First OpenOffice Virus, Not In the Wild

NZheretic writes "According to APCmag, the first cross-platform OpenOffice.org virus — 'SB/Badbunny-A' — was emailed directly to Sophos from the virus developers. The proof-of-concept virus affects Windows, Mac OS X, and Linux systems and uses different methods on each. It has not yet been seen in the wild. Despite Sun's OpenOffice.org developer Malte Timmermann's claims to the contrary, this kind of embedded scripting attack represents a real threat to OpenOffice.org users. Back in June 2000 when Sun first announced the open sourcing of OpenOffice.org, the twelfth email to the open discussion list put forward a two-part solution for providing OpenOffice users with Safe(r) Scripting using restricted-mode execution by default and access by signed digital certificates. In October 2000 the issue of treating security as an 'add-on' feature rather than as a 'system property' was again raised. Is it time to now introduce such measures to the OpenOffice.org Core to greatly reduce any future risk from scripted infections?"

The real solution

[Rix]

Is to stop enabling scripting by default in software that has no real need of scripting. Hasn't even Microsoft learnt this by now?

Re:The real solution

[saibot834]

The real solution is to be careful wherever you can. Don't open email attachments of an unknown sender. Don't visit untrustworthy websites. Caution is still the best weapon against viruses.

Re:The real solution

[needacoolnickname]

What is an untrustworthy website?

Re:The real solution

[u-bend]

I dunno, doesn't call after the first date, doesn't stick up for you in a debate, cheats on you, and lies about it.

Re:The real solution - Replying to myself

[needacoolnickname]

I should have put a bit more thought into that.

I read this all the time. Don't go to untrustworthy websites.

What should one do? Should they run a whois on every site before going to it? Should they then run a background check on the site owner and the technical contact, if it's not bogus or private? What if it is? Then what does a person do?

People who go to warez sites or any movie/music download site they can find off a search engine deserve what befalls their computer - because one has to take risk f

Re:

[Anonymous Coward]

A untrustworthy website is a website that
- has content linked in (THAT would open a whole can of trust-this-trust-that now would it!)
- has bugs in web, app or db server.
- accepts malicious content including links to content
- you don't know if you can trust everyone with or who could get admin access to that server.

More or less. But it cant be that hard now can it, because I've heard of people making these decisions in realtime, while they surf.

Re:The real solution

[morgan_greywolf]

A untrustworthy website is a website that
- has content linked in (THAT would open a whole can of trust-this-trust-that now would it!)
- has bugs in web, app or db server.
- accepts malicious content including links to content
- you don't know if you can trust everyone with or who could get admin access to that server.

Hmmm...this sounds familiar.

I think you just described Slashdot.

-- a really old /. user who remembers ALL the bugs in slash and MySQL that plagued this site.

Re:

[roman_mir]

-- a really old /. user who remembers ALL the bugs in slash and MySQL that plagued this site. - said morgan_greywolf (835522)

Re:

[morgan_greywolf]

My other account, which I no longer use, is *5* digits, young-un.

Re:

[morgan_greywolf]

Correction -- low 5-digits.

Re:

[Teun]

My other account, which I no longer use, is *5* digits, young-un.
Correction -- low 5-digits.

So old you can't remember the password...
No not the account, I mean you ;)

Re:

[gbjbaanb]

... and my other car is a Porsche...

Re:

[roman_mir]

pffft, my other account is 2 digits, but that doesn't stop me from not complaining.

Re:

[fluffman86]

I really like McAfee SiteAdvisor [download.com] to help me decide. It's available as a Firefox extension and turns green if a site is not known to have any bad downloads or send unwanted emails. It's gray if unknown, and red if a site has malicious downloads or sends out a lot of emails. It's by no means an excuse for not using your brain FIRST, but it helps sometimes.

Re:

[spikedvodka]

but... see http://yro.slashdot.org/article.pl?sid=07/05/22/22 23236 [slashdot.org] Won't that send all of your browsing habits to McAfee?
(likewise with the new anti-phishing things in FF/IE7)

Re:

[Pollardito]

i don't know, but once we've gathered together a list i say we make an .untrustworthy TLD and force them all to switch-over to that

Re:

[LiquidCoooled]

Don't open email attachments of an unknown sender

Many people get viruses (appearing to come) from well known trusted sources, so this advice is wrong.

The correct thing to say is:

Don't open unsolicited attachments or files, ever .

If in doubt, speak to the sender and confirm its validity.

The real problem

[Anonymous Coward]

Scripting itself is a virus that spreads through programmers: once a programmer has seen scripting somewhere it doesn't belong, he feels a sudden urge to add scripting to the project he's working on.

Re:

[Normal Dan]

The trouble with this solution is customers want things to just work. They do not want to have to mess with security settings. If all scripting is disabled, people will get frustrated and blame the program instead of the file, then use a different program.

I have seen this happen with web pages and FireFox. People complain that FireFox does not work with several web pages, when in reality, those web pages (which are tailored for IE) do not work with FireFox.

etc.

Re:The real solution

[truthsearch]

Ever work in a financial company? Some live almost entirely off of their scripted Excel spreadsheets. There is a lot of value in allowing spreadsheets to support scripting. But it's the abilities of those scripting languages that's a real problem. Just like JavaScript needs to be limited in scope within a web browser, so too should the spreadsheet scripts. Unfortunately these office suite scripts are often used for things like disk access to import data.

Most people don't work in financial companies

[Rix]

Those that do can enable scripting. There's no reason to expose the vast majority who will never, ever, use that functionality to the risk. Which is why I said "disable by default" and not "rip it out and burn it".

You are correct that vulnerable functionality should be in a protected wrapper. However, this will simply reduce, not eliminate shenanigans. Clever monkeys will still find a way.

Not just finance companies - even departments

[jimicus]

In any company, there's a whole bunch of departments other than IT.

Those departments don't always fancy calling the IT department when they have an IT requirement - particularly if it doesn't seem that complicated. There is always someone in the department who knows their way around Excel (and possibly Access) better than any of their colleagues. So they cobble something together in some 'orrible mess of VB macros linking who knows what files, referential integrity or scalable design be damned.

Were you to audit any sizeable business for spreadsheets made somehow interactive with scripts and badly designed databases thrown together in Access, I guarantee you'd be amazed and disturbed in equal measure. And you really don't want to start trying to figure out which ones have somehow become critical to the business.

This has been going on for years. Try taking that functionality away today, you might as well suggest replacing their computers with slide rules.

Re:

[radarsat1]

Unfortunately these office suite scripts are often used for things like disk access to import data.

And that, of course, is almost directly related to the fact that the MS file formats are closed. With an open format like ODF, scripts for importing data aren't critical, since it's quite easy instead for a program to export it in the proper format, or to write an external script or program to transform data into ODF format. After all, it's XML.

Unfortunately MS has trained industry to rely on scripting to

Re:

[EvilSS]

since it's quite easy instead for a program to export it in the proper format

This is also the case with MS Office. Microsoft provides COM interfaces to the office products that can be used to generate documents. I do this all the time with Excel. It is actually very simple to use and well documented.

Re:

[Dog-Cow]

You are an idiot. An Excel script that manipulates data from external sources isn't going to wait around for you to manually fill in a bunch of worksheet tabs. It's going to do the import on its own and massage the data according to the needs of the end-user. You wouldn't write a perl script that asks you to input thousands of lines of data from the terminal, would you? I'd hope you'd expect it to read from any files as necessary.

Yes, I know that STDIN can be one of the files, but that only works if the

Re:

[ozmanjusri]

"An Excel script that manipulates data from external sources isn't going to wait around for you to manually fill in a bunch of worksheet tabs."

And there's the problem right there. CSV can't contain tabs, formatting data, formulas etc, etc.

ODF is an open text-based format that any program capable of outputting ascii can create, and which can contain that metadata. You
Reckon you coul write a Perl script to output;

<formula="oooc:=SUM([.A2:.A4])" office:value-type="float"

Re:

[ronanbear]

All or nothing script/macro access where your options are confined to on/off/ask are such an obvious problem I'm amazed that they're not taken more seriously.

I don't get why anyone (with the users interests at heart) would add office scripting functionality without adding some form of permissions. Maybe back in the days before networking it was practical because most files were created on the computer itself or came on a trusted disk.

It's not even an option to inspect macros on Office before opening the fil

Re:

[CastrTroy]

I never really understood the need for scripting in an office application myself. I certainly think it causes more problems then it solves. And not just in the security aspects. It seems to me that the only things that result from scripting is security holes, and tying the user to the word processor, ala, we can't use OpenOffice, because we've programmed our entire business into MS Word macros, making it impossible to switch. Also, when scripting is provided, it should be sandboxed to ensure that nothing

The real problem - legacy code.

[Shoeler]

OOo's problem IMHO is that it's an old program suite masquerading as new material. The backwards compatibility, which is necessary to its continued growth, is its albatross.

I am a developer, but the caveot is I don't know jack about the code and its current iteration. I could and may be way off base, but here goes anyway.

The only way you'll ever address it is to start. From scratch. Build the core of the program with security in mind. Converters have to pass through that core security layer. Add-ons n

Re:

[Serious Simon]

Not enabling scripting by default is *exactly* what is implemented in OpenOffice.org. The user has to explicitly allow macros to be executed before such a "virus" could do any damage or spread itself. So this "bad bunny" hardly poses any threat.

Re:

[Red Flayer]

As with alot of todays big worms, the best deffense is the mouse and keybord and the mind of the end user.

I'd contend that those are more often the worst defense. :)

Re:OO already does that.

[Macthorpe]

OO's default is to not run macros. The user get's a warning and has to say "yes" to the thing. This is the best that can be done and still be "compatible" with M$ Office.

Isn't this the exact same 'security feature' that you've been saying is so shit about Vista?

Re:

[Macthorpe]

Are you going to clarify that, because I was under the impression that offering the user a Yes/No choice when asking to run something risky was exactly what UAC is.

Re:

[Macthorpe]

Isn't that more of an indication that an operating system does far more than a Word clone?

Re:

[dedazo]

Oh, and by the way, have you ever heard of a malicious device driver?

Clearly you've missed the whole point of UAC. It's designed to let you carry out an action that requires administrative rights, while running under a non-admin account. Ever see that KDE or GNOME root prompt when you open an admin tool? Same thing. If you're installing a driver, it's assumed you are already an administrator and generally know what you're doing, so there's no need for a prompt. If you're running in 32-bits, you get a warn

Re:

[dedazo]

Your RSS reader is accessing something it really shouldn't. A lot of software does and will continue to think it has the go of the whole box. Unfortunately that will only change with time.

I can't think of a scenario where an app like an RSS reader would need admin-type access, so if possible I'd suggest you notify the creators and tell them it breaks in Vista.

What reader is this? Personally I use Google Reader so I'm not familiar with the desktop apps.

Re:

[dedazo]

I believe that the intent is to force the people who create the applications to clean up their act and release software that does not behave that way. If you ask me, they should have done this in the 9x->2K transition and we'd be all the better for it, but backwards compatibility simply didn't allow that.

Seriously, I suggest you drop that app, and send an email to the publisher detailing why you did it. I dropped three or four apps myself when I moved to Vista. Either I can live with the hassle because

Re:

[SEMW]

Installing applications? I don't need a warning when I'm installing an application. I know that I'm installing an application.

[...]

Oh, and by the way, have you ever heard of a malicious device driver?

How you never heard of a malicious program? Apparently not. Which is strange, because trust me, there are LOTS of them around in the Windows world. Yes, you know when you're installing an application -- that's the whole point! The prompt is asking you "Have you just double clicked on the installer of a program you wish to install, or have I just popped up seemingly for no reason whilst you were browsing dodgy websites?" If the former, then you click 'allow'; if the latter, you click 'cancel' and go to

Re:

[Quantam]

"Installing applications? I don't need a warning when I'm installing an application. I know that I'm installing an application."

Oh wow! A celebrity on Slashdot! Everyone say hello to Dilbert's boss!

"Oh, and by the way, have you ever heard of a malicious device driver?"

They're called rootkits, Jim. Maybe you've heard of them.

Somehow I have a feeling that the joke's gonna be on me: that this guy was just trying to see how dumb people would believe he is, and isn't really that stupid. At least that would prese

Re:

[Macthorpe]

I know that, and you know that. I'm here to make sure everyone else does :)

O RLY

[dedazo]

The user get's a warning and has to say "yes" to the thing

And this is different from "M$" Office in what way?

Re:

[dedazo]

The M$ default is to run it

No, the 'default' is to ask you what you want to do.

and the user is root

If you are running under an admin account, it's by choice. Office (and Windows) works perfectly well under non-admin accounts.

costs about $400

This is relevant because...?

I can go on with this if you like.

Sure. If you're going to admit you're wrong then by all means. If you're going to keep doing the "well M$ is teh worse" logic, then no.

Why don't you just admit you're wrong? Is that so painful?

The backdoor from hell

[packetmon]

So how long should we count down to until someone embeds the backdoor from hell [infiltrated.net] in not only Linux, but Solaris [security-protocols.com], then the BSD's... As an FYI... I've got a functional backdoor-worm for Free and Open ... Just makes no sense to even post it. Many don't even get what I mean when I state "there is a world of pain coming your way if you do that [infiltrated.net]" ... Mark the calendars, I give it about 9 months before something ala SOBig/Blaster hits the *nix scene...

Re:The backdoor from hell

[truthsearch]

I give it about 9 months before something ala SOBig/Blaster hits the *nix scene...

You just conceived it? Congratulations! Do you have a name picked out?

Re:The backdoor from hell

[ettlz]

You just conceived it? Congratulations! Do you have a name picked out?

The "backdoor from hell" already has a name: hello.jpg.

saving Grandma from Linux ..

[rs232]

How will Grandma do any damage if she don't have root access. Can you point me to a URL or email me a link that runs venomous from a mouse click.

Re:

[Anonymous Coward]

Thank god /usr/bin is read-only! Its sentimental value is irreplaceable. Grandma can, of course, get /home back off the install disks. Hey, wait.

Re:

[MobyDisk]

How is this related to this discussion? The post links to a shell script that must be run as administrator. Not something that can be embedded into an OpenOffice Javas plug-in running as non-admin.

Re:

[jimicus]

FWIW, I agree that Unix, like any desktop computer system, is only as secure as the user who's sat in front of it.

IMO, all these people saying "Unix can't suffer from viruses therefore it's secure!" are living in a fools paradise where they don't appear to have realised that the "executable file infector which spreads when the infected file is executed"-type virus is all but dead, and most things described as viruses today would be more accurately described as trojans.

I don't think anything much will change

Virus Name

[T-Bone-T]

How does one come up with a name like "SB/Badbunny-A"? Virus names never make sense to me.

Re:

[Anonymous Coward]

FTFA

"The worm attempts to download and display an indecent JPEG image of a man wearing a bunny suit performing a sexual act in woodland."

Re:

[chill]

SB = StarBasic, because it is written as a StarBasic macro.
-A = First variant. If someone modifies it to do something else, then you'll see -B, -C, etc.

  Charles

Re:

[chill]

Dunno, I've never paid attention to racehorse names.

Each AV company names things slightly differently, but the general method is:

TYPE/Common-VARIANT

Type can be "W32" or "TROJ" or "VB" or "SB", etc.

Common is a descriptive common name. In this case, the virus places a file called badbunny.js or badbunny.py and downloads a file called badbunny.jpg. Thus "badbunny" was chosen.

Variant is usually alphabetic, starting with A and going into double letters (AA, AB, etc.) if necessary.

How are racehorses named?

Re:

[nuzak]

How do they deal with single names like Secretariat or Seabiscuit? Or is this a more recent convention?

Documents shouldn't run code

[Anonymous Coward]

Documents shouldn't run scripts unless explicitly authorized to do so. That goes for word processors, spreadsheets, PDF readers, email clients and web browsers. The problem is that the world is full of dickheads who needlessly distribute documents that require executing script, so users end up clicking yes every time.

Imagine how few viruses and trojans there would be if requiring script was the exception rather than an unfortunate rule.

Oh well, we can all dream.

Re:

[DragonWriter]

Documents shouldn't run scripts unless explicitly authorized to do so.

Running scripts should not be a binary issue. Scripts should always run, by default, in an appropriate security sandbox, and only get additional privileges through explicit user interaction or through some kind of trust mechanism.

Programs that load scripts from external sources should not be gaping security holes, just because I trust a program doesn't mean that my only choices with a script should be trust it as much as I trust the prog

Re:

[codemachine]

Sounds a lot like Java. Therefore it will never fly.

There will always be a vendor like MS to make everything so much easier for us, without thinking about the consequences. It will happen on Linux too. Some would argue it already is (just compare most Linux distros to OpenBSD for example), just not nearly as bad as on the Windows platform.

Featuritis is an illness that is cross platform I'm afraid. Many small and efficient projects seem to be doomed to become bloatware, once they've become popular.

Re:

[DragonWriter]

Sounds a lot like Java. Therefore it will never fly.

There will always be a vendor like MS to make everything so much easier for us, without thinking about the consequences. It will happen on Linux too.

Really, in this particular case, its an application issue not an OS issue, and its already happened with regard to plenty of Linux apps that support scripting.

Having a fairly secure OS doesn't you limited good if applications that run with reasonably broad permissions, for good reason, themselves serve as pla

Re:

[DragonWriter]

The usefulness of a scripts is often directly proportional to the privileges granted. Javascript is hobbled for use in browsers yet it plays a key role in the majority of browser security problems [mozilla.org] and what do you do when a script manages to break out of it's sandbox? Chroot or BSD jails are one thing but the average user will gladly grant a script extended privileges just to shoot the monkey.

You can't protect against gullible users. Any attempt at security that makes that a goal is just misgui

Re:

[Just Some Guy]

Documents shouldn't run scripts unless explicitly authorized to do so. That goes for word processors, spreadsheets, PDF readers, email clients and web browsers.

....except, of course, that PDFs are Turing-complete scripts that tend to make pretty pictures.

Why not use another alternative?

[El Icaro]

I realize this is just my case, but I only need Linux and I use Koffice for my office needs. I lack enough technical knowledge to prove it but it seems faster and lighter than OpenOffice. Are there any other free (either type) office packages on Windows? How about Mac?

Finally feature compatible with Office

[RobertM1968]

:BEGIN HUMOR:
Well, finally OpenOffice has become a viable Office Suite, having finally added the most notable features of Office, namely script exploit capabilities. It's about time... now there is nothing keeping people from switching to OO!!!
:END HUMOR:

OpenOffice team: WHY?? Are you NUTS??

[KWTm]

My previous posts have heaped enough criticism on OOo, so I won't do that here, no matter how good it might feel to vent my frustration.

What I want to do is figure out why OpenOffice is such a steaming pile of crap. Why would someone want such a slow, bloated program? Who decided it would be a good idea to turn on scripting by default? When are they going to make a decent user interface?[1] Well, I think I've figured out a few places where OOo is not like other open source software. Perhaps we could le

Re:

[KWTm]

Yeah, I heard the AbiWord spreadsheet is particularly good.

Yes, I think so too. (Well, Gnumeric [gnome.org] isn't officially part of Abiword, but you know what I mean --the default spreadsheet application on the Ubuntu GNOME desktop.) I use it despite having a KDE desktop.

Re:

[RobertM1968]

Oooh... I wonder how that will work on Vista?

Vista: Open Office wants permission to generate a pop-up requesting approval to run a possibly malicious script... Cancel/Allow

...Allow

OO: OO needs permission to run a script... Cancel/Allow

...Allow

Vista: Open Office is trying to run a script... Cancel/Allow

...Allow

Vista: Steve Ballmer is about to throw a chair at you... Allow/Duck & Allow

So what's this virus going to do again???

[brunes69]

So I open this OO doc in Linux.... is it going to read my address book and email itself to other people? No, OO does not have access to my Thunderbird address book.

Is it going to infect other binaries in my system? No, they're only writeable by root.

Oh wait this is how it works:

"SB/BadBunny-A spreads by dropping malicious script files that affect the behavior of the popular IRC programs mIRC and X-Chat, causing them send SB/BadBunny-A to other users. These malicious script files are named badbunny.py (for XChat) and script.ini (for mIRC, overwriting the existing mIRC file) and are also detected as SB/BadBunny-A."

So.. this "virus" relies on some twisted assumption that I use XChat, to send itself to other people RUNNING XCHAT, NOT OPEN OFFICE?!?

So tell me again how this is a virus? If I email you a shell script named "Click me.sh" than runs "rm -Rf ~/", is that a virus too?

Re:

[Macthorpe]

If I email you a shell script named "Click me.sh" than runs "rm -Rf ~/", is that a virus too?

If you listened to some of the people here, you would begin to think so.

Re:

[140Mandak262Jamuna]

You fail miserably as a budding virus author. Even a script kiddie knows you should sudo before you take malicious action. bah!

Re:

[Macthorpe]

Curses! Foiled AGAIN!

Re:

[mcrbids]

is it going to read my address book and email itself to other people? No, OO does not have access to my Thunderbird address book.

Why not? Ostensibly, OO will run as user YOU, and YOU have access to your Tbird address book, and so would OO. Unless you're running SE Linux like a bat out of hell (most people don't) or have chroot or suid set up. Most *nix users however, don't have this kind of set up.

Re:

[brunes69]

My point is it's Linux, there is no way for the virii writer to deduce what program I am using to manage my addresses. It could be thunderbird, it could be KABC, etc etc. He will either have to write a ton of code to catch all those cases, or not bother. Oh an even if he does OO will not let him execute a program to send mail.

Re:

[BosstonesOwn]

whereis insert_mailapp_here?

because we all uninstall everything we don't use right? you fail to see that they can be written to use other apps, this just happens to use mirc or xchat.

never underestimate a determined thief.

Re:

[idontgno]

If your victim is running Debian or one of its children, there are always alternatives. [debian-adm...ration.org]

Re:

[garett_spencley]

If the virus were to target a specific distro, like Ubuntu, then it could make assumptions. It could even check for both Evolution and Thunderbird in the OO user's home DIR and use either or if present.

If the virus creator were especially vigilant then they could test for all sorts of installed applications with existing and exploitable/profitable data under ~/

Re:

[joe 155]

"Unless you're running SE Linux like a bat out of hell"

You say it like there is something wrong with running SE Linux or that it will make your experience of Linux worse. I run it and I've only ever had one problem which we managed to diagnose and file a bugzilla report which got it fixed within 4 days... not bad really. I can honestly recommend it for everyone.

I do see the problem though which you mention, namely that you can still do enough damage whilst running as user - especially because it cou

Re:

[mibus]

Does anything stop this from saving a new ~/.bashrc with "rm -rf ~/*" in it?

yet another bogus Linux 'virus' story ..

[rs232]

This worm [theregister.co.uk] or virus [apcmag.com] depending on who is saying it, requires Perl, XChat and write and executable access to be able to run. None of which applies to any self respecting Linux users computer. Yet another bogus Linux 'virus' article. Must be a slow day for real news.

"They are attacking the vulnerability of people's brains [guardian.co.uk] ", Graham Cluley, Sophos

Re:

[geekoid]

I don't know of any wide distro that doesn't have Perl or xchat.
Getting write and execute permissions is a concern. Because they wider the Linux audience, the more people will want to double click on an attachment to see the 'dancing ponies' or whatever.

Sad, but true.

Re:

[MrSenile]

Actually, xchat isn't on my Slackware distribution for what it's worth.

Not that I use ICQ/Other much anyway, as it tends to be a security hole.

And when I do use it, it's chrooted to a protected account anyway.

Feel free to infect my chrooted jail all you want. Really :)

That's the biggest issue that I think a lot of Linux advocates are saying is the big difference between Windows and Linux.

Both don't protect against absolute incompetence, but if you're going to be boned, get boned on Linux. Most people who

Re:

[MooseTick]

"any self respecting Linux user"

Have you ever taken a look at who you are talking about?

Why must Sun

[gillbates]

Copy even Microsoft's mistakes?

I mean, really. We've known about macro viruses for 20 years, and the danger of putting executable code in documents for about the same, and yet, in 2007, an open-source application, backed by a major UNIX vendor is released with this vulnerability?

Apparently many eyes do not make bugs shallow. I guess the community was asleep at the switch. Or maybe, something in the process is broken. Or maybe Sun just doesn't care.

Now, lest you think this a troll, consider: Security and virus immunity have been a big selling point for open source systems. Until now. Sun is a large player in the open source arena, and this makes everyone else - secure or not - look bad. Security was the major selling point for OO, and now that it's questionable, I'm not sure where Sun is going to go with this: they can't compete with Microsoft on features, OO is far from a universal standard (which means you're going to be plagued with interoperability issues), and OO's last major selling point is that it is free as in beer.

Re:

[geekoid]

Did you read what needs to happen to run this virus?

hello?

Re:

[secPM_MS]

Users are impressed by features. Reviewers are impressed by features. The review articles are filled with tables tabulating what product has what feature. So people acquire stuff that has vast numbers of features that they will never use. Features sell. Just look at consumer products.

More features = more attack surface = lower security.

Running downloaded (generally untrusted) code = rich extensibility = bad security. After all, the code writer is doing what they want, not necesarily what you want.

T

Re:

[guruevi]

To say it with Gates' words: it's not a vulnerability, it's a feature.

If you RTFA it's not a self-propagating virus that doesn't require interaction or stupidity by the user. But then again, the general populus is stupid and clicks yes for everything.

It's a 'script' that does something bad, not a virus. It's not even close to a macro 'virus'. You could call it a trojan by a far call.

Re:

[bkr1_2k]

Not to be thick, but since when has security been a selling point for OO? I've heard a lot of things about OO over the years, but not once have I heard, or spoken of security as a selling point. Have I (and all my friends) been out of the loop somehow?

Most people don't consider security when they're thinking of writing a document. They think about how they format their documents, how people will read their documents, and how much that will cost them. Other than that, I think most people don't give a dam

Re:Why must Sun

[Serious Simon]

...copy Microsoft's mistakes?

Well, they DIDN'T.

The default behaviour of OpenOffice.org with a document containing macros is that the user has to explicitly allow them to run.

Re:

[account_deleted]

Comment removed based on user account deletion

In the darkest nightmares of Linux geeks....

[jd]

....Just when you thought it safe to go back to the wordprocessor....

(Cue screen of XRoach for no obvious reason)

....from the darkest of nightmares comes a haunting tale of OpenOffice viruses.....

(Images from DOOM, for the oblig. explosions and gratuitous violence)

....an innocent who went too far....

(Typing on an XChat console, the first related scene so far but still stupid)

....amongst the ruins of a once-great empire....

(Scene shifts to Sun Microsystems and then to the OpenOffice group - vaguely related, sort of)

....and the darkest passions of a genius....

(Switch to any old virus research lab, nobody can tell them apart)

(Switch to a movie certificate for Open Virus, the Movie, rated C++)

Trust

[Carcass666]

Scripting is a very important part of Office productivity suites. This is not going to change. But what does have to change is the notion of "I'll just toss in a macro with my document/spreadsheet". In reality, macros can get so complex, especially with Microsoft Office's ability to set up references to COM libraries, anything but the simplest macros require careful distribution.

Documents and spreadsheets should not have macros. Ever. The Office vendors need to make it a lot easier to create macro files that are distributed differently than document files. If you have to send along macros to recalc/resort a spreadsheet or something, they should go in a different file. When you open the macro file, the Office app should state which macros that are being activated, and give you the option to use them temporarily or permanently, and by default do not allow them access to the file system unless you specify otherwise, etc. Enabling/disabling macros is not enough, there needs to be levels of trust.

Certificates are good things, especially if you are a company that uses macros a lot internally. But for an individual, getting a code signing certificate by a trusted authority is cost prohibitive and difficult. The Office macro engines simply need to do a better job of limiting the exposure to macro vulnerabilities and make it easier for Joe User to distribute macros in a "responsible" manner.

Re:

[inquisitor]

Some of this is done in MS Office 2007 - new-style Office documents with macros embedded are indicated with a .docm, .xlsm, .pptm type extension (as opposed to .docx, .xlsx, .pptx). What's more, Office refuses to open the document if it's renamed to the non-macro containing extension, giving a "file corrupted" error. Even then, Office is set to refuse to run all macros that aren't "trusted" by default, so it gives an information bar saying that macros are disabled and giving you a chance to enable depending

You CAN NOT have a "leaky" sandbox.

[argent]

The kind of "leaky sandbox" that we're seeing here was virtually unknown in the '80s and '90s. If a macro language had any kind of ability to work outside the codument layout itself, it was either restricted to applications where it was a moot point (if the preprocessor for your compiler could run scripts... so what, the code in between the preprocessor directives could do anything) or it was a mistake and the abaility was removed when it was discovered (as in the case of ghostscript).

In 1997 Microsoft introduced Active Desktp, which included a deliberately "leaky" sandbox... controls and scripts that were on pages considered "trusted" could get anything up to full local-user access. In addition, Microsoft responded to Word macro viruses NOT by restricting the scripting language in Word (as expected) but by putting in checks to disable the ability to even examine macros if a document seemed suspicious. And they still haven't learned their lesson.

What's worse, this practise is spreading. While nobody has extended this model nearly as far as Microsoft, Firefox XPI installation involves having a web page request installation of unrestricted macros, and Apple lets you run software installers automatically if the user has left "Open safe files after downloading" enabled.

This kind of thing HAS to stop.

If you design an "inherently safe" scripting language, on ethat does not provide any hooks from *within* the documentto even requests the ability to modify mor ethan the document itself, then any security holes are bugs and can be patched without inconveniencing users. More powerful tools should always be run or installed from outside the document, explicitly under user control, and preferably from a version of the application that doesn't include a mechanism to access remote documents and is not ever invoked from a browser or mail program... or any other application intended to work with untrusted documents.

This design, which used to be taken for granted (the idea of an email worm that could even potentially be run by just viewing an email message used to be a *joke*... everyone *knew* that nobody would be stupid enough to make the Good Times virus real) is not "clumsy" or "inconvenient". It's more convenient than the environment we're in now where applications are perpetually bringing up "Hey! I'm about to do someting stupid! You wanna let me?" dialogs that people reflexively swear at as they approve the stupid action.

We need to turn this around, folks. Bring back the sandbox, don't even include the commands to write files in the sandboxed versions of the macro interpreter, and stop turning the Internet into some kind of bad science fiction movie where the earthlings infect the alien computer from a Powerbook.

Re:

[argent]

"Inherently safe" scripting is the problem though.

It's not really a problem. We know how to design inherently safe languages. We also know how to design interfaces by which users can running scripts in unsafe languages without allowing untrusted objects to run these scripts.

Scripting is only useful because it allows you to automate things that you do repetitively.

That's a little simplified, but basically true, and also irrelevant. First, a lot of repetitive tasks are things like filling out standard forms

virusscanner bloat

[pe1chl]

was emailed directly to Sophos from the virus developers ... who dutyfully included it in their signature database, so it will be looked for in millions of computers even though it is not in the wild.

meanwhile, our computers get slower and slower. virusscanners eat up lots of resources and become ever slower. I recently noticed clamav takes 13 seconds to scan an infected .scr file of 16kb before deciding that it is safe (because it not yet had the signature).

wouldn't it be time that antivirus companies slim down the signature lists a bit. of course it is cute to boast a "number of signatures" above 100.000, but who is really getting benefit from the scanning of all those hypothetical viruses?

Well, they wanted Word functionality

[bl8n8r]

I guess you got it.

Signed scripts?

[xtracto]

using restricted-mode execution by default and access by signed digital certificates.

Yeah, similarly on how signed extensions would make firefox safer??

I have yet to se 1 (ONE) signed firefox extension...

Distributed Trusted Repository

[Doc Ruby]

The way to be safe(r) from scripts is to require OO.o to check the signature of any script against the sigs of all scripts in a distributed repository. All the scripts' sources are open. People can test them out, and report them to the repo's (distributed) security team. If OO.o doesn't find the sig of a script in the repo, OO.o can submit the script to the repo and warn the user their script is untested before executing it.

This kind of architecture is one way that Debian (and derivatives) is protected by A

Re:

[cyfer2000]

If "it is TECHNICALLY IMPOSSIBLE for a Mac, or Linux machine to malfunction in any way, from any cause", then what's wrong with your keyboard?

Re:

[The Master Control P]

It's not that... PEBKAC.

Re:

[Macthorpe]

I think it's satire.

I hope it's satire.

Is that in octadecimal?

[SEMW]

Microsoft says open source violates 235^H6 patents

"235^H6 patents"? Assuming that's in octadecimal, I make that approximately equal to... [does some quick back-of-the-envelope calculations]... 1.979*10^22830 patents.

Damn, that's a lot of patents.