Security Software

Exploitable Buffer Overflow in OpenOffice.org

Posted by timothy
from the doc-should-lose-its-license dept.
Memorize writes "It turns out that OpenOffice.org can't read MS Office documents safely, either. A buffer overflow in OpenOffice.org has been confirmed and would allow an attacker to write a specially-constructed .doc file that will take control over an OpenOffice.org user's machine. This vulnerability is exploitable and it exists on every computer with OpenOffice 1.14 or 2.0b installed. OpenOffice.org will have a fix ready within days, but how quickly will Linux users patch? This paves the way for Linux users to be vulnerable to a virus that spreads by sending itself as email attachments which unsuspecting users then open. Could the first real Linux virus be drawing near?" Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application."
  • by ivan256 (17499) *
    Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application."

    While running openoffice as root...

    Not to mention that you don't need openoffice for this at all. If you can convince somebody to open a rogue document, you probably can convince them to run some application or script. Either way... Not root? Not a problem.
    • Either way... Not root? Not a problem

      If you don't value your personal data, maybe... In a personal system, the only really important thing for 99% of users is their home directory. (Yes, I pulled that number from my ass, but you get the point ;)
      • yes i pulled that number from my ass

        I wouldn't worry about flouting numerical integrity - you're well within tolerance for the 78.26% of statistics that are made up on the spot.
    • Re:Virus? (Score:3, Insightful)

      by RdsArts (667685)
      Why would you need to be root to execute code?

      Ya, and if I can convince anyone to open an HTML file or look at a JPEG, the silly fool deserves what they get, right? It's a fucking DOC file. If you can get malicious code run from opening a non-executable file it is a big fucking problem.
      • Hmm... an unsolicited e-mail from a complete stranger containing an attachment about making my penis larger?

        If they know that much about my penis, then surely they know what's good for my computer, too.

        Sounds safe to me!

      • Ya, and if I can convince anyone to open an HTML file or look at a JPEG, the silly fool deserves what they get, right? It's a fucking DOC file. If you can get malicious code run from opening a non-executable file it is a big fucking problem.

        I agree and I disagree. One, HTML files can contain javascript. By design such are on web pages and should be immune from malicious actions as the opener is most often not the original person. Two, JPG files are images. They do not contain any scripting/macro langua
    • Re:Virus? (Score:2, Insightful)

      by Nos. (179609)
      It's not hard to convince someone to open the document... .doc files fly around in emails all the time, and often turn up in search results on Google. It would be no harder to get them to open a rogue .doc than it would be to get them to open a .pdf
    • Re:Virus? (Score:5, Insightful)

      by ChiralSoftware (743411) <info@chiralsoftware.net> on Thursday April 14, 2005 @01:54PM (#12236906) Homepage
      That is not an accurate assessment. You don't need to be running OOo as root to get hit. Malware can do plenty of damage without needing root privileges. The biggest piece of damage such a virus could do is... look in the user's mailbox and send itself on to all the email addresses it finds, which just happens to be exactly what all these Outlook viruses do.

      The fact that Linux separates users from root won't prevent this hypothetical virus from acting just like a lot of Outlook viruses.

      Also, getting someone to open a script is quite different from getting someone to open an OOo document. Most mail readers will present one or more dialog boxes asking "are you sure you want to do this" before they run a script or application, and they will probably have you choose an application to use to open it, whereas most are configured to open up .doc documents without asking anything. It all comes down to MIME types. There is a MIME type that lets Kmail (etc) easily open MS Word documents but there is no MIME type that associates a shell script with the application "/bin/sh", for example. I'm sure some thought was given to security when putting together the MIME types, and no one assumed that OOo would be exploitable like this.

      As a side note, this really shows the value of XML-based document formats vs. weird proprietary binary formats (ie, MS Word). You can't exploit software that's based on XML because all such software uses off-the-shelf, open source XML parsers which have been so thoroughly tested, debugged, scrutinized and hammered on that the chances of an overflow are very very low. Also the format is saner and it's easier for a human to write code to parse it.

      • The biggest piece of damage such a virus could do is... look in the user's mailbox and send itself on to all the email addresses it finds

        I could think of worse things.. Like harvesting my IM passwords, which Gaim stores unencrypted because I'm lazy and checked 'save password'. Or sending itself to everyone on my buddy list. Or installing malicious plugins/extensions into my Firefox profile. Or proxying traffic for botnets or DDoS attacks. Or just sitting there silently waiting for me to type my root
      • There is a MIME type that lets Kmail (etc) easily open MS Word documents but there is no MIME type that associates a shell script with the application "/bin/sh", for example. I'm sure some thought was given to security when putting together the MIME types, and no one assumed that OOo would be exploitable like this.

        Besides application/x-sh [www.ltsw.se] you mean. I'm fairly certain 'security' wasn't a concern when developing MIME types. They're simply types that roughly describe a chunk of data. They're not the attachme
      • Malware can do plenty of damage without needing root privileges.

        It could even be posited that malware can do MORE damage without root privileges. Malware that does big nasty drastic things to the host system is self-extinguishing. The nastier malware is the kind that is more insidious and less easily detected.

        And, as people have said here repeatedly, it's what is in the user's home directory, i.e. the stuff s/he DOES have write access to, that is usually the most valuable data on the kind of system a
    • Re:Virus? (Score:5, Insightful)

      by bushidocoder (550265) on Thursday April 14, 2005 @01:59PM (#12236970) Homepage
      Either way... Not root? Not a problem.

      I get really sick of this kind of thinking. Whether I run as root or not, an exploit in a desktop application can affect anything in my user's space - it can delete all my files (or worse, slightly modify them all so I won't notice for a while). It can read and sniff all my email. It can install and run sniffer applications, so long as they run in my context. Given that most people do 99% of their work in their user context, it has the capacity to affect 99% of their work.

      Personally, between having my box turned into a zombie machine spamming the rest of the free world, and having someone intelligently attack my mailbox and web history and potentially discovering one or more of my accounts someplace, I'd take the zombie machine - that's a lot easier to fix than someone cracking open my bank account.

      That's not to say that running as root is a good idea - it's horrible. You can screw around with someone a lot more with admin privileges on a box than you can without. All of the attacks capable of running as a lesser user are still available (and easier most of the time) running as root, plus a couple thousand more, and it's much harder for normal users to determine that they have been penetrated when the attack is at an admin level. But an exploit at ANY level is dangerous, and pretending that's not the case is not helpful.

      • Obviously you are not running a machine with 100s of users. If you were you would know the difference, a single user that is exploited costs much less than a root exploit. The root exploit costs everyone, which can amount to millions of dollars in downtime. The local exploit costs one person, less time because you just restore from backups. (You do have backups, right?)

        Yes a local non-root exploit is bad. However it is nowhere near as serious as a root exploit.

    • My friends have this odd tendency to send cute little PowerPoint presentations to me. Some of them are rather neat (like one showing the stages in creation of an airport raised from the ocean). I tend to use OO to open them because it won't execute some of the nasty macro viruses etc. that MS Office might... but it appears one still has to be wary.
    • "While running openoffice as root..."

      Yes. Because they can't do any damage running as a normal user.

      Except for running spyware and deleting all your files.
  • by aurum42 (712010) on Thursday April 14, 2005 @01:43PM (#12236732)
    Is OO running setuid root for some reason?
    • The virus could do just as much damage running as the regular user. It could become a spam zombie, ddos zombie, anything. You don't need to be root to run a server that binds to a port! You only need to be root to run one that binds to a port under the 1k boundary.

      So, they could:
      1) Set up a file sharing hub
      2) Set up a spam zombie
      3) Set up a ddos zombie
      4) Spread the virus further (using your address book)
      5) Phone home for an escalation exploit.

      The only thing they can't really do without root access is mod
  • WTF, an eweek article for non-technical people, no real security advisor about the flaw? Is the malign injectable code platform-specific? Does it use the OOo macro language (I doubt it since it needs a .doc format, but who knows), or call 'real' functions from the host platform?
  • by mokiejovis (540519) on Thursday April 14, 2005 @01:45PM (#12236770)
    Regardless of whether or not users would have to open a malicious document with an unpatched application, I think the story poster is reasonable when positing the opinion that Linux viruses may be on their way. Daily, Microsoft users open malicious documents in their email with unpatched applications.

    Certainly, not all Linux users are power users, and even then they may or may not be aware of whether or not their application needs to be patched, or could be duped into opening an email.
    • Regardless of whether or not users would have to open a malicious document with an unpatched application...

      For that matter, isn't that the very definition of a virus, as opposed to a worm?

    • Every time we see an article about some brand-new vulnerability in some open-source apps, we always hear the same chorus of "open-source is only more secure because it's less popular! Once it's as popular as Windows, you'll be in the same spyware-ridden mess!" and then we always hear the counter-chorus of "no, open-source software is designed from the ground up to be more secure, it'll never happen!". I've always agreed with the latter, but lately I've had second thoughts.

      For example, there was a privi

      • If "design[ing] from the ground up to be more secure" is actually a point of the open source movement it is a mistake. After a certain amount of complexity, people are sure to inadvertently write buggy programs. There's nothing wrong with trying to design secure programs from the start, but inevitably bugs will be found. Therefore to promise secure design from the start is a lie.

        The free software movement, by contrast, avoids that lie because it offers a different message. The free software movement's


    • A possible software exploit that could possibly be exploited on a Linux system (or Windows...) gets discovered and it gets major air time and citizens running screaming in the streets...

      If someone finds a virus/worm/trojan on the Windows platform that has definitely compromised thousands of systems, all you get is a little alert to say please update your virus definitions.

      This should say more about Linux's reputation and record for security than anything. This will already be patched, I imagine.
  • by El (94934) on Thursday April 14, 2005 @01:46PM (#12236782)
    The OpenOffice developers MUST be copying Microsoft code!
  • by r_naked (150044) on Thursday April 14, 2005 @01:49PM (#12236843) Homepage
    "Could the first real Linux virus be drawing near?" Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application." Hmmm, so, Linux is secure because its users are more intelligent than Windows users? Or is it that Linux is such a pain in the ass to use as a desktop OS that you have no choice but to have a PhD in CS to use it and therefore would know not to open an unknown attachment. I just love the double standards. PS - I know quite a few people that use Linux as a desktop OS that would blindly open an attachment.
    • by 0x461FAB0BD7D2 (812236) on Thursday April 14, 2005 @01:57PM (#12236946) Journal
      Perhaps, more interestingly, Linux users would be more willing to open malicious documents convinced that viruses and worms are the sole domain of Windows.

      I would guess that generally speaking though, Linux users are a tad more tech-savvy than the Windows users, at least at this point. Not because of any bias, but simply because the majority of Linux users currently are the tech-oriented, as they are always amongst the first adopters of new technology.
      • Maybe. However most linux mailers default to not running programs (javascript in HTML, or just binaries) received via email. Most linux users are not running as root, which limits a virus somewhat. (particularly on a multi-user system)

        Most Microsoft Windows users have a mailer that runs programs by default. (though I understand this has gotten a lot better in the last few years) Most Microsoft Windows users are running as administrator, so anything that breaks in gets full power over the system with

        • This is true. However, as more people use Linux, or any Unix variant, we'll see more people running as root by default.

          I've seen seasoned Mac users who hate typing passwords for messing with protected files and folders, effectively putting them in the same class as Windows users who run as Administrator. Although they understand the security implications of this, they just wish it wasn't so annoying.

          Even though Linux applications generally tend to stay simple, and thus don't add features like running Java
    • Hmmm, so, Linux is secure because its users are more intelligent than Windows users? Or is it that Linux is such a pain in the ass to use as a desktop OS that you have no choice but to have a PhD in CS to use it and therefore would know not to open an unknown attachment. I just love the double standards.

      But you don't need a PhD to understand the virus problem. A little common sense can tell you not to open every attachment you get.

      It's a lot like practicing safe sex: You don't need a PhD in virology to

    • Could the first real Linux virus be drawing near?

      Really, viruses are beside the point and have little to do with buffer overflows, which are common vulnerabilities in regards to software development no matter what platform you are using.


      Hmmm, so, Linux is secure because its users are more intelligent than windows users?...


      No, the person who posted the article is missing the point. The security of Linux against viruses lies in user/group/ACLs applied to the filesystem to keep malicious programs from sprea
  • Then there would never be buffer overflow exploits.

    See http://developers.slashdot.org/article.pl?sid=05/03/28/2218246 [slashdot.org]
  • I think concerns about the vulnerability from this are overstated. Especially since 2.0 is in beta, so the official version will contain the fix.

    In which case, this is really a reason why there will be at least one less vulnerability.
    • I don't particularly have any concerns about vulnerability. In my experience, OpenOffice freezes the X session so frequently, you're not going to open any document you don't absolutely HAVE to open.

      My concern is primarily that so many Linux users have had a false sense of security instilled by the repetition of "Linux isn't vulnerable to virus infection". This makes them *more* vulnerable when a vulnerability pops up, and there's no way to be sure how MUCH more vulnerable. The human element is always the w
      • True, but the flip side is, many of us update our software much more frequently, and thus acquire protection.

        You're right about the human element, though.
  • So, what's the problem? Just don't open any .doc files as root for a few days.
  • by Dammital (220641) on Thursday April 14, 2005 @02:09PM (#12237086)
    The fix for Gentoo bug #88863 [gentoo.org] was marked stable for x86 yesterday. Sometimes there's some value in compiling your own.

    Yeah, I'm a fanboy.
  • And this just begs the question: What are these people doing, where such that they could allow such a blunder? Isn't this the kind of mistakes that coked-up... Oh. Wait. This is NOT a Microsoft product? Oh. SORRY!
  • All six people running OO sure are going to be in trouble!
  • Here is the patch (Score:3, Informative)

    by dolmen.fr (583400) on Thursday April 14, 2005 @02:21PM (#12237236) Homepage
    • In hex, my user id is a palindrome

      We should start The Cult of the Palindromic Slashbots or something.

      I'm 87F78, pleased to meet you 8E6E8. You can just call me 10000111111101111000 for short.
  • OpenOffice.org will have a fix ready within days, but how quickly will Linux users patch?

    However long it takes emerge to finish. Duh.
  • Yay for binary formats, they're so easy to perfectly parse. Oh wait...
  • by brunes69 (86786)

    This paves the way for Linux users to be vulnerable to a virus that spreads by sending itself as email attachments which unsuspecting users then open. Could the first real Linux virus be drawing near?

    No. Not unless you are for some ungodly reason running your OpenOffice as root and reading your email with it. The virus could not replicate to the operating system, so its impact is minimal. Yes, it *could* delete the contents of your ~/. But you have that backed up, right? Right.

  • A lot of people have been arguing that Linux is safe from viruses because users don't run as root unless they need to.

    A virus, worm, or trojan would not need to run as root to be effective. You don't need root to save programs to my home directory and execute them, or to send email. You don't need root to read almost every file in the file system (on most default setups). You don't need root to listen on high ports.

    The real reasons why Linux has fewer viruses:

    Executable flag:
    If a file is saved to the dis
