[plug] Duck and cover, new MS-Office vulnerability
Ben New
ben at leftclick.com.au
Thu Sep 4 17:10:23 WST 2003
intra at slowest.net wrote:
>Although I am all for the OpenOffice way of life, don't you agree that
>Microsoft also has a lot more people looking for security holes than
>on the OpenOffice front?
>
Theoretically: no.
The number of people, "m", inspecting Microsoft Office for security
flaws is fixed by Microsoft.
The number of people, "o", inspecting OOo for security flaws is directly
proportional to the number of people using it.
The number of socially retarded hackers, "r", looking for exploits
(security flaws) in either product is also directly proportional to the
number of people using that product.
Therefore, while the ratio "r:o" is relatively stable, the ratio "r:m"
increases with the number of people using MS Office, unless they (M$)
throw more of their own resources at it. (I can hear the mocking
laughter already!)
And in reality: who knows?
Microsoft may claim that they have teams looking at security holes all
the time. But who is to know that the "team" might be two 15-year-old
Pakistanis with a 386?
And conversely, while there might be 10,000,000 people registered as
bug-reporting users of OOo, how many of them will actually take the time
to do anything constructive relating to security problems and reporting
thereof?
>Given some time and the popularity of OpenOffice we might be cursing
>their software in the future and applying regular security fixes.
>
You could probably say the same for anything. All software has bugs and
security flaws, it's the nature of the beast. At least with OS stuff, we
at least have the opportunity to do something about it. With hidden
source, we aren't even /allowed/ to look for bugs in M$ Office.
>Sorry to add some fuel to the flames
>
I've said it before, I'll say it again, please send flames to /dev/null. ;-)
Ben