Wednesday, June 18, 2008

Security Notice: OpenOffice

OpenOffice, the free alternative to the Microsoft Office suite, has released a patch to close a security vulnerability that's being called "highly critical." This brings the latest version to 2.4.1. The vulnerability affects all versions of OO from 2.0 through 2.4. Details here. (Hat tip: Ryan Naraine.)

I downloaded and installed it. It went fine.

Some gripes, some of which I've noted before:

  • You can use Help → Check for Updates from within any OO program to get the new version. You have to be logged in as Administrator, however, even just to check for the update and to download it. I don't mind, much, having to log in as Administrator to install software, but I should at least be able to check for updates as a regular user. In fact, this is a top priority for OO to address, and indeed, notification of the availability of security updates should be automatic, since smart computer users do not regularly work while logged in as Administrator.

  • Still no patch mechanism, which means the entire 127 MB installer has to be downloaded.

  • During the installation, OO launches your web browser to display some sort of "thank you" page. Later on in the installation, it pauses, saying it needs to make a change that requires you to close the browser. Later on still, it fires up the browser to display the same "thank you" page. I don't remember this happening before -- either one of the two different invocations of the browser or the "browser must be closed" hurdle smells like a bug in the installation program. Hard to believe this one got through testing. Could be a peculiarity of my system, conceivably, but it's hard for me to write it off that easily. My machine, I'd wager, is cleaner than most Windows boxes.

  • The installer unpacks files to a new folder during installation, but does not clean up after itself. Granted, the new folder is created, by default, on the Desktop, so it's easy enough to delete, but there is no reason why the standard installation procedure shouldn't delete this folder automatically at the end of the process. After all, there are several times during the looooooong installation process where the status window says something like "cleaning up" or "removing temporary files." Why not finish the job?

  • No matter what the previously installed version's settings were, OO insists on adding a "QuickLaunch" icon to the System Tray. This reflects yet another program that runs at start-up and never stops. Granted, it's probably a small program, and most people have more RAM than I do these days, but still. It should not do this without asking.

  • OO insists on adding a bunch of entries under the "New" entry in the Windows menu that you see when you right-click on the Desktop.

The bloat aspect -- no patch mechanism, meaning a complete download and install cycle is required just to close a security hole -- strikes me as lazy programming. So does the fact that there is no notification mechanism for updates available to non-Administrator accounts.

The last two gripes strike me as bad design -- I hate when programs insert themselves into all sorts of Windows nooks and crannies. It is not obvious to most regular users how to get rid of or disable these things; in fact, to clean up the "New" menu requires a separate utility. At minimum, both of these behaviors should be the sort of thing that the user is asked about upon installation of the program, and the default should be not to do them.

I like OO well enough for my limited word processing and spreadsheet needs, especially at the price, but I'm starting to like it less. Compare it to the new version of Firefox: Firefox's whole installer weighs in at 7 MB (about 5% the size of OO), I can install it and maintain it as a regular user, installation is polite and speedy and doesn't leave intermediate droppings behind, applying a security patch takes less than a minute from first being notified through the end of downloading, installing, and restarting, and so on. I get that a full office suite is more complex than a Web browser, but still, if Sun and OO.org don't get their act together on some of these things, they're going to lose yet another customer to the Borg Cloud.
