You might have read some news articles stating OpenOffice.org being insecure, maybe even less secure than Microsoft Office.

All these articles are based on the article "In-depth analysis of the viral threats with OpenOffice.org documents", set to be published in "Journal in Computer Virology".

The article talks about conceptual problems only, not about security exploits where security checks are bypassed.

From this point of view, there can't be a big difference between OpenOffice.org and Microsoft Office. Both come with a scripting language to enable the user to write powerful and sophisticated macros. I already wrote about this here.

All scenarios described in the article have one thing in common: They rely on some initial infection ("primo infection") of the system.

There are two ways for achieving this:

• The user starts some executable containing a virus or trojan

• The user loads a document with malicious macros which are (automatically) executed

So how does it come to the infection?

Normally users shouldn't start any executable they receive via email or from strange web sites.
But maybe some vulnerable code from the browser or any other program does it automatically...

Users shouldn't run macros from unknown documents.
In OpenOffice.org they get a security warning when loading such documents, and must explicitly allow macro execution...

It doesn't matter how the primo infection is done, what matters here is that a primo infection is done in some way, and that this infection code can do anything with current users privileges.

The code doing that infection does not have to be limited to making modifications to OOo, for example to disable security checks or for injecting some virus code into OOo macros.
The primo infection code can also update system wide or user specific (auto) start scripts or infect popular files like the shell binaries, browser and email clients, or install a key logger.

So if you start some malicious code on your system, it's not only OOo you have to worry about...

If you are interested in some more annotations on the different things stated in the article, you can find them in a separate blog entry which I will post soon.