and 3.1.

I will do my best to get this changed in the upcoming OOo 3.2 version, so that the warning is shown as promised...
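The gap described above (an encrypted ODF document whose macro streams are stored in the clear, with no warning shown) can be checked for from the outside, because an ODF package is a ZIP whose META-INF/manifest.xml records an encryption-data element for every encrypted stream. The following Python script is an added example and not part of the original post or of OpenOffice.org itself: it builds a constructed, minimal package in memory (a dummy content.xml standing in for ciphertext, a plain-text Basic/Standard/Module1.xml, and a manifest marking only content.xml as encrypted) and then audits the manifest. The macro path prefixes and the placeholder checksum, IV and salt values are assumptions made for the example; the check only reads manifest metadata and never decrypts anything.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
# Assumed locations of macro streams inside an ODF package (StarBasic and scripting framework).
MACRO_PREFIXES = ("Basic/", "Scripts/")
# Streams that are never encrypted in an ODF package and so are ignored when
# deciding whether the document as a whole is encrypted.
NEVER_ENCRYPTED = ("mimetype", "META-INF/manifest.xml")


def encrypted_entries(manifest_xml: bytes) -> dict:
    """Map each manifest full-path to True when its file-entry carries encryption-data."""
    root = ET.fromstring(manifest_xml)
    ns = {"m": MANIFEST_NS}
    result = {}
    for entry in root.findall("m:file-entry", ns):
        path = entry.get(f"{{{MANIFEST_NS}}}full-path")
        result[path] = entry.find("m:encryption-data", ns) is not None
    return result


def audit_macro_encryption(odf_bytes: bytes):
    """Return (document_is_encrypted, [macro streams that are NOT encrypted]).

    A macro stream that is missing from the manifest entirely is reported as
    unencrypted too, since nothing vouches for it.
    """
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        manifest = zf.read("META-INF/manifest.xml")
        names = [n for n in zf.namelist() if not n.endswith("/")]
    enc = encrypted_entries(manifest)
    document_encrypted = any(enc.get(n, False) for n in names if n not in NEVER_ENCRYPTED)
    plaintext_macros = sorted(
        n for n in names if n.startswith(MACRO_PREFIXES) and not enc.get(n, False)
    )
    return document_encrypted, plaintext_macros


def build_sample(macro_encrypted: bool) -> bytes:
    """Constructed sample package; the checksum/IV/salt values are placeholders, not real data."""
    enc_block = (
        '<manifest:encryption-data manifest:checksum-type="SHA1/1K" manifest:checksum="PLACEHOLDER">'
        '<manifest:algorithm manifest:algorithm-name="Blowfish CFB" manifest:initialisation-vector="PLACEHOLDER"/>'
        '<manifest:key-derivation manifest:key-derivation-name="PBKDF2" manifest:iteration-count="1024" manifest:salt="PLACEHOLDER"/>'
        "</manifest:encryption-data>"
    )

    def entry(path, media_type, encrypted):
        if encrypted:
            return (f'<manifest:file-entry manifest:full-path="{path}" manifest:media-type="{media_type}" '
                    f'manifest:size="64">{enc_block}</manifest:file-entry>')
        return f'<manifest:file-entry manifest:full-path="{path}" manifest:media-type="{media_type}"/>'

    manifest = (
        f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
        + entry("/", "application/vnd.oasis.opendocument.text", False)
        + entry("content.xml", "text/xml", True)
        + entry("Basic/Standard/Module1.xml", "text/xml", macro_encrypted)
        + "</manifest:manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr("content.xml", b"\x00" * 64)          # stands in for ciphertext
        zf.writestr("Basic/Standard/Module1.xml", "Sub Main\nEnd Sub\n")  # constructed plain-text macro
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        encrypted, exposed = audit_macro_encryption(build_sample(flag))
        print(f"document encrypted: {encrypted}, unencrypted macro streams: {exposed}")
```

A mail gateway or a document-intake script can run this audit before a file reaches a user: a document that is encrypted but carries plain-text macro streams is exactly the state the post describes and is worth quarantining or flagging, independent of whatever macro security level the user has chosen.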


Comments:

Malte, remember that OpenOffice by default has the macro security level set to high. That means that only signed macros from trusted sources are allowed to run. Unsigned macros are disabled.
If you replace an encrypted macro with a plain text macro, OpenOffice warns about it.
So the attack described would not be possible in a default installation.

Posted by tuxwarrior on May 12, 2009 at 06:07 PM CEST #

Hi tuxwarrior,

you are right, but

a) it's just the default level - could have been changed by the user to medium or low
(I guess the option "low" should better be removed - but I am not sure about side effects for office automation projects)

b) it's really a serious issue when macros in an encrypted document could have been manipulated without letting the user know that this could have happened.

Posted by guest on May 13, 2009 at 03:17 AM CEST #

About

Malte Timmermann
