OpenOffice.org Security Team FAQ
- Is OpenOffice.org secure?
- How do I know my copy of OpenOffice.org is genuine?
- How do I protect my copy of OpenOffice.org against security issues?
- "The publisher of this software cannot be verified" - what should I do?
- How do I stop viruses attacking my copy of OpenOffice.org?
- How do I protect against macro-viruses in OpenOffice.org?
- I am a developer - how do I report a security vulnerability in OpenOffice.org?
- Where can I find a list of all the security vulnerabilities fixed in OpenOffice.org?
- How can I get email alerts about security vulnerabilities fixed in OpenOffice.org?
Is OpenOffice.org secure?
The OpenOffice.org engineers take the security of the software very seriously. We take great care to ensure that our software is secure, and we will react promptly to any reports of suspected security vulnerabilities in our software.
How do I know my copy of OpenOffice.org is genuine?
Make sure you know where your copy of OpenOffice.org has come from. Download from one of the sites listed in our download page, or purchase from one of our CD distributors. Use a checksum to make sure your copy has not been corrupted before you install it.
How do I protect my copy of OpenOffice.org against security issues?
We recommend all users install new versions of OpenOffice.org as soon as practical after they are released. Since version 2.1, OpenOffice.org has included a feature which will tell you if a new version is available. We recommend you switch this on (Tools -> Options -> Online Update -> Check for updates automatically).
"The publisher of this software cannot be verified" - what should I do?
When installing OpenOffice.org under Microsoft Windows, you may see a warning message stating that the publisher of the software could not be verified. It is safe to ignore this message if you are confident that your copy of OpenOffice.org came from a reputable source. If you have any doubts about this, you can check that the file has not been tampered with by using MD5 checksums.
How do I stop viruses attacking my copy of OpenOffice.org?
If your computer becomes infected with a virus, it is possible that any program you have installed – including OpenOffice.org - may become corrupted. Your computer cannot catch a virus from fresh air. It can become infected if someone gives you any kind of media – floppy disk, CD, DVD, memory stick, memory card etc. – anything capable of holding data can also hold a virus. It can become infected if it is connected to any kind of network, including wireless. Connections to publicly accessible networks like the internet are particularly risky.
There is a whole range of things you can do to protect your computer – firewalls, anti-virus software, etc – please contact your PC supplier or IT department for details. If you suspect your PC has been infected, please seek specialist support.
How do I protect against macro-viruses in OpenOffice.org?
Macros are a useful part of any office suite, allowing you to automate repetitive tasks. A macro can do anything you can do - including potentially destructive actions such as modifying and deleting files. A macro can attached to any OpenOffice.org file (document, spreadsheet, etc.).
Whenever OpenOffice.org detects macros in a document being opened, by default it displays a warning and will only run the macro if the you specifically agree.
The safest rule is you should never open any OpenOffice.org file unless you are sure where it has come from and trust the sender. Note that it is very easy to falsify an email address - if you have any doubt, do not open the document until you have proved its identity. If you need to exchange documents regularly, we recommend the use of digital signatures to certify the origin of the document.
I am a developer - how do I report a security vulnerability in OpenOffice.org?
Please report any suspected vulnerabilities to our Security Team. We appreciate early confidential disclosure to give vendors of products and solutions based on OpenOffice.org time to react. We will coordinate the disclosure of your report with you.
In your report, please include the following information:
- In which version of OpenOffice.org did you identify the problem (e.g. 1.1.5, 2.0.2, etc.)?
- Do you have an official version of OpenOffice.org or e.g. a build from your GNU/Linux distribution (include the URL of the build if possible)?
- What is the impact of the problem (data loss, denial of service, executing commands, etc.)?
- How can the problem be reproduced?
- Is there an existing exploit?
- Has the problem already been published?
After we receive your report, we will work on the evaluation and we will reply to you (typically in the next business day).
Where can I find a list of all the security vulnerabilities fixed in OpenOffice.org?
These are listed in our Security Bulletin.
How can I get email alerts about security vulnerabilities fixed in OpenOffice.org?
Please read our Security Alerts page.