Windows & .NET Magazine Security UPDATE--September 10, 2003

1. In Focus: A Suite Spot for Better Office Security?

by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

I think all of you know that Microsoft Office is a powerful suite of tools that offers tremendous productivity in any environment. If you haven't heard about the latest security patches for Microsoft Office, which affect Office 2000 through Office 2003, be sure to read about them in this edition of Security UPDATE.

The problems are related to Microsoft Word macros, conversion of Corel WordPerfect files, Visual Basic for Applications (VBA), and the Microsoft Access Snapshot viewer. You should definitely consider loading the associated patches because the problems could present unwanted security risks in your environment if left unpatched. In addition to other means, you can check for new Office updates, whether related to security or otherwise, at the Microsoft Office Online Web site \[http://www.officeupdate.com/downloads/default.aspx\] and the Microsoft Office Preview Web site \[http://www.microsoft.com/office/ork/2003/admin/xp/default.htm\].

Office is the default suite of choice for many companies whose systems run on Windows platforms. You probably also know about alternatives to Office, but have you heard about the OpenOffice.org alternative?

OpenOffice.org \[http://www.openoffice.org\] is an open-source suite of tools similar to Office. As you might expect of an office productivity suite \[http://www.openoffice.org/product\], OpenOffice.org includes a word processor (Writer), a spreadsheet (Calc), a multimedia presentation creator (Impress), a graphics illustration platform (Draw), and database tools.

To learn about the notable differences between OpenOffice.org and Office, study the literature at the associated Web site and download and test a copy on your network. One major difference is that OpenOffice.org uses Java and JavaScript instead of Visual Basic (VB), which could be a security benefit in your environment--because malicious VB scripts embedded in documents won't work against your systems. Another major difference is cross-platform support: OpenOffice.org runs on Windows, Linux variants, Sun Microsystems' Sun Solaris, and Mac OS X. For mixed platform environments, that's quite an attraction. And, of course, a huge difference is in the cost of licensing: OpenOffice.org has no licensing fee. As open source, it's free, and you can read about the associated licensing \[http://www.openoffice.org/license.html\]. But keep in mind, free doesn't mean poor quality. OpenOffice.org is definitely a quality product.

When I first heard about OpenOffice.org, I was skeptical. I've used Microsoft Office components for years, and I wondered whether I'd lose any functionality or find OpenOffice.org documents to be incompatible in some way. For example, I create or read a lot of text documents, spreadsheets, and presentation files that Microsoft Office users must be able to open, so compatibility was a cause for concern. My concerns were unwarranted.

I downloaded OpenOffice.org (in .iso file format), created an installation CD-ROM by using the .iso file, and "test drove" OpenOffice.org for several months. The ease of use is considerable--it took very little time for me to adjust to the platform. So far, I've encountered only one document with which I had noticeable formatting problems with the onscreen display. (I'm not sure what caused the problem, but the onscreen layout wasn't quite right.) I suspect the Word document I was viewing had been created with a very old version of Word; however, I could be wrong. But other than that, I've found no compatibility concerns to speak of.

Aside from the idea that intruders don't target OpenOffice.org platforms nearly as frequently as Microsoft Office, other security considerations could make the software either beneficial or detrimental. On September 25 at the VB2003 conference in Toronto, Sami Rautiainen of F-Secure will give a presentation about OpenOffice.org security (Virus Bulletin hosts the session).

Rautiainen will discuss the OpenOffice.org security model, its environment, restrictions for executable content, the native macro language, and the XML file format OpenOffice.org uses. In his presentation, he'll discuss whether "OpenOffice developers \[have\] taken into account the pitfalls shown by the history of the Microsoft Office or is OpenOffice the next victim of the abuse of macro viruses?" Learn more about the conference \[https://www.virusbtn.com/conference/vb2003/index.xml\], its tracks, and Rautiainen's presentation \[https://www.virusbtn.com/conference/vb2003/abstracts/srautiainen03.xml\].

OpenOffice.org might be a good alternative to Microsoft Office for your environment. Because so many intruders target Microsoft software, using an alternative might reduce your risks, so consider taking a closer look at this alternative office suite. If you've used OpenOffice.org and have comments to share, please send me an email message with your observations and opinion.