MS Office / LibreOffice: Which one is more vulnerable?

We all know that Microsoft releases security updates for MS Office every 1-2 months.
What about LibreOffice?
LibreOffice is not updated as often as MS Office.
Is LibreOffice more secure and needs fewer security updates?
Or, due to the fewer security updates, is LibreOffice less secure than MS Office?

Thank you

This question is very general. Can you please write down what your main security concern is?

First of all, LibreOffice updates come at 1-month intervals. New versions are released two times a year. See the release plan for details: https://wiki.documentfoundation.org/ReleasePlan Most of the fixes in updates are for bugs that are not security problems.


There is absolutely no rule that more regular fixes make software more or less secure. I always remember the basic rule I was taught in school: every program that has more than 10 lines of code absolutely has some bugs. Office programs are made of a few hundred thousand lines of code, so the number of bugs…


When we are talking about security, we must first identify the potential security risk. You didn’t provide more details, so I will try to answer the question in a general manner.

  1. Protect from unauthorized access to a file. Encrypt your files and share the password with your friend/coworker in a secure way (like telling the password in person). You can do this with File | “Save as” and checking the “Save with password” checkbox. Make sure you pick a complicated password with at least 14 characters. A few of them must be non-letters such as numbers and special characters like !, $, %, @ etc. This kind of password is very difficult to break. This way you can also send the file by e-mail; just don’t write the password in the mail. In this case I suggest using LibreOffice 3.6 or newer, because of the strong encryption implemented.
  2. Someone from the internet is trying to access my files? Implement a firewall and antivirus. If extremely paranoid, then edit files offline and store them on a USB key.
  3. You would like to exchange files securely (paranoid). Use an SFTP or FTPS server, or some other means like creating an SSH tunnel and then transferring files inside the tunnel. (not really for non-computer-geeks)
  4. You are trying to protect your local files from access by someone who has physical access to your computer? You need to install the operating system yourself (most secure) and make sure all of the operating system passwords are strong and well kept. You need to encrypt your hard disks. You need to make sure you don’t install too many programs on it, because each program can bring some vulnerability. (this is the paranoid way and not really for non-computer-geeks)


    There are many other aspects of protecting your computer. In my humble opinion it is way, way, way more important to protect your computer and your files than to have a really secure office program, because office programs can run off-line (no need for the internet, where most of the risk comes from).


    Also, you need to understand your opponent. Are you a total beginner in computer-related tasks who would like to fight a computer geek? You are probably doomed in the first place. Knowledge and resources are the only way to stay secure. If you are fighting against someone with a lot of time, money and knowledge, you have a poor chance of beating him/her. This is probably off topic…


    Besides security there are also aspects of privacy. I don’t know how much of a problem this is for you. For example, if you would like to be anonymous, prepare some office document and send it to the public internet, don’t forget that some personal info can be stored in the office file itself. Check Tools | Options | LibreOffice | User Data - if you filled in the First name, Last name, Street name, State, Country… this info is stored in your office files. If I remember correctly there is something similar in MS-Office under File | Properties.


    Some people say that open-source programs are more secure, because the program’s source code is visible and anyone can see the code and spot the flaws. But in my humble opinion, if there are hundreds of thousands of lines of code, I don’t think it is so very easy to spot a security problem. Most security problems are nowadays found by special testing programs that run a lot of tests and look for memory overflows and many, many, many other things.


    There is also the aspect of the office file format. Old MS-Office formats were binary formats that really only Microsoft knows how they are written, so a few years ago there was a debate about how much personal info (like IP address etc.) is stored in this closed format. So I would suggest using an open, non-binary office document format; it is less likely that something too personal is stored in it.


    In my humble opinion, how you protect your files in general is a way, way more important question than a secure office program…


    It is hard to write more details when only a small amount of info was provided by you.
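The privacy point in the answer above (author details stored inside the office file) can be checked directly, because an ODF document is a ZIP package whose `meta.xml` holds the author fields. The following is an added example, not part of the original posts; the function names, the choice of fields and the sample package are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
      "meta": "urn:oasis:names:tc:opendocument:xmlns:meta:1.0",
      "dc": "http://purl.org/dc/elements/1.1/"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# ODF meta.xml elements that identify the author or the software used.
PERSONAL = ["meta:initial-creator", "dc:creator", "meta:printed-by", "meta:generator"]

def audit(odf_bytes):
    """Return {element: text} for identifying fields present in meta.xml."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as z:
        root = ET.fromstring(z.read("meta.xml"))
    hits = ((n, root.find(".//" + n, NS)) for n in PERSONAL)
    return {n: el.text for n, el in hits if el is not None and el.text}

def scrub(odf_bytes):
    """Return a copy of the package with the identifying fields removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read("meta.xml"))
        meta = root.find("office:meta", NS)
        for name in PERSONAL:
            for el in meta.findall(name, NS):
                meta.remove(el)
        clean = ET.tostring(root, encoding="utf-8", xml_declaration=True)
        for info in src.infolist():  # source order keeps "mimetype" first
            # ODF requires the mimetype entry to be first and uncompressed.
            mode = zipfile.ZIP_STORED if info.filename == "mimetype" else zipfile.ZIP_DEFLATED
            data = clean if info.filename == "meta.xml" else src.read(info)
            dst.writestr(info.filename, data, compress_type=mode)
    return out.getvalue()

def make_sample():
    """Constructed minimal ODF-like package; the author name is made up."""
    meta = ('<office:document-meta xmlns:office="%(office)s" xmlns:meta="%(meta)s" '
            'xmlns:dc="%(dc)s"><office:meta><meta:initial-creator>Jane Example'
            '</meta:initial-creator><dc:creator>Jane Example</dc:creator>'
            '<dc:title>Q3 notes</dc:title></office:meta></office:document-meta>') % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("meta.xml", meta)
    return buf.getvalue()
```

Only `meta.xml` is covered here; tracked changes and comments inside `content.xml` can also carry author names and need to be accepted or removed in the editor before sharing.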

Good answer. One small point: “few hundred-thousands of line of code” should read “millions of lines of code” as LO currently has ~4m lines of C++ alone. MSO probably has tens of millions of LOC.

@L-user, many thanks for your prompt reply. As a former MS Office user, I’m a newbie in LO. I had no idea re the LO update plan. Thanks for the info/link. Re my concerns, all I want to know is just one thing: when needed, MS releases critical patches for MS Office, e.g.: http://technet.microsoft.com/en-us/security/bulletin/ms12-060

Does LO have a similar plan?

According to my knowledge, there is no such thing as a security bulletin. In LibreOffice there are just once-per-month updates and you should just install them. But most of the security problems in office programs (MS-Office and LibreOffice), in my humble opinion, have their origin in the poor security design of the operating system.

I still use Windows XP, and for many years I have used the DropMyRights program; see details if interested: http://news.cnet.com/8301-13554_3-9758770-33.html This is a freeware program written by a Microsoft employee. The main goal is to run any kind of program on as-low-as-possible security priorities. So you run any kind of program (especially the ones accessing the internet - web browser, e-mail program, office programs if opening strange documents with unknown users’ macros, etc.) in a security-restricted sandbox.

In this case, any kind of security exploit in an office program that would lead to unrestricted superuser privileges is eliminated in the first place - the office program is started in a security sandbox.

You didn’t specify your operating system name and version. Windows security has improved in newer versions of Windows (not running programs as administrator is a big deal), but what I dislike is that escalation can easily be obtained by presenting a question to the end user; most end users just accept security questions. So sandboxing is, in my humble opinion, the better option, because if the end user accepts some security question, it can’t break out of the sandbox.

Apart from the scheduled updates every 1-2 months, there is a list of applied security fixes.

The Document Foundation releases bugfix versions of LibreOffice from stable branches every 1-2 months - usually for six months from the date of the .0 release. These bugfixes may include security fixes, too. This is great; however, if people are concerned about security and need faster turnaround or longer-term support, they can buy support services from companies such as Collabora. LibreOffice from Collabora (https://libreoffice-from-collabora.com) is supported for three years – with security, maintenance and bug fixes – from the date of release, much longer than the community release.