Toki, thanks for your useful question. Here are some factors to consider.
1. The Apache OpenOffice project does not vet or review extensions and templates that are produced by third parties and downloadable from the SourceForge extension and template collections. These are all "at your own risk." 2. To the extent that extensions and templates operate at the privilege level of the OpenOffice user, it is possible for extension code to accomplish malicious purposes. 3. There is no sandbox for the operation of extensions generally: access to the internet, the desktop platform, and file systems are not constrained. Basically, it does not require anything so elaborate as the bypassing of FireFox add-on protection described in the Ars Technica article. Multi-component collaborative exploit staging is possible although unnecessary. Part of the problem is that the extension format goes back to OpenOffice.org 1.x and a simpler world. There is also complacency and mythology about OpenOffice not being vulnerable to some of the difficulties that arose in Microsoft Office software of the same and earlier eras. It could be more the case that exploit perpetrators prefer to go where the most victims are to be found. That does not mean other low-hanging fruit escapes attention, as we now know for Linux, Apple, Android, and other products. An upgrade of the extension packaging could provide some auditability. Perhaps the most important upgrade, using a form of ODF 1.2 packaging, would be use of digital signatures to provide a level of authentication on the extension/template source and allow detection of modifications or counterfeits. Other kinds of auditing and forensic analysis require better computer-based tools. Those are lacking generally, not just for extension packages. This is one of those situations where defenses require considerable more effort than attacking, although skill is required for an exploit to go undetected. No concerted effort on this area is foreseen at this time. - Dennis > -----Original Message----- > From: toki [mailto:toki.kant...@gmail.com] > Sent: Thursday, April 7, 2016 03:45 > To: dev@openoffice.apache.org > Subject: Cross Script vulnerabilities in AOo Extensions? > > All: > > In reading > http://arstechnica.com/security/2016/04/noscript-and-other-popular- > firefox-add-ons-open-millions-to-new-attack/ > is the same type of vulnerability is possible with AOo extensions? > > jonathon > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@openoffice.apache.org For additional commands, e-mail: dev-h...@openoffice.apache.org
