Apache OpenOffice Security Team FAQ
- Is OpenOffice secure?
- How do I know my copy of OpenOffice is genuine?
- How do I protect my copy of OpenOffice against security issues?
- "The publisher of this software cannot be verified" - what should I do?
- How do I stop viruses attacking my copy of OpenOffice?
- How do I protect against macro-viruses in OpenOffice?
- I am a developer - how do I report a security vulnerability in OpenOffice?
- Where can I find a list of all the security vulnerabilities fixed in OpenOffice?
- How can I get email alerts about security vulnerabilities fixed in OpenOffice?
Is OpenOffice secure?
The OpenOffice engineers take the security of the software very seriously. We take great care to ensure that our software is secure, and we will react promptly to any reports of suspected security vulnerabilities in our software.
How do I know my copy of OpenOffice is genuine?
Make sure you know where your copy of OpenOffice has come from. Download from one of the sites listed in our download page, or purchase from one of our CD distributors. Use a checksum to make sure your copy has not been corrupted before you install it.
How do I protect my copy of OpenOffice against security issues?
We recommend all users install new versions of OpenOffice as soon as practical after they are released. Since version 2.1, OpenOffice has included a feature which will tell you if a new version is available. We recommend you switch this on (Tools -> Options -> Online Update -> Check for updates automatically).
"The publisher of this software cannot be verified" - what should I do?
When installing OpenOffice under Microsoft Windows, you may see a warning message stating that the publisher of the software could not be verified. It is safe to ignore this message if you are confident that your copy of OpenOffice came from a reputable source. If you have any doubts about this, you can check that the file has not been tampered with by using MD5 checksums.
How do I stop viruses attacking my copy of OpenOffice?
If your computer becomes infected with a virus, it is possible that any program you have installed – including OpenOffice - may become corrupted. Your computer cannot catch a virus from fresh air. It can become infected if someone gives you any kind of media – floppy disk, CD, DVD, memory stick, memory card etc. – anything capable of holding data can also hold a virus. It can become infected if it is connected to any kind of network, including wireless. Connections to publicly accessible networks like the internet are particularly risky.
There is a whole range of things you can do to protect your computer – firewalls, anti-virus software, etc – please contact your PC supplier or IT department for details. If you suspect your PC has been infected, please seek specialist support.
How do I protect against macro-viruses in OpenOffice?
Macros are a useful part of any office suite, allowing you to automate repetitive tasks. A macro can do anything you can do - including potentially destructive actions such as modifying and deleting files. A macro can attached to any OpenOffice file (document, spreadsheet, etc.).
Whenever OpenOffice detects macros in a document being opened, by default it displays a warning and will only run the macro if the you specifically agree.
The safest rule is you should never open any OpenOffice file unless you are sure where it has come from and trust the sender. Note that it is very easy to falsify an email address - if you have any doubt, do not open the document until you have proved its identity. If you need to exchange documents regularly, we recommend the use of digital signatures to certify the origin of the document.
I am a developer - how do I report a security vulnerability in OpenOffice?
Please report any suspected vulnerabilities to our Security Team. We appreciate early confidential disclosure to give vendors of products and solutions based on OpenOffice time to react. We will coordinate the disclosure of your report with you.
In your report, please include the following information:
- In which version of OpenOffice did you identify the problem (e.g. 3.3.0, 3.4.1, 4.0.0, etc.)?
- What is the impact of the problem (data loss, denial of service, executing commands, etc.)?
- How can the problem be reproduced?
- Is there an existing exploit?
- Has the problem already been published?
After we receive your report, we will work on the evaluation and we will reply to you (typically in the next business day).
Where can I find a list of all the security vulnerabilities fixed in OpenOffice?
These are listed in our Security Bulletin.
How can I get email alerts about security vulnerabilities fixed in OpenOffice?
Please read our Security Alerts page.