06/30/2006
Package for OOo Security Bulletin 2006-06-29
OpenOffice.org 2.0.3 has been announced as released!
(The French version is expected in the coming hours.)

This announcement provides a security bulletin dealing with 3 potential vulnerabilities detected by internal security audits.

If you cannot install this new 2.0.3 version for whatever reason, the issue dealing with Java applets can be countered as mentioned on the dedicated page, Java Applets, CVE-2006-2199
(be careful: the other issues remain!)

The proposed solution works great by deactivating Java applets, but it is not so easy to deploy at large scale or for regular users. So I used the OOo tools for what they are made for: the UNO package concept, which allows creating great extensions but also deploying configuration settings.

So this addon reproduces what is proposed on the CVE page. It works for OOo 2.x as well as OOo 1.x.

To deploy under OOo 2.x
  • Tools > Package Manager > add and select the zip file
    or
  • launch <OOoInstall>/program/unopkg <ZipFilePath>

To deploy under OOo 1.x
  • launch <OOoInstall>/program/pkgchk <ZipFilePath>

Note that running these command lines with the -s switch (for share) lets you deploy the addon for all your users.

To test that the patch has been applied correctly, you can insert an applet (e.g. JavaClock.class can be used for testing purposes) and check that it does not run.

You insert a Java applet through
  • Insert > Object > Applet
Once the patch is applied, only a drawing with the name of the applet should be displayed, and the applet should not run anymore.

This check also applies to already created documents containing applets.
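To find which existing documents are worth re-opening for this check, the sketch below lists the applets embedded in a document. It is an added example, not part of the addon or of OpenOffice.org: it assumes applets are stored as draw:applet elements in the package's content.xml, and the names find_applets and build_sample are hypothetical.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces of the drawing vocabulary: ODF (OOo 2.x) and the older OOo 1.x format.
DRAW_NAMESPACES = (
    "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "http://openoffice.org/2000/drawing",
)
APPLET_TAGS = {"{%s}applet" % ns for ns in DRAW_NAMESPACES}
MAX_CONTENT_BYTES = 50 * 1024 * 1024  # refuse an absurdly large content.xml


def find_applets(doc):
    """Return the draw:code value of every applet embedded in a document.

    `doc` is a path or a binary file object holding the zipped document.
    """
    applets = []
    with zipfile.ZipFile(doc) as pkg:
        try:
            info = pkg.getinfo("content.xml")
        except KeyError:
            return applets  # no content.xml: nothing to scan in this package
        if info.file_size > MAX_CONTENT_BYTES:
            raise ValueError("content.xml too large to scan safely")
        with pkg.open(info) as stream:
            for _event, elem in ET.iterparse(stream):
                if elem.tag in APPLET_TAGS:
                    code = [v for k, v in elem.attrib.items() if k.endswith("}code")]
                    applets.append(code[0] if code else "<no draw:code>")
                elem.clear()  # keep memory flat on big documents
    return applets


def build_sample(with_applet):
    """Constructed sample: a minimal package with or without an applet frame."""
    applet = '<draw:frame><draw:applet draw:code="JavaClock.class"/></draw:frame>'
    content = (
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:draw="%s"><office:body>%s</office:body>'
        '</office:document-content>' % (DRAW_NAMESPACES[0], applet if with_applet else "")
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(find_applets(build_sample(True)))  # ['JavaClock.class']
```

A document for which the function returns a non-empty list is a candidate for the manual test described above.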

Posted by Laurent Godard @ 06/30/2006 06:13 PM. - Categories: indesko, openoffice -  0 comments
06/15/2006
Open letter about OpenDocument
The DGME's call for comments on the Référentiel Général d'Interopérabilité (General Interoperability Framework) is coming to an end.
An important part of it concerns the office document file format, and rules concerning OpenDocument are being proposed and discussed.

The OpenDocument Alliance, of which Nuxeo is a member, is publishing an open letter addressed to the Director of the Agence de Modernisation de l'Etat in order to underline the benefits and opportunities of the OpenDocument format (ODF) for the French administration, highlighting the gains in terms of independence, interoperability, innovation and preservation of cultural heritage, among others.

OpenDocument is the reference file format of OpenOffice.org (and of other office suites) and is now recognized by the CPS platform.
Posted by Laurent Godard @ 06/15/2006 11:54 AM. - Categories: indesko, nuxeo, openoffice -  0 comments
06/07/2006
DicOOo : new and updated dictionaries available
Over the past few days, I've uploaded some new dictionaries to the lingucomponent master server. DicOOo will now offer the following (once fully propagated):

  • Occitan (languedoc) spellchecking (new) referenced as oc_FR
  • Croatian spellchecking (update) and hyphenator (new) referenced as hr_HR and hyph_hr_HR
  • Hebrew spellchecker (update) referenced as he_IL

Special mention to Bruno Gallart for his work on the Occitan spellchecker!
Posted by Laurent Godard @ 06/07/2006 03:46 PM. - Categories: indesko, openoffice - 4 comments
06/05/2006
OOoDust : my own "proof of nothing"
The Stardust "proof of concept" virus has been announced by an anti-virus vendor.
First, let me state one thing: "Macros and extensions, like any program, are active things and can therefore do harm."
That said, we cannot call all macros viruses!
A virus needs to replicate and propagate, most often silently...

The Stardust "thing" does none of this. By default, OOo asks before every run of a macro, and any administrator or user can even disable this feature or restrict macros to some trusted source directories. The user has to explicitly accept running a program. So nothing to notice there.

From Pavel's announcement, with his usual accurate wording: only a waste of time.
Some relays by other anti-virus vendors are even more ridiculous, as Stardust is identified as an XML virus under the name XML_DUSTAR: hey, a new beast is born.

All of this is restricted to StarOffice, so let me introduce my own OOoDust as a first stage of reflection in building the new malware engines of the coming years:

sub OOoDust()
print "You're infected"
end sub

Activating it is rather simple:

  1. open a new document
  2. open the macro editor (tools > macros > ....)
  3. create a new module
  4. copy the virus in this module
  5. save your document
  6. restart OOo (or send your file to a target)
  7. open your document
  8. agree on activating macro after reading the message
  9. go to macro editor (tools > macro ..)
  10. launch the evil macro OOoDust

It is obvious that OOo and StarOffice will be hit by malware attacks soon, but, guys, not this time. The dust from the anti-virus vendors' advertising smoke dissipates easily when you examine the process...

Btw, the OpenOffice.org project has a structure for reporting any suspicious behaviour, so feel free to contact us.
As stated in the official OOo first reaction:
"the consistent message from security experts [is] that users should never accept files from unknown sources".
Posted by Laurent Godard @ 06/05/2006 01:16 PM. - Categories: openoffice -  0 comments
Last modified: 01/25/2005 07:20 PM
