OpenOffice.org Security and VBA Macros
A comment on my recent VBA Macros update asks several questions about security for macros in OpenOffice.org.
I asked Noel Power to help me out, and he graciously provided us with some brief answers to show some of what he is thinking about regarding security for macros.
- Are you guys going to do anything about security?
Openoffice.org is serious about security. Recently a dedicated team has been set up to respond to security issues. That team are continually evaluating the security aspects of the application, some insightful comments from one of the Openoffice.org security experts can found here. - Will you retrofit a carefully considered security model (like Java has) into VBA?
No - it’s not sensible. Scripting in Openoffice.org is more than just Basic. How about Python bindings, etc.? - Will you support digital signatures to help users decide whether to execute a particular document/program?
Openoffice.org already supports signing of macros and you can configure the application so that only signed macros are allowed to be executed. - How will you avoid importing VBA trojans and viruses to OO?
Macro signing, querying the user before executing, macros. Enterprise-wide lock-down to manage those settings easily.
Hey guys,
Here’s a thought… How about doing the Macro’s ala old school Word Perfect! No maybe its just me, but you could do damn near ANYTHING in theose EXCEPT screw around with the file system! You could not delete files, you could not call system functions, in short you were Sandboxed the old fashioned way, YOU COULD NOT GET TO THE OS!
Some might say, but I need to be able to make calls to the OS cause I need to do stuff! Bologna! If you are doing mail merges this that or the other, then you could open a document that WP could open and *nothing* more.
-FG
Comment by FlyingGuy — August 25, 2006 @ 1:06 pm
FG:
Your idea is solid enough, but I think I may not have been clear on why Novell is working on VBA support. Our goal is not to create a macro engine or language for OOo. It’s to provide better document compatability with Microsoft Office. We have found that many organizations need their Excel macros to work across all their desktop systems. Adoption of OpenOffice.org , and therefore desktop Linux, is hindered by this need. We’re working to fix that.
I hope to post a more complete view of our OOo work in the next few days.
–RT
Comment by Ted Haeger — August 25, 2006 @ 1:59 pm
[...] OpenOffice.org Security and VBA Macros [...]
Pingback by Available Now: OpenOffice.org Novell Edition for Windows « Open Source Advocacy with Reverend Ted — March 13, 2007 @ 1:00 pm