Security Watch

OpenOffice Vulnerabilities Discovered

Flaws in OpenOffice could allow for malicious code exploits. Plus, a U.S. business group publishes a report on national Internet disaster recovery and a blog on strong passwords.

Three vulnerabilities have been reported in OpenOffice. The first could allow a malicious Java applet, embedded in an OpenOffice document, to bypass the Java sandbox restrictions. The second involves macros embedded in documents, which could allow for basic code of the attacker's choice to run. The third involves improper handling of XML document elements and could allow arbitrary code of the attacker's choice to run.

Ok, someone should explain this to us. Should three such vulnerabilities be discovered in Microsoft Office products, the news makes the front page of media outlets the world over...but OpenOffice vulnerabilities excite few.

Clearly being able to bypass the Java sandbox violates all principles of security; what's the sandbox for if not to stop malicious code? Macro problems had plagued Microsoft Office products for years, but once code signing and macro restriction features were added, they faded away. The OpenOffice developers would have done well to pay a bit more attention to their Microsoft counterpart.

Finally, the XML issue is one of the most basic problems XML parsers face, namely, "How do you determine whether something is code to be executed, or merely data?" XML constantly presents this problem to all applications that use it, as HTML does equally. Unfortunately, XML is still being understood by developers and is far too often seen as merely data. Furthermore, XSD or XML schemas are not being used widely enough to ensure that parsers will know what to expect within the XML document. Until that problem is resolved, we will likely see more applications with problems such as these.

U.S. Unprepared For Net Meltdown, Blue Chips Warn
An interesting group of top executives have suggested (PDF) that the United States must do more to prepare for a potential massive Internet outage.

The Business Roundtable is an organization of numerous private sector managers throughout the U.S. The group boasts $4.5 trillion dollars in annual revenues and nearly half of all private sector research and development spending in the U.S.

Last year it established "fortifying the Internet and the infrastructure that supports Internet health" as one of its top priorities. To that end, it conducted numerous meetings to determine the gaps that exist in the national policies and procedures to reconstitute the Internet after a national disaster that disrupts Internet connectivity on a wide scale.

The final report documents three such gaps:

1. Lack of formal "tripwires" to indicate an attack is under way.

No formalized method exists to identify that an attack of significance is under way, unlike early warning systems for, say, weather events.

2. Lack of accountability and clarity on which institutions provide reconstitution support.

There is no organization such as the Center for Disease Control (CDC) that would be responsible for coordinating reconstitution efforts across government and private sectors. Also, no formal management agreements exist in those organizations that have been identified to participate, relying instead on volunteerism and ad hoc understandings.

3. Lack of resources for institutions that must reconstitute Internet infrastructure.

The group is concerned that inadequate funding has been identified for organizations that are named as having leading roles in a reconstitution effort and that those meager resources have not been earmarked for reconstitution versus other efforts they undertake. Also, support resources, such as diesel fuel for ISP generators, have not been prioritized.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

The group has provided numerous recommendations to address the three highlighted gaps. They will appear obvious to the reader as recommendations one would have already expected to be in place and could be applied to any country or region. Of most interest to us was the point regarding public trust and market confidence. Should a massive disruption occur, and not be resolved quickly, such trust and confidence will be immediate as individuals find themselves unable to: use their cell phone, send e-mail, receive digital radio or cable TV, or communicate via SMS or instant messaging.

The document represents a significant attempt at rationalizing the persistent fear of a "digital Pearl Harbor" against the realities of a dramatic lack of formalized coordination should such an event occur. It provides suggestions to corporations about establishing contact points and formalized procedures to handle massive outages and highlights issues that may have been overlooked in the past. All in all it is worth the read and we can only hope that many aspects are adopted, both by government and the private sector.

How To Create Easy-To-Remember Strong Passwords Using Patterns
Can you find the relationship between "JI75", and "7ujmnbg%TGB"?

Jimmy Kuo, a senior research fellow at NAI, published an interesting blog entry regarding "keyboard pattern passwords." Basically, he describes how using a letter to represent a sequence of keys on the keyboard can translate into numerous strong passwords that need not be remembered. Instead, you simply remember the letters you're using in your pattern and starting points on the keyboard for each pattern. In the example above, Jimmy used the keyboard patterns of the letters "J" and "I," and starting points of the number "7" and "5." Well worth the read.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular