As you can see here every single day – spammers attach password-encrypted Word documents (.doc) to a mail and try to infect systems to extort ransom.
This raises the question: How to handle this threat? Virus scanners are not enough anymore.
Possibilities:
- use a more secure / alternative product with less market share – in the hope of not being targeted
- move all dangerous internet-based services out of the corporate LAN and make them available only as remote desktop output (probably a MUST)
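
Why scanners go blind on these attachments, as an added example (not code from the original post): a password-protected OOXML file is an encrypted blob inside an OLE2 container, so a mail gateway can at least detect it and hold the mail. The function names and the sample mail are assumptions made for this illustration; encryption of legacy binary .doc files is not detected by this heuristic.

```python
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                       # plain OOXML (.docx/.xlsx) is a ZIP
# Password-protected OOXML is wrapped in an OLE2 container whose directory
# holds a stream named "EncryptedPackage" (names are stored as UTF-16LE).
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")

def classify(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring the file extension."""
    if data.startswith(OLE_MAGIC):
        # Heuristic byte search, not a full compound-file parse. "legacy-ole"
        # is the binary .doc/.xls format; its encryption flag is not checked.
        return "encrypted-ooxml" if ENC_STREAM in data else "legacy-ole"
    if data.startswith(ZIP_MAGIC) and b"[Content_Types].xml" in data:
        return "ooxml"
    return "other"

def triage(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every named attachment in a raw mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue
        results.append((name, classify(part.get_payload(decode=True) or b"")))
    return results

def quarantine(raw: bytes) -> bool:
    """Hold the mail if any attachment is a container the scanner cannot open."""
    return any(verdict == "encrypted-ooxml" for _, verdict in triage(raw))

def sample_mail() -> bytes:
    """Constructed sample: a stub with the OLE2 signature and stream name only."""
    stub = OLE_MAGIC + b"\x00" * 504 + ENC_STREAM + b"\x00" * 96
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("The password for the attachment is in this mail.")
    msg.add_attachment(stub, maintype="application", subtype="msword",
                       filename="invoice.doc")
    return bytes(msg)

if __name__ == "__main__":
    print(triage(sample_mail()), quarantine(sample_mail()))
```
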
MS Office exploits found:
Vulnerability Trends Over Time
Year | # of Vulnerabilities | DoS | Code Execution | Overflow | Memory Corruption | Sql Injection | XSS | Directory Traversal | Http Response Splitting | Bypass something | Gain Information | Gain Privileges | CSRF | File Inclusion | # of exploits |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1999 | 3 | 1 | |||||||||||||
2000 | 3 | 2 | 1 | ||||||||||||
2001 | 1 | ||||||||||||||
2002 | 9 | 2 | 4 | 1 | 1 | ||||||||||
2003 | 1 | 1 | 1 | ||||||||||||
2004 | 4 | 4 | 2 | ||||||||||||
2005 | 2 | 1 | 2 | 2 | 1 | ||||||||||
2006 | 33 | 3 | 30 | 8 | 13 | 1 | 1 | ||||||||
2007 | 27 | 4 | 23 | 8 | 11 | ||||||||||
2008 | 54 | 1 | 51 | 13 | 17 | 1 | 1 | 2 | |||||||
2009 | 35 | 34 | 16 | 16 | 1 | 1 | |||||||||
2010 | 55 | 5 | 54 | 20 | 26 | 1 | |||||||||
2011 | 30 | 12 | 28 | 17 | 14 | 2 | |||||||||
2012 | 19 | 3 | 16 | 6 | 6 | 2 | |||||||||
2013 | 17 | 3 | 13 | 8 | 5 | 3 | 1 | 1 | |||||||
2014 | 10 | 2 | 5 | 1 | 1 | 2 | 1 | 1 | |||||||
2015 | 40 | 6 | 37 | 19 | 23 | 1 | 1 | 1 | 1 | ||||||
2016 | 48 | 8 | 33 | 25 | 26 | 6 | 11 | 2 | |||||||
2017 | 39 | 4 | 27 | 16 | 9 | 9 | |||||||||
2018 | 31 | 26 | 21 | 7 | 1 | 2 | |||||||||
Total | 461 | 54 | 390 | 185 | 175 | 2 | 13 | 31 | 11 | 2 | |||||
% Of All | 11.7 | 84.6 | 40.1 | 38.0 | 0.0 | 0.4 | 0.0 | 0.0 | 2.8 | 6.7 | 2.4 | 0.0 | 0.0 |
Warning : Vulnerabilities with publish dates before 1999 are not included in this table and chart. (Because there are not many of them and they make the page look bad; and they may not be actually published in those years.)
https://www.cvedetails.com/product/320/Microsoft-Office.html?vendor_id=26
LibreOffice
Vulnerability Trends Over Time
Year | # of Vulnerabilities | DoS | Code Execution | Overflow | Memory Corruption | Sql Injection | XSS | Directory Traversal | Http Response Splitting | Bypass something | Gain Information | Gain Privileges | CSRF | File Inclusion | # of exploits |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2011 | 2 | 1 | 1 | 2 | |||||||||||
2012 | 5 | 4 | 3 | 3 | 1 | ||||||||||
2014 | 3 | 2 | 2 | ||||||||||||
2015 | 5 | 4 | 4 | 3 | 3 | 1 | |||||||||
2016 | 3 | 2 | 1 | 2 | 2 | ||||||||||
2017 | 6 | 1 | 5 | ||||||||||||
2018 | 1 | ||||||||||||||
Total | 25 | 14 | 11 | 15 | 5 | 2 | |||||||||
% Of All | 56.0 | 44.0 | 60.0 | 20.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 8.0 | 0.0 | 0.0 | 0.0 |
https://www.cvedetails.com/product/21008/Libreoffice-Libreoffice.html?vendor_id=11439
https://www.exploit-db.com/exploits/44022/
This list might be far from being complete, but the general overview says: LibreOffice wins the security competition in 2018.
Yes, this could be because of the small market share – but who cares – I love it.
But also: move all dangerous services and programs into a separate LAN that has no physical connection to the company LAN, and access these services via remote desktop only (just VNC, no file sharing).
LibreOffice is gaining users
I could not find good data – but according to approx. 100 million in 2016
https://www.makeuseof.com/tag/libreoffice-worthy-office-crown/
“OK, so maybe Microsoft’s Office 2016 for Windows is perfect for Windows 10 users, but for the rest of us, LibreOffice 5.1, the full-featured, open-source office suite, is a better choice”
https://www.zdnet.com/article/the-best-desktop-office-suite-libreoffice-gets-better/
LibreOffice in numbers:
2015: 1000 Developers
2012: IPs pinging for updates are around 150 million since 2012 (when we have started counting them)
Also interesting: Berlin, the headquarters of LibreOffice TDF? Nice 😉
Sadly: Munich – after pioneering Linux – reverts back to MS Office – Bill Gates in return stays with the Microsoft headquarters in Munich. (They build new office buildings in Schwabing.)
“Munich City officials could waste €100m reversing a 15-year process that replaced proprietary software with open source following an official vote last year.
Munich officials in 2003 voted to migrate to an in-house custom version of Ubuntu Linux called LiMux and tailor digital docs to be compatible with LibreOffice. Now the councillors have decided that Munich will switch some 29,000 PCs to Windows 10 and phase out Linux by early 2023.” (src)