Journalists encounter electronic documents in a variety of formats in the course of their work. Spreadsheets documenting a politician’s expenses might show evidence of a lavish party taking place during a health lockdown. A PDF file might contain a proposal for a controversial military operation.
However, these documents could be digital traps, sprung by adversaries to gain access to a newsroom’s files. Any electronic document may contain malware targeting the software that’s used to open it. In the worst case, a powerful attacker may exploit a vulnerability for which there aren’t yet any security updates.
To address those risks, Dangerzone was initially developed by Micah Lee, a journalist, security engineer, and software developer. It is a cross-platform application for Mac, Windows, Linux, and Qubes OS to help anyone review electronic documents with significantly reduced risk. It does this by essentially creating a “virtual photocopy” of the document in a secure sandbox.
In 2022, Freedom of the Press Foundation (FPF) took on the continued development and improvement of Dangerzone in partnership with Lee. When it comes to security, we believe that journalists shouldn’t just have to take our word for it. That’s why, with support from the Open Technology Fund, we requested an independent security audit of the software.
In December 2023, Include Security completed an audit of the Dangerzone application and website, in a span of 12 days. This included exploratory use of the tool, manual code review, manual dynamic testing, software scans, an architecture review, a sandbox configuration review, and a review of our preliminary support for Qubes OS.
Include Security identified the following categories and numbers of findings: “Critical-Risk”: 0; “High-Risk”: 0; “Medium-Risk”: 0; and “Low-Risk”: 3. The Dangerzone team has already prioritized work on the low-risk and informational findings. Please find the full report, and our assessment of selected findings, below.
Our work on Dangerzone is far from over. With help from OTF, we are currently undertaking a review of Dangerzone’s user experience. We are also making continued architectural improvements to lay the groundwork for simpler installation, quicker updates, and new functionality. To stay up-to-date, follow Dangerzone on Mastodon.
Audit findings and next steps
We encourage users to read the security assessment of Dangerzone (FPF copy · Include Security copy), which documents the findings in great detail. As developers of Dangerzone, we would like to highlight findings L1, L2, and I7, and mention our course of action.
L1: [macOS] Opportunities for macOS Client Entitlements Hardening
For macOS, Include Security suggested that we can further harden the Dangerzone application, i.e., the graphical user interface that users see. Note that attackers cannot directly target the Dangerzone application, but it's still important to protect it, since it interacts with the files that have been produced in the untrusted conversion sandbox. The proposed way to harden the Dangerzone application is via stricter macOS entitlements, which we are actively working on.
Next steps: We are tackling this issue. For technical details and progress updates, see https://github.com/freedomofpress/dangerzone/issues/638
L2: [macOS] [Windows] [Linux] [QubesOS] LibreOffice Security Hardening Options
Dangerzone uses the LibreOffice suite internally for opening some document types. Include Security pointed out a new LibreOffice setting that disables potentially security-sensitive features en masse. Dangerzone already opens documents with macro execution disabled, but disabling other unnecessary features is a very welcome addition.
Next steps: We plan to enable this security setting in a future release. For technical details and updates, see https://github.com/freedomofpress/dangerzone/issues/379
I7: [macOS] [Windows] [Linux] [QubesOS] Out-of-Date Libraries in Use
Dangerzone is designed under the assumption that, sooner or later, attackers will gain access to the untrusted sandbox. This can be achieved via a specially crafted document that targets a vulnerability within the sandbox. That's why we harden this sandbox to ensure that even in that case, the malware stays contained.
However, our goal is to ensure that the sandbox has no known vulnerabilities by keeping it as up-to-date as possible. Our container image is continuously scanned against known CVEs, or common vulnerabilities and exposures, and we are committed to releasing a new Dangerzone version whenever a CVE critically impacts the security of the sandbox. The 0.5.1 release, which happened during the security audit and addressed the CVE findings, is an example of our policy in action.
Next steps: We plan to make container updates more frequent and noninteractive, so that users are protected in depth. For technical details and news, see https://github.com/freedomofpress/dangerzone/issues/698
Breakdown of all findings
The following table provides background or a relevant tracking issue for all audit findings.
| Finding in report | Issue or status |
|---|---|
| L1: [macOS] Opportunities for macOS Client Entitlements Hardening | https://github.com/freedomofpress/dangerzone/issues/638 |
| L2: [macOS] [Windows] [Linux] [QubesOS] LibreOffice Security Hardening Options | https://github.com/freedomofpress/dangerzone/issues/379 |
| L3: [Web] Deprecated TLS Ciphers Supported | Addressed during audit |
| I1: [macOS] [Windows] [Linux] [QubesOS] Nonessential Binaries Included in Container Images | https://github.com/freedomofpress/dangerzone/issues/691 |
| I2: [macOS] [Windows] [Linux] [QubesOS] Missing Password Protection Feature | https://github.com/freedomofpress/dangerzone/issues/692 |
| I3: [macOS] [Windows] [Linux] Missing Software Status Check of Docker and Docker Desktop | https://github.com/freedomofpress/dangerzone/issues/693 |
| I4: [CLI] dangerzone-cli Disclosed File Names to Shell History | https://github.com/freedomofpress/dangerzone/issues/694 |
| I5: [macOS] [Windows] [Linux] [QubesOS] Limited User Feedback for File Conversion Process | https://github.com/freedomofpress/dangerzone/issues/695 |
| I6: [macOS] [Windows] [Linux] [QubesOS] Possible Attack Vector via OCR Engine | https://github.com/freedomofpress/dangerzone/issues/696 |
| I7: [macOS] [Windows] [Linux] [QubesOS] Out-of-Date Libraries in Use | The particular issue was resolved in v0.5.1. The wider issue had to do with how to ship faster updates. Part of that is being able to ship container-only updates and potentially moving the pixels-to-PDF part to the host. |