As you can see here every single day, spammers attach a password-encrypted Word .doc to a mail and try to infect systems to extract ransom.

This raises the question: How to handle this threat? Virus scanners are not enough anymore.

Possibilities:

  • use a more secure / alternative product with less market share – in the hope of not being targeted
  • move all dangerous internet-based services out of the corporate LAN and make them available only as remote desktop output (probably a MUST)
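Because a scanner cannot look inside a password-encrypted attachment, a mail gateway can at least recognise such files and hold them for review. The following is an added example, not code from the original post: a heuristic that flags encrypted OOXML containers (an `EncryptedPackage` stream) and legacy binary .doc files with the FIB `fEncrypted` bit set. The function names and both sample builders are assumptions made for illustration, and the sample document and mail are constructed.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature

def cfb_entries(data):
    # Heuristic carve of directory entries (name -> start sector): entries are
    # 128 bytes long and 128-byte aligned; the FAT chain is not walked.
    entries = {}
    for off in range(512, len(data) - 127, 128):
        name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
        if obj_type in (1, 2, 5) and 2 <= name_len <= 64 and name_len % 2 == 0:
            name = data[off:off + name_len - 2].decode("utf-16-le", "replace")
            entries[name] = struct.unpack_from("<I", data, off + 116)[0]
    return entries

def is_encrypted_office(data):
    if len(data) < 512 or not data.startswith(CFB_MAGIC):
        return False
    entries = cfb_entries(data)
    if "EncryptedPackage" in entries:  # password-protected OOXML wrapped in OLE2
        return True
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    # Legacy .doc: the FIB sits at the start of the WordDocument stream.
    fib = (entries.get("WordDocument", len(data)) + 1) * sector_size
    if fib + 12 > len(data):
        return False
    ident, flags = struct.unpack_from("<H8xH", data, fib)
    return ident == 0xA5EC and bool(flags & 0x0100)  # wIdent, fEncrypted bit

def flag_attachments(raw_mail):
    # Filenames of attachments that a content scanner cannot look inside.
    msg = message_from_bytes(raw_mail, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()
            if is_encrypted_office(p.get_payload(decode=True) or b"")]

def sample_doc(encrypted):  # constructed minimal OLE2 layout, not a real document
    def entry(name, typ, start):
        raw = name.encode("utf-16-le") + b"\0\0"
        return raw.ljust(64, b"\0") + struct.pack("<HB49xI8x", len(raw), typ, start)
    header = (CFB_MAGIC + b"\0" * 22 + struct.pack("<H", 9)).ljust(512, b"\0")
    directory = (entry("Root Entry", 5, 0xFFFFFFFE) + entry("WordDocument", 2, 1)).ljust(512, b"\0")
    fib = struct.pack("<H8xH", 0xA5EC, 0x0100 if encrypted else 0).ljust(512, b"\0")
    return header + directory + fib

def sample_mail(encrypted):  # constructed message with one attachment
    msg = EmailMessage()
    msg.set_content("The password is 1234")
    msg.add_attachment(sample_doc(encrypted), maintype="application",
                       subtype="msword", filename="invoice.doc")
    return msg.as_bytes()
```

`flag_attachments(sample_mail(True))` returns `["invoice.doc"]`. A WordDocument stream stored in the mini stream (smaller than 4096 bytes) is not resolved by this heuristic and is reported as not encrypted.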

MS Office exploits found:

Vulnerability Trends Over Time

Year # of Vulnerabilities DoS Code Execution Overflow Memory Corruption Sql Injection XSS Directory Traversal Http Response Splitting Bypass something Gain Information Gain Privileges CSRF File Inclusion # of exploits
1999 3 1
2000 3 2 1
2001 1
2002 9 2 4 1 1
2003 1 1 1
2004 4 4 2
2005 2 1 2 2 1
2006 33 3 30 8 13 1 1
2007 27 4 23 8 11
2008 54 1 51 13 17 1 1 2
2009 35 34 16 16 1 1
2010 55 5 54 20 26 1
2011 30 12 28 17 14 2
2012 19 3 16 6 6 2
2013 17 3 13 8 5 3 1 1
2014 10 2 5 1 1 2 1 1
2015 40 6 37 19 23 1 1 1 1
2016 48 8 33 25 26 6 11 2
2017 39 4 27 16 9 9
2018 31 26 21 7 1 2
Total 461 54 390 185 175 2 13 31 11 2
% Of All 11.7 84.6 40.1 38.0 0.0 0.4 0.0 0.0 2.8 6.7 2.4 0.0 0.0

Warning : Vulnerabilities with publish dates before 1999 are not included in this table and chart. (Because there are not many of them and they make the page look bad; and they may not be actually published in those years.)

https://www.cvedetails.com/product/320/Microsoft-Office.html?vendor_id=26

LibreOffice

Vulnerability Trends Over Time

Year # of Vulnerabilities DoS Code Execution Overflow Memory Corruption Sql Injection XSS Directory Traversal Http Response Splitting Bypass something Gain Information Gain Privileges CSRF File Inclusion # of exploits
2011 2 1 1 2
2012 5 4 3 3 1
2014 3 2 2
2015 5 4 4 3 3 1
2016 3 2 1 2 2
2017 6 1 5
2018 1
Total 25 14 11 15 5 2
% Of All 56.0 44.0 60.0 20.0 0.0 0.0 0.0 0.0 0.0 8.0 0.0 0.0 0.0


https://www.cvedetails.com/product/21008/Libreoffice-Libreoffice.html?vendor_id=11439

https://www.exploit-db.com/exploits/44022/

This list might be far from complete, but the general overview says: LibreOffice wins the security competition in 2018.

Yes, this could be because of the small market share – but who cares – I love it.

But also: move all dangerous services and programs into a separate LAN that has no physical connection to the company LAN, and access these services via remote desktop only (just VNC, no file sharing).

LibreOffice is gaining users

I could not find good data – but according to approx. 100 million in 2016

Is LibreOffice Worthy of the Office Crown?

„OK, so maybe Microsoft’s Office 2016 for Windows is perfect for Windows 10 users, but for the rest of us, LibreOffice 5.1, the full-featured, open-source office suite, is a better choice“

https://www.zdnet.com/article/the-best-desktop-office-suite-libreoffice-gets-better/

LibreOffice in numbers:

2015: 1000 Developers

2012: IPs pinging for updates are around 150 million since 2012 (when we have started counting them)

LibreOffice: the numbers

Also interesting: Berlin, the headquarters of LibreOffice TDF? Nice 😉

Sadly: Munich – after pioneering Linux – reverts back to MS Office – Bill Gates in return stays with Microsoft headquarters in Munich. (They are building new office buildings in Schwabing.)

„Munich City officials could waste €100m reversing a 15-year process that replaced proprietary software with open source following an official vote last year.

Munich officials in 2003 voted to migrate to an in-house custom version of Ubuntu Linux called LiMux and tailor digital docs to be compatible with LibreOffice. Now the councillors have decided that Munich will switch some 29,000 PCs to Windows 10 and phase out Linux by early 2023.“ (src)

admin