On 6 Nov 2013, at 13:51, Raphael Bircher <r.birc...@gmx.ch> wrote:

> On 06.11.13 13:46, Rob Weir wrote:
>> On Wed, Nov 6, 2013 at 1:59 AM, janI <j...@apache.org> wrote:
>>> Hi.
>>> 
>>> I just read this warning from microsoft (after a hint on infra):
>>> http://www.computerworld.com.au/article/531046/microsoft_warns_office_zero-day_active_hacker_exploits/?utm_medium=rss&utm_source=sectionfeed
>>> 
>>> aoo imports office 2007 documents, so could it be a problem for us too ?
>>> 
>> Not enough information to tell for certain, but it is unlikely.  Such
>> attacks usually exploit specific parsing code in the application and
>> depend on the data structures and memory layout.  Since we don't have
>> the same parsing code we're unlikely to have the vulnerabilities.
>> 
>> The exception would be cases like the WMF flaws of a few years ago,
>> where the format itself had exploitable design flaws.  In that case
>> many applications, following the WMF specification, had the same flaw.
>> So Windows itself had the flaw, but also the WINE emulator.  The flaw
>> we fixed in CVE-2012-0037 is similar, a format-level design issue that
>> impacted several ODF implementations.
>> 
>> So that's the thing to look for, as more information is made available
>> -- is this exploiting a flaw in the MS Office code (likely) or a more
>> generic flaw in the TIFF format (less likely).

> This discussion should be at security@ or minimum on private@.

May be a good thing to see if this community can (re)establish a link to a few 
lead developers on the Microsoft Office side. It never hurts (for both parties) 
to have such comm channels ready in the wings. Because you never know when you 
need them - and when you need them there is usually not the time to build the 
requisite trust through the formal channels.

So if you have (or are) the right person at Microsoft in your rolodex - not a 
bad idea to drop someone on the PMC or security@ a note and/or introduce 
people privately and off-list.

Thanks,

Dw (whose faith in humanity got modded-up several times in the last 2 decades 
    each time corporate interests are put aside by individuals and a cabal of 
    companies to quell a security problem collectively).
