
Forum Thread: PSI not reporting OO.o 3.2.1 insecure

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
OpenOffice.org
And, this specific program:
OpenOffice.org 3.x

This thread has been marked as resolved.
tenzip PSI not reporting OO.o 3.2.1 insecure
Member 5th Aug, 2010 03:34
Ranking: 4
Posts: 4
User Since: 30th Jul, 2010
System Score: 78%
Location: US
Last edited on 5th Aug, 2010 03:34

I'm just wondering why my PSI 1.5.0.2 is not reporting my OpenOffice installation as insecure. I was just reading about the Impress vulnerabilities.

Link to page about the vulnerabilities: http://secunia.com/advisories/40775

I'm running W7 Ultimate x64. I've run a scan just minutes ago.

Post "RE: PSI not reporting OO.o 3.2.1 insecure" has been selected as an answer.
E.Jeppesen RE: PSI not reporting OO.o 3.2.1 insecure
Secunia Official 5th Aug, 2010 10:46
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Except for the results shown in the Secure Browsing tab, the PSI will only inform you of vulnerabilities on your computer when you can actually do something about it. In other words, you will be notified to install the new and secure version of a program as soon as it is available from the vendor.
Since at the moment of writing there is no new and secure version of Open Office you can update to, the PSI is not yet informing you about the vulnerability.
Anthony Wells RE: PSI not reporting OO.o 3.2.1 insecure
Expert Contributor 5th Aug, 2010 10:51
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 5th Aug, 2010 10:54
Hello @tenzip ,

There is no solution/patch available (as I type) for the vulnerabilities in OOo 3.2.1 :-

http://secunia.com/advisories/40775/

so you cannot patch or update it ; in this case the PSI will continue to display your programme in the "patched" tab until a "security update/patch" is available ; thus showing that you have done everything you can do .

Please note that a "workaround" is not considered a patch and is not recorded/displayed as applied by the PSI .

I hope this is clear , if not ask :))

Anthony

EDIT : Crossed post with E . J .

--


It always seems impossible until it's done.
Nelson Mandela
tenzip RE: PSI not reporting OO.o 3.2.1 insecure
Member 5th Aug, 2010 15:53
Score: 4
Posts: 4
User Since: 30th Jul 2010
System Score: 78%
Location: US
Thank you E.J. and A.W. That makes sense.

However, would it not be a good idea to put up some kind of warning flag next to the OO.o entry in PSI, so that users are aware of vulnerabilities that no patch exists for? An asterisk, so to speak, saying: "There are problems here, but no way to fix them at the present time. Here is what the vulnerabilities are, and what you can do to avoid problems."

In this case, avoiding opening suspect or untrusted presentations in Impress would be the way to avoid problems. It's not difficult to do, but knowing you need to do it is not, at this point, common knowledge. Obvious to people who have been around that block, certainly, but not to the common user.

on 5th Aug, 2010 10:46, E.Jeppesen wrote:
Except for the results shown in the Secure Browsing tab, the PSI will only inform you of vulnerabilities on your computer when you can actually do something about it. In other words, you will be notified to install the new and secure version of a program as soon as it is available from the vendor.
Since at the moment of writing there is no new and secure version of Open Office you can update to, the PSI is not yet informing you about the vulnerability.

Anthony Wells RE: PSI not reporting OO.o 3.2.1 insecure
Expert Contributor 5th Aug, 2010 17:30
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello again tenzip ,

The basic idea from Secunia is to advise/get the "common" user updating a vulnerable in the first place ; this includes reducing stress on them when there isn't a vendor patch .

The "secure browsing" tab came in to tell you when/that a browser has an insecurity (programme or plug-in , etc .) ; there is a display bug in the test PSI version 1.9.0.2 when compared to the latest versions 1.5.0.1 and 1.5.0.2 . I was initially sceptical as to its use , but am now convinced that it is an essential reminder for using secure browsing techniques at all times .

However , when it is a separate programme like OOo with a "no solution" problem , as you suggest , then a link to a workaround and/or the Secunia Advisory and its instructions would , for me , be of much greater use than the display of the "patched thread" column in the "patched" tab ; admittedly , I have never , since its inception , found this column of any relevance - partly due to the terminology - and have often said so .

Perhaps , E.J. will pass your idea along for the developers to have a look at for the new version .

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
tenzip RE: PSI not reporting OO.o 3.2.1 insecure
Member 5th Aug, 2010 18:34
Score: 4
Posts: 4
User Since: 30th Jul 2010
System Score: 78%
Location: US
Just a little flag next to the program in the list, and a link to the advisory is all that would be needed. That way, people know there is a problem and what it is, even if no "official" action is possible. Being aware of a threat is most of the battle, IMO.

on 5th Aug, 2010 17:30, Anthony Wells wrote:
Hello again tenzip ,

The basic idea from Secunia is to advise/get the "common" user updating a vulnerable in the first place ; this includes reducing stress on them when there isn't a vendor patch .

The "secure browsing" tab came in to tell you when/that a browser has an insecurity (programme or plug-in , etc .) ; there is a display bug in the test PSI version 1.9.0.2 when compared to the latest versions 1.5.0.1 and 1.5.0.2 . I was initially sceptical as to its use , but am now convinced that it is an essential reminder for using secure browsing techniques at all times .

However , when it is a separate programme like OOo with a "no solution" problem , as you suggest , then a link to a workaround and/or the Secunia Advisory and its instructions would , for me , be of much greater use than the display of the "patched thread" column in the "patched" tab ; admittedly , I have never , since its inception , found this column of any relevance - partly due to the terminology - and have often said so .

Perhaps , E.J. will pass your idea along for the developers to have a look at for the new version .

Take care

Anthony

E.Jeppesen RE: PSI not reporting OO.o 3.2.1 insecure
Secunia Official 9th Aug, 2010 12:50
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
tenzip,
So far we have intentionally not included such a feature in the PSI, but it is something we could very well be considering for a coming version. Thank you very much for your suggestion.

This thread has been marked as locked.

