Security Watch

OpenOffice Vulnerabilities Discovered

Flaws in OpenOffice could allow for malicious code exploits. Plus, a U.S. business group publishes a report on national Internet disaster recovery and a blog on strong passwords.

Three vulnerabilities have been reported in OpenOffice. The first could allow a malicious Java applet, embedded in an OpenOffice document, to bypass the Java sandbox restrictions. The second involves macros embedded in documents, which could allow Basic code of the attacker's choice to run. The third involves improper handling of XML document elements and could allow arbitrary code of the attacker's choice to run.

OK, someone should explain this to us. Should three such vulnerabilities be discovered in Microsoft Office products, the news would make the front page of media outlets the world over... but OpenOffice vulnerabilities excite few.

Clearly, being able to bypass the Java sandbox violates all principles of security; what is the sandbox for if not to stop malicious code? Macro problems plagued Microsoft Office products for years, but once code signing and macro restriction features were added, they faded away. The OpenOffice developers would have done well to pay a bit more attention to their Microsoft counterparts.

Finally, the XML issue is one of the most basic problems XML parsers face, namely: "How do you determine whether something is code to be executed or merely data?" XML constantly presents this problem to every application that uses it, just as HTML does. Unfortunately, developers are still coming to terms with XML, and it is far too often treated as merely data. Furthermore, XSD (XML Schema) is not used widely enough to ensure that parsers know what to expect within a document. Until that problem is resolved, we will likely see more applications with problems such as these.

U.S. Unprepared For Net Meltdown, Blue Chips Warn

An interesting group of top executives has suggested (PDF) that the United States must do more to prepare for a potential massive Internet outage.

The Business Roundtable is an organization of numerous private sector executives throughout the U.S. The group boasts $4.5 trillion in annual revenues and nearly half of all private sector research and development spending in the U.S.

Last year it established "fortifying the Internet and the infrastructure that supports Internet health" as one of its top priorities. To that end, it conducted numerous meetings to determine the gaps that exist in the national policies and procedures to reconstitute the Internet after a national disaster that disrupts Internet connectivity on a wide scale.

The final report documents three such gaps:

1. Lack of formal "tripwires" to indicate an attack is under way.

No formalized method exists to identify that an attack of significance is under way, unlike early warning systems for, say, weather events.

2. Lack of accountability and clarity on which institutions provide reconstitution support.

There is no organization such as the Centers for Disease Control (CDC) that would be responsible for coordinating reconstitution efforts across government and the private sector. Also, no formal management agreements exist among the organizations that have been identified as participants; they rely instead on volunteerism and ad hoc understandings.

3. Lack of resources for institutions that must reconstitute Internet infrastructure.

The group is concerned that the funding identified for organizations named as having leading roles in a reconstitution effort is inadequate, and that those meager resources have not been earmarked for reconstitution rather than the other efforts those organizations undertake. Also, support resources, such as diesel fuel for ISP generators, have not been prioritized.

This column was originally published in our weekly Security Watch newsletter.

The group has provided numerous recommendations to address the three highlighted gaps. They will strike the reader as obvious, recommendations one would have expected to be in place already, and they could be applied to any country or region. Of most interest to us was the point regarding public trust and market confidence. Should a massive disruption occur and not be resolved quickly, that trust and confidence will be lost immediately as individuals find themselves unable to use their cell phones, send e-mail, receive digital radio or cable TV, or communicate via SMS or instant messaging.

The document represents a significant attempt at reconciling the persistent fear of a "digital Pearl Harbor" with the reality of a dramatic lack of formalized coordination should such an event occur. It provides suggestions to corporations about establishing contact points and formalized procedures to handle massive outages, and it highlights issues that may have been overlooked in the past. All in all, it is worth the read, and we can only hope that many aspects are adopted, both by government and by the private sector.

How To Create Easy-To-Remember Strong Passwords Using Patterns

Can you find the relationship between "JI75" and "7ujmnbg%TGB"?

Jimmy Kuo, a senior research fellow at NAI, published an interesting blog entry regarding "keyboard pattern passwords." Basically, he describes how using a letter to represent a sequence of keys on the keyboard can translate into numerous strong passwords that need not be remembered. Instead, you simply remember the letters you are using in your pattern and the starting point on the keyboard for each one. In the example above, Jimmy used the keyboard patterns of the letters "J" and "I," with starting points at the numbers 7 and 5. Well worth the read.
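As an added example (this is not Jimmy Kuo's code or the column's), the Python below encodes the scheme: each pattern letter is a sequence of strokes over a US QWERTY grid, and a mnemonic such as "JI75" expands to "7ujmnbg%TGB". Reading the column's example backwards, it assumes that the "I" fragment is typed with Shift held (5 -> %, t -> T, ...), so which fragments are shifted is treated as part of the secret, and the stroke encodings of J and I are this example's own reconstruction.

```python
from typing import Dict, Iterable, List, Tuple

# US QWERTY layout. Rows are aligned so each key sits directly below the key
# with the same column index in the row above, which makes 7 -> u -> j -> m
# a straight "down" stroke, as in the column's example.
ROWS: List[str] = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# What the digit row produces with Shift held (letters simply become upper-case).
SHIFTED: Dict[str, str] = dict(zip("1234567890", "!@#$%^&*()"))
# Unit strokes on the grid as (row delta, column delta).
STROKES: Dict[str, Tuple[int, int]] = {"D": (1, 0), "U": (-1, 0), "L": (0, -1), "R": (0, 1)}
# Pattern letters as stroke sequences, reconstructed from "7ujmnbg" (J) and
# "%TGB" (I) in the column; the encoding itself is this example's assumption.
PATTERNS: Dict[str, str] = {"J": "DDDLLU", "I": "DDD"}

def _position(key: str) -> Tuple[int, int]:
    """Row and column of a key on the layout."""
    for r, row in enumerate(ROWS):
        if key in row:
            return r, row.index(key)
    raise ValueError(f"key {key!r} is not on the layout")

def trace(start: str, letter: str, shift: bool = False) -> str:
    """Type pattern `letter` beginning on key `start`, optionally with Shift held."""
    r, c = _position(start.lower())
    keys = [ROWS[r][c]]
    for stroke in PATTERNS[letter]:
        dr, dc = STROKES[stroke]
        r, c = r + dr, c + dc
        # A pattern that walks off the edge cannot be typed; refuse it rather
        # than silently producing a shorter fragment.
        if not (0 <= r < len(ROWS) and 0 <= c < len(ROWS[r])):
            raise ValueError(f"pattern {letter} from {start!r} runs off the keyboard")
        keys.append(ROWS[r][c])
    typed = "".join(keys)
    return "".join(SHIFTED.get(k, k.upper()) for k in typed) if shift else typed

def build_password(mnemonic: str, shifted: Iterable[int] = ()) -> str:
    """Expand a mnemonic like "JI75": the first half names the pattern letters,
    the second half gives the start key for each; `shifted` lists the (0-based)
    fragments typed with Shift held, here assumed to be part of the secret."""
    half = len(mnemonic) // 2
    letters, starts = mnemonic[:half], mnemonic[half:]
    held = set(shifted)
    return "".join(trace(s, l, i in held) for i, (l, s) in enumerate(zip(letters, starts)))

if __name__ == "__main__":
    print(build_password("JI75", shifted={1}))  # 7ujmnbg%TGB
```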

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
