

you know OpenOffice, right? free substitute for Microsoft Office which is basically just as good, but free.

well, it’s not as good. and is in fact actively dangerous to use.

the security hole: a malicious HWP file can exploit OpenOffice and pwn your PC. obscure minor format, no problem … except that the file type is detected from its contents, not its extension, so if you get a HWP file with a .DOC extension - say, what appears to be a MS Word file emailed to you by anyone - you can get pwned by that.
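this is the defender’s side of that point, as an added example (not code from the post or from either office project): the application chooses its import filter from what the bytes are, so a mail gateway or triage script has to do the same and flag a “.doc” whose bytes are actually HWP. the container facts it relies on (the OLE2 compound-file header layout, HWP 5.x living in an OLE2 container with a FileHeader stream, the HWP 3.x text signature) are the public format specs; the sample files are constructed by build_ole2() and are not real documents.

```python
import struct

# Public container-format constants (from the OLE2/CFB and HWP format specs,
# not from the post). Sample files below are constructed, not real documents.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HWP3_MAGIC = b"HWP Document File V3.00"
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF

# Top-level OLE2 stream names that identify the hosted format.
OLE2_STREAM_HINTS = {"FileHeader": "hwp", "WordDocument": "doc",
                     "Workbook": "xls", "PowerPoint Document": "ppt"}
# What the extension claims versus what sniffing may legitimately report.
EXPECTED = {"doc": {"doc"}, "xls": {"xls"}, "ppt": {"ppt"}, "hwp": {"hwp"},
            "rtf": {"rtf"}, "docx": {"zip"}, "xlsx": {"zip"}, "odt": {"zip"}}

def ole2_stream_names(data):
    """Walk the OLE2 directory chain and return the entry names in it.
    Only FAT sectors listed in the header DIFAT (109 of them) are followed,
    which covers files under roughly 7 MB; bigger files need the DIFAT chain."""
    if len(data) < 512 or not data.startswith(OLE2_MAGIC):
        return []
    sec = 1 << struct.unpack_from("<H", data, 30)[0]          # sector size
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 76):   # header DIFAT
        if fat_sector == FREESECT:
            break
        off = (fat_sector + 1) * sec
        if off + sec > len(data):
            return []                                          # truncated file
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, off))
    names, seen, sector = [], set(), first_dir
    while sector < 0xFFFFFFFA and sector not in seen:          # chain end or loop
        seen.add(sector)
        off = (sector + 1) * sec
        if off + sec > len(data):
            break
        for i in range(0, sec, 128):
            entry = data[off + i:off + i + 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]
            if entry[66] == 0 or not 2 <= name_len <= 64:
                continue                                       # unused entry
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        sector = fat[sector] if sector < len(fat) else ENDOFCHAIN
    return names

def sniff_format(data):
    """Identify the real format from the bytes alone, ignoring the file name."""
    if data.startswith(HWP3_MAGIC):
        return "hwp"
    if data.startswith(OLE2_MAGIC):
        for name in ole2_stream_names(data):
            if name in OLE2_STREAM_HINTS:
                return OLE2_STREAM_HINTS[name]
        return "ole2-unknown"
    if data.startswith(b"PK\x03\x04"):
        return "zip"                  # docx/odt/etc.; needs a look inside
    if data.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"

def check_attachment(filename, data):
    """Return (claimed, actual, mismatch). A .doc whose bytes are HWP is the
    case the post describes and the one to quarantine or strip."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_format(data)
    return claimed, actual, claimed in EXPECTED and actual not in EXPECTED[claimed]

def build_ole2(stream_name):
    """Construct a minimal valid OLE2 container with one empty stream, so the
    check can be exercised offline. This is sample data, not a real document."""
    header = bytearray(512)
    header[0:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<II", header, 44, 1, 1)            # one FAT sector; directory at sector 1
    struct.pack_into("<I", header, 56, 4096)             # mini-stream cutoff
    struct.pack_into("<II", header, 60, ENDOFCHAIN, 0)   # no mini FAT
    struct.pack_into("<II", header, 68, ENDOFCHAIN, 0)   # no extra DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    def entry(name, obj_type, child):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)
        return bytes(e)
    directory = entry("Root Entry", 5, 1) + entry(stream_name, 2, NOSTREAM) + bytes(256)
    return bytes(header) + fat + directory

if __name__ == "__main__":
    for fname, blob in [("report.doc", build_ole2("FileHeader")),
                        ("report.doc", build_ole2("WordDocument")),
                        ("notes.hwp", HWP3_MAGIC + b" \x1a\x01\x02\x03\x04\x05")]:
        print(fname, check_attachment(fname, blob))
```

the point of the directory walk is that .doc and HWP 5.x are both OLE2 containers with the same eight magic bytes, so a check on the magic alone can’t tell them apart; you have to read the stream names the way the office suite’s type detection does. on a real gateway you would also recurse into the zip case and run the same mismatch table over what you find inside.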

they’ve known about this since april 2015 and haven’t fixed it. they have distributed over 8 million known-vulnerable copies of AOO since 27 april. (and the 143 million vulnerable before that.)



the fix is, literally, remove one file from the installer. they haven’t got it together to do this in five months.

tell everyone you know. tell your writer friends. tell your family with that old copy. tell anyone you see running OpenOffice. get LibreOffice, it also originated in OpenOffice but is actually developed and they show the slightest sign of caring about their end users. LO 5.0 is really very nice. much faster to use than 4.4 too.

so what’s going on here:

Sun Microsystems (mild yay) ran OpenOffice from 2000 to 2010. it was imperfect, but it was good enough and free and open-source. it accumulated one heck of a famous brand name. (“we need an office program” “how about that openoffice thing”)



Oracle (boo hiss!) bought Sun in early 2010. OpenOffice development stopped as they reassigned developers.

a bunch of non-Sun/Oracle developers went “bugger this” and forked it (‘cos it was open source) in late 2010. thus, LibreOffice, which immediately became stupidly better.

Oracle had a snit and shoved the corpse of OpenOffice at the Apache Foundation in mid-2011 at the behest of IBM, who wanted to do it their way.

Apache OpenOffice had nothing worth the trouble, but got downloads because of the famous “OpenOffice” brand name.

IBM gave up in late 2013. since then, AOO has literally been several ex-Sun devs squatting the name and doing bugger-all with it. their reasons are unclear.



they insist they still have a product, even though what they’ve actually achieved has been to put over eight million downloads that they knew were vulnerable on people’s PCs. possibly your PC.

instead of fixing it, by removing one file from the installer, they post excuses for not doing stuff.

(if this sounds like a fascinating tale, feel free to check the extensively-cited history sections of the OpenOffice.org, LibreOffice and Apache OpenOffice articles on wikipedia, which i mostly researched and wrote.)



Apache OpenOffice’s lack of developers since IBM gave up is extensively documented. many have expressed concerns over the BLATANT SECURITY HOLE. in late august a Red Hat developer posted an open letter urging them to just give up the pretense and redirect the end users (that’s you) to LibreOffice. this had wide impact, and quite a pile of others concurred that they need to stop making life actively worse for the end users. the AOO people posted numerous comments making excuses … but they still distribute their known dangerous software and just won’t lift a finger to fix it.

tl;dr: get the hell off OpenOffice, get everyone you know the hell off OpenOffice. get LibreOffice, it is strictly superior in literally every dimension, and they actually give a damn about you the user and fix the security holes.

this text is CC-0 public domain. please spread far and wide.



update: finally, six months later, they’ve released AOO 4.1.2 with this particular hole fixed. there is no reason from their observed behaviour to assume the remaining “development” team can be trusted not to do this with the next hole, and the next, and the next. get LibreOffice.

