Expected New Features in Upcoming OpenOffice.org 3.2

In his blog entry Security and Privacy Feature Improvements in upcoming OpenOffice.org 3.2 Malte Timmermann considers features users will find in the next release of the solution.

Timmermann lists some of the issues OOo had, followed by the improvements users can expect in this next release:

Encrypted documents: Macros can be added, replaced or removed. Here he notes that users will no longer be able to add unencrypted macro streams or replace existing streams with unencrypted versions.

META-INF/manifest.xml and META-INF/documentsignatures.xml themselves are not signed: In the new release, the definition for document signatures states that all streams in the ODF package, including manifest.xml, must be covered by the document signatures, adding that the only exception is that the signature stream itself might be excluded.

Attacker can add non-declared file (in particular one or more malicious macros): In this case, Timmermann recommends that users make sure that all files are declared in manifest.xml, noting that OOo 3.2 will make this check for ODF 1.2 documents. He also notes that the ODF 1.2 specification will state more clearly that all files need to be registered in manifest.xml, and he cautions that because older versions of OOo already registered all files in manifest.xml, it might be worth discussing if this check could/should also be done for older documents.

Replacing an encrypted macro with a plaintext (malicious) macro: As previously noted, OOo 3.2 will not accept any unencrypted streams in encrypted documents, independent from the ODF version used in the document.

Additional improvements to expect, Timmermann concludes, are that ODF 1.2 now allows for using different encryption algorithms, and all details about the algorithms used need to be documented in the manifest.xml (which is the reason that the manifest.xml itself can't be encrypted). These ODF enhancements have been submitted to the OASIS ODF TC, and OOo 3.2 already implements them, he notes. He adds that this only means OOo would put all needed information into manifest.xml, though not that OOo would have new built-in encryption algorithms yet.

OOo 3.2 is not final now, Timmermann writes, telling readers to expect the final version to be available at the end of November. He also points out that downloads should be made only from trusted sources, such as the OpenOffice.org Web site.

More Information

Cautions on Downloading OpenOffice.org only from trusted sites [...read more...]

Keywords:

Other articles in the OpenOffice section of Volume 140, Issue 2:

Expected New Features in Upcoming OpenOffice.org 3.2

See all archived articles in the OpenOffice section.

From the latest issue:

Top 10 Most Popular Articles in Current Issue (Vol 145, Issue 2)
Sun Certification Under Oracle New Oracle-Sun Downloads Oracle's Third Fiscal Quarter Earnings Due March 25 Differences Between OpenSolaris and Linux Oracle's Xen-based Server Virtualization Could Challenge Competitors	Sun Unified Storage System 2010.02 eWEEK's Top 25 Technologies Of The Decade Can MySQL and Oracle Database Coexist Under Oracle? Oracle Announces Some of Its Bets Oracle SOA Governance 11g

Recent Blog Entries as of March 20, 2010, 4:31 pm
Oracle Works to Assuage the Anxieties of Its Customers SysAdmin News Bites Oracle Enterprise Manager Ops Center Released Suits and Their Countersuits A More Direct Channel Model Planned for Oracle-Sun	The Importance of Information Storage and Management Sun POJO Service Engine User's Guide Sun Storage 7000 2010.Q1 Quality and Features PSA Deploys GlassFish in the Manufacture of Peugeot, Citroën Vehicles Running VirtualBox VMs as Services in Windows
Blog RSS Feed