Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Exploitable Buffer Overflow in OpenOffice.org

timothy posted more than 9 years ago | from the doc-should-lose-its-license dept.

Security 64

Memorize writes "It turns out that OpenOffice.org can't read MS Office documents safely, either. A buffer overflow in OpenOffice.org has been confirmed and would allow an attacker to write a specially-constructed .doc file that will take control over an OpenOffice.org user's machine. This vulnerability is exploitable and it exists on every computer with OpenOffice 1.14 or 2.0b installed. OpenOffice.org will have a fix ready within days, but how quickly will Linux users patch? This paves the way for Linux users to be vulnerable to a virus that spreads by sending itself as email attachments which unsuspecting users then open. Could the first real Linux virus be drawing near?" Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application."

cancel ×

64 comments

Sorry! There are no comments related to the filter you selected.

Frist? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12236700)

Frist!

Virus? (1)

ivan256 (17499) | more than 9 years ago | (#12236728)

Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application.

While running openoffice as root...

Not to mention that you don't need openoffice for this at all. If you can convince somebody to open a rogue document, you probably can convince them to run some application or script. Either way... Not root? Not a problem.

Re:Virus? (1)

HawkingMattress (588824) | more than 9 years ago | (#12236847)

Either way... Not root? Not a problem

If you don't value your personnal data, maybe... In a personnal system, the only really important thing for 99% of users is there home directory. (yes i pulled that number from my ass but you get the point ;)

Re:Virus? (1)

Discoflamingo13 (90009) | more than 9 years ago | (#12238600)

yes i pulled that number from my ass

I wouldn't worry about flouting numerical integrity - you're well within tolerance for the 78.26% of statistics that are made up on the spot.

Re:Virus? (3, Insightful)

RdsArts (667685) | more than 9 years ago | (#12236850)

Why would you need to be root to execute code?

Ya, and if I can convince anyone to open a HTML file or look at a JPeG, the silly fool deserves what they get, right? It's a fucking DOC file. If you can get malicious code run from opening a non-executable file it is a big fucking problem.

Re:Virus? (1)

fade-in (839519) | more than 9 years ago | (#12240670)

Hmm... an unsolicited e-mail from a complete stranger containing an attatchment about making my penis larger?

If they know that much about my penis, then surely they know what's good for my computer, too.

Sounds safe to me!

Re:Virus? (1)

10101001 10101001 (732688) | more than 9 years ago | (#12241653)

Ya, and if I can convince anyone to open a HTML file or look at a JPeG, the silly fool deserves what they get, right? It's a fucking DOC file. If you can get malicious code run from opening a non-executable file it is a big fucking problem.

I agree and I disagree. One, HTML files can contain javascript. By design such are on web pages and should be immune from malicious actions as the opener is most often not the original person. Two, JPG files are images. They do not contain any scripting/macro language, and should not be able to commit malicious action being inert data. Three, doc files contain macros, and until doc files were being distributed everywhere, macros were chiefly used within an organization, paramount to "the original person" being the only one to see.

So, I'd say that doc files were a different category of file than the other two you mention. While most certainly there should have been various security considerations made for doc files, there originally was never any need since doc files were never designed to be given out to people (ironic considering how much Word was pushed for interoperability between businesses). With all the macro viruses that sprung up from this fact, doc files should have been dropped as a "safe" type, and a new format should have been created to be HTML like in its "view everywhere safely" requirement. Assuming any doc file is safe was, and still is, naive.

Having said all that, a buffer overflow is a very bad exploit and should be fixed. But seeing that one realizes that doc files are unsafe, one shouldn't actually open doc files they don't trust. So, that should mitigate the risk.

Re:Virus? (2, Insightful)

Nos. (179609) | more than 9 years ago | (#12236854)

Its not hard to convince someone to open the document... .doc fly around in emails all the time, and often turn up in search results on google. It would be no harder to get them to open a rogue .doc then it would be to get them to open a .pdf

Re:Virus? (5, Insightful)

ChiralSoftware (743411) | more than 9 years ago | (#12236906)

That is not an accurate assessment. You don't need to be running OOo as root to get hit. Malware can do plenty of damage without needing root privileges. The biggest piece of damage such a virus could do is... look in the user's mailbox and send itself on to all the email addresses it finds, which just happens to be exactly what all these Outlook viruses do.

The fact that Linux separates users from root won't prevent this hypothetical virus from acting just like a lot of Outlook viruses.

Also, getting someone to open a script is quite different from getting someone to open an OOo document. Most mail readers will present one or more dialog boxes asking "are you sure you want to do this" before they run a script or application, and they will probably have you choose an application to use to open it, whereas most are configured to open up .doc documents without asking anything. It all comes down to MIME types. There is a MIME type that lets Kmail (etc) easily open MS Word documents but there is no MIME type that associates a shell script with the application "/bin/sh", for example. I'm sure some thought was given to security when putting together the MIME types, and no one assumed that OOo would be exploitable like this.

As a side note, this really shows the value of XML-based document formats vs. weird proprietary binary formats (ie, MS Word). You can't exploit software that's based on XML because all such software uses off-the-shelf, open source XML parsers which have been so thoroughly tested, debugged, scrutinized and hammered on that the chances of an overflow are very very low. Also the format is saner and it's easier for a human to write code to parse it.

Re:Virus? (1)

Curtman (556920) | more than 9 years ago | (#12237185)

The biggest piece of damage such a virus could do is... look in the user's mailbox and send itself on to all the email addresses it finds

I could think of worse things.. Like harvesting my IM passwords, which Gaim stores unencrypted because I'm lazy and checked 'save password'. Or sending itself to everyone on my buddy list. Or installing malicious plugins/extensions into my Firefox profile. Or proxying traffic for botnets or DDoS attacks. Or just sitting there silently waiting for me to type my root password, and send it back home.

Re:Virus? (1)

Cecil (37810) | more than 9 years ago | (#12237544)

There is a MIME type that lets Kmail (etc) easily open MS Word documents but there is no MIME type that associates a shell script with the application "/bin/sh", for example. I'm sure some thought was given to security when putting together the MIME types, and no one assumed that OOo would be exploitable like this.

Besides application/x-sh [www.ltsw.se] you mean. I'm fairly certain 'security' wasn't a concern when developing MIME types. They're simply types that roughly describe a chunk of data. They're not the attachment-opening police. That's (rightly) left to the mail reader.

Re:Virus? (1)

SA Stevens (862201) | more than 9 years ago | (#12240085)

Malware can do plenty of damage without needing root privileges.

It could even be posited that Malware can do MORE damage without root privledges. Malware that does big nasty drastic things to the host system is self-extinguishing. The nastier Malware is the kind that is more incidious and less easily detected.

And, as people have said here repeatedly, it's what is in the user's home directory, i.e. the stuff s/he DOES have write access to, that is usually the most valuable data on the kind of system a 'regular user' sits at and uses.

Re:Virus? (5, Insightful)

bushidocoder (550265) | more than 9 years ago | (#12236970)

Either way... Not root? Not a problem.

I get really sick of this kind of thinking. Whether I run as root or not, an exploit in a desktop application can affect anything in my user's space - it can delete all my files (or worse, slightly modify them all so I won't notice for a while). It can read and sniff all my email. It can install and run sniffer applications, so long as they run in my context. Given that most people do 99% of their work in their user context, it has the capacity to affect 99% of their work.

Personally, between having my box turned into a zombie machine spamming the rest of the free world, and having someone intelligently attack my mailbox and web history and potentially discovering one or more of my accounts someplace, I'd take the zombie machine - that's alot easier to fix than someone cracking open my bank account.

That's not to say that running as root is a good idea - its horrible. You can screw around with someone alot more with admin privledges on a box than you can without. All of the attacks capable running as a lesser user are still available (and easier most of the time) running as root plus a couple thousand more, and its much harder for normal users to determine that they have been penetrated when the attack is at an admin level. But an exploit at ANY level is dangerous, and pretending that's not the case is not helpful.

Re:Virus? (1)

bluGill (862) | more than 9 years ago | (#12238659)

Obviously you are not running a machine with 100s of users. If you were you would know the difference, a single user that is exploited costs much less than a root exploit. The root exploit costs everyone, which can amount to millions of dollars in downtime. The local exploit costs one person, less time because you just restore from backups. (You do have backups, right?)

Yes a local non-root exploit is bad. However it is nowhere near as serious as a root exploit.

Re:Virus? (1)

SA Stevens (862201) | more than 9 years ago | (#12240102)

Obviously you are not running a machine with 100s of users.

I doubt if many machines that are being used as big timesharing systems also run OpenOffice.

Really, I doubt it very much.

Re:Virus? (1)

mikefe (98074) | more than 9 years ago | (#12242094)

Have you heard of LTSP [ltsp.org] ?

Or how about Windows 2000 Terminal Services? [microsoft.com]

Or maybe Citrix? [citrix.com]

Re:Virus? (1)

SA Stevens (862201) | more than 9 years ago | (#12251630)

Well, I've seen people in cubicles have Citrix forced on them.

Re:Virus? (1)

ArbitraryConstant (763964) | more than 9 years ago | (#12261280)

In the case of the systems running OpenOffice, I think it's a fair bet that most of them are single user systems running Windows or Linux, in which case a non-root exploit is most certainly a problem. Even on Linux, if the non-root user is in charge of the box, the attacker can probably get root pretty easily.

Actually (1)

phorm (591458) | more than 9 years ago | (#12249818)

My friends have this odd tendancy to send cute little powerpoint presentations to me. Some of them are rather neat (like one showing the stages in creation of an airport raised from the ocean). I tend to use OO to open them because it won't execute some of the nasty macroviruses etc that MS Office might... but it appears one still has to be wary.

Re:Virus? (1)

ArbitraryConstant (763964) | more than 9 years ago | (#12261255)

"While running openoffice as root..."

Yes. Because they can't do any damage running as a normal user.

Except for running spyware and deleting all your files.

"Take over the machine"? (2, Insightful)

aurum42 (712010) | more than 9 years ago | (#12236732)

Is OO running setuid root for some reason?

Re:"Take over the machine"? (0)

Anonymous Coward | more than 9 years ago | (#12236838)

Meh - they'll just exploit this week's kernel priviledge escalation vulnerability.

Re:"Take over the machine"? (1)

Jason Pollock (45537) | more than 9 years ago | (#12237695)

The virus could do just as much damage running as the regular user. It could become a spam zombie, ddos zombie, anything. You don't need to be root to run a server that binds to a port! You only need to be root to run one that binds to a port under the 1k boundary.

So, they could:
1) Set up a file sharing hub
2) Setup a spam zombie
3) Setup a ddos zombie
4) Spread the virus further (using your address book)
5) Phone home for an escalation exploit.

The only thing they can't really do without root access is modify the kernel to go completely stealth.

Once you've run some malicious code, the system is toast, you can't trust it anymore.

Jason

Re:"Take over the machine"? (0)

Anonymous Coward | more than 9 years ago | (#12237800)

No, the writeup is totally fucking clueless. Go read the OO mailing list if you are actually curious about this.

No real security advisor? (1)

PinkX (607183) | more than 9 years ago | (#12236760)

WTF, an eweek article for non-technical people, no real security advisor about the flaw? Is the malign injectable code plataform-specific? Does it uses the OOo macro languaje (I doubt it since it needs a .doc format, but who knows), or calls 'real' functions from the host plataform?

Re:No real security advisor? (1, Funny)

Anonymous Coward | more than 9 years ago | (#12237053)

If it attacks the spellchecker, you're safe. :)

And opening a malicious document is different how? (5, Insightful)

mokiejovis (540519) | more than 9 years ago | (#12236770)

Regardless of whether or not users would have to open a malicious document with an unpatched application, I think the story poster is reasonable when positing the opinion that Linux viruses may be on their way. Daily, Microsoft users open malicious documents in their email with unpatched applications.

Certainly, not all Linux users are power users, and even then they may or may not be aware of whether or not their application needs to be patched, or could be duped into opening an email.

Re:And opening a malicious document is different h (1)

Otter (3800) | more than 9 years ago | (#12236954)

Regardless of whether or not users would have to open a malicious document with an unpatched application...

For that matter, isn't that the very definition of a virus, as opposed to a worm?

Re:And opening a malicious document is different h (1)

SA Stevens (862201) | more than 9 years ago | (#12240118)

Actually, a virus is a bit of executable stub code that spreads by attaching itself to other executables.

Malware which erupts when the user 'opens a malicious document' is a trojan.

Re:And opening a malicious document is different h (1)

ssj_195 (827847) | more than 9 years ago | (#12237031)

Every time we see an article about some brand-new vulnerability in some open-source apps, we always hear the same chorus of "open-source is only more secure because it's less popular! Once it's as popular as Windows, you'll be in the same spyware-ridden mess!" and then we always hear the counter-chorus of "no, open-source software is designed from the ground up to be more secure, it'll never happen!". I've always agreed with the latter, but lately I've had second thoughts.

For example, there was a priviledge escalation vulnerability in pretty much all kernel versions around Christmas time. I was running Mandrake at the time, and counted how long it would take to get a fix. I think it finally appeared in the automated update section a month later in the form of a package of kernel source code - no installer, nothing. I tried compiling and installing it, but it failed to boot so catastrophically that I just gave up and switched distros (I'd been planning to ditch Mandrake for a while now). The point is, even with Windows with its "Click-Click and you're done!" security updates, few people bother to update. How are they going to respond when they have to re-compile their fucking kernel (presumably tracking down and copying across their old kernel first)? Answer: they're not, and so any exploit like the one in TFA will leave you rooted.

One area where Linux is perhaps a little more safe stems from the marked heterogenity of Linux environments - people are always whinging about how hard it is to install legitimate software (I've never really had a problem myself, for the record, and consider the LinuxWay superior to that of Windows, assuming a nice, up-to-date and complete repository) but the fact is that a keylogger can run with very few dependencies, and even then any libraries it needs can be compiled in, so we can scratch this one, too.

For all the accusations of FUD this article will receive, I can't help but worry about the future of Firefox & Linux et al. What would be nice is if people used "safer" languages like Python etc - heck, even using C++ with a template library that bounds-checked every access would be an improvement, and easily worth the minor performance hit. Thoughts?

Secure by design is never guaranteed. (1)

jbn-o (555068) | more than 9 years ago | (#12238536)

If "design[ing] from the ground up to be more secure" is actually a point of the open source movement it is a mistake. After a certain amount of complexity, people are sure to inadvertantly write buggy programs. There's nothing wrong with trying to design secure programs from the start, but inevitably bugs will be found. Therefore to promise secure design from the start is a lie.

The free software movement, by contrast, avoids that lie because it offers a different message. The free software movement's message says that free software is inherently better because people have the freedom to share and modify free programs. Thus when bugs are discovered they can be fixed and the fixed version can be shared with the community. Nowhere does the free software message hinge on secure design from the start, however secure-by-design may be another side effect of the freedoms of free software. It makes far more sense to admit that humans are fallible, regardless of intention, and will design insecure software as a result.

For more on the differences between the movements, please read the FSF's essay [gnu.org] .

Re:And opening a malicious document is different h (1)

FidelCatsro (861135) | more than 9 years ago | (#12237067)


A possible software exploit that could possibly be exploited on a linux system (or windows ..)gets discoverd and it gets major air time and citizens running screaming in the streets...

If someone finds a virus/worm/trojan on the windows platform that has definantly comprimised thousands of systems and all you get is a little alert to say please update your virus definitions

This Should say more about linuxs reputation and record for security for security than anything.This will already be patched i imagine (must check that and apt-get an update) and there are no known exploit sofar as linux virii being around the corner . they are already here but if we keep our systems up to date (most linux distros aimed at non power user will have an auto update feature (most aimed at power users do now too)) and the kernel carrys on getting updated and patched and secured we have nothing to worry about.

The people who do have to worry are the makers of distros for new non tech users who do not have the best record for out of the box security

Re:And opening a malicious document is different h (0)

Anonymous Coward | more than 9 years ago | (#12237115)

WTF? What, we should not open any documents at all now?

I mean, you don't expect what is essentially a text document to crack your machine. Imagine if someone could send you a PDF that did the same thing. Are we then not suppose to open any PDF documents any more?!

Re:And opening a malicious document is different h (1)

mokiejovis (540519) | more than 9 years ago | (#12237230)

Correct, I think you and I are making the same point. You don't expect "what is essentially a text document" to make your machine compromised in any way. Unfortunately, the sad truth is that those documents can, and in my opinion, will, someday.

Unfortunately, it is sometimes difficult to ascertain whether or not a document is legit or a forgery. Granted, for many readers that is a rare case, but others may view their mail in a much more haphazard fashion.

As more and more people start using Linux, more and more people are going to be running the risk of a malicious file executing code because they program or document doesn't do what they expect it to do. And as a poster before put it, that is exactly the definition of a virus.

FUD (1)

TRIEventHorizon (744457) | more than 9 years ago | (#12236777)

Could the first real Linux virus be drawing near?

more linux FUD

Well, this proves it! (4, Funny)

El (94934) | more than 9 years ago | (#12236782)

The OpenOffice developers MUST be copying Microsoft code!

Re:Well, this proves it! (1)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12236875)

Linus is going to be so mad...

In any case, I think rather than proving the incapabilities of OpenOffice.org developers, it shows how far along their reverse engineering skills have come.

NO linux suser... (1)

bird603568 (808629) | more than 9 years ago | (#12236836)

would be dumb enough to open up a .doc file that they didn't expect or didn't know who it came from. Expecially after this.

A security hole by any other name... (4, Insightful)

r_naked (150044) | more than 9 years ago | (#12236843)

Could the first real Linux virus be drawing near?" Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application." Hmmm, so, Linux is secure because its users are more intelligent than windows users? Or is it that Linux is such a pain in the ass to use as a desktop OS that you have no choice but to have a PHD in CS to use it and therefore would know not to open an unknown atachment. I just love the double standards. PS - I know quite a few people that use Linux as a desktop OS that would blindly open an attachment.

Re:A security hole by any other name... (5, Interesting)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12236946)

Perhaps, more interestingly, Linux users would be more willing to open malicious documents convinced that viruses and worms are the sole domain of Windows.

I would guess that generally speaking though, Linux users are a tad more tech-savvy than the Windows users, at least at this point. Not because of any bias, but simply because the majority of Linux users currently are the tech-oriented, as they are always amongst the first adopters of new technology.

Re:A security hole by any other name... (1)

bluGill (862) | more than 9 years ago | (#12238636)

Maybe. However most linux mailers default to not running programs (javascript in HTML, or just binaries) received via email. Most linux users are not running as root, which limits a virus somewhat. (particularly on a multi-user system)

Most Microsoft Windows users have a mailer that runs programs by default. (though I understand this has gotten a lot better in the last few years) Most Microsoft Windows users are running as administrator, so anything that breaks in gets full power over the system without extra effort.

There is a difference between a local exploit and a local root exploit. Most people running Microsoft Windows don't know this though because there is no difference when you are administrator. If root/administrator rights were not used in the exploit, you just restore the one user from backup and you are back to where you started. If there was a root exploit you need to rebuild the system, which on a multiuser system affects everyone.

Re:A security hole by any other name... (1)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#12238726)

This is true. However, as more people use Linux, or any Unix variant, we'll see more people running as root by default.

I've seen seasoned Mac users who hate typing passwords for messing with protected files and folders, effectively putting them in the same class as Windows users who run as Administrator. Although they understand the security implications of this, they just wish it wasn't so annoying.

Even though Linux applications generally tend to stay simple, and thus don't add features like running Javascript in emails or executing binaries, this just reduces the chance that an exploit could occur. Linux users must nevertheless be vigilant in ensuring the security of their boxes, just as Windows users must.

Re:A security hole by any other name... (1)

TeknoHog (164938) | more than 9 years ago | (#12237883)

Hmmm, so, Linux is secure because its users are more intelligent than windows users? Or is it that Linux is such a pain in the ass to use as a desktop OS that you have no choice but to have a PHD in CS to use it and therefore would know not to open an unknown atachment. I just love the double standards.

But you don't need a PhD to understand the virus problem. A little common sense can tell you not to open every attachment you get.

It's a lot like practicing safe sex: You don't need a PhD in virology to appreciate the dangers, and to be able to use a condom. I'm speaking from a theoretical point of view, of course ;)

Re:A security hole by any other name... (1)

atomic-penguin (100835) | more than 9 years ago | (#12237997)

Could the first real Linux virus be drawing near?

Really viruses are beside the point have little to do with buffer overflows which are common vulnerabilities in regards to software development no matter what platform you are using.


Hmmm, so, Linux is secure because its users are more intelligent than windows users?...


No, the person who posted the article is missing the point. The security of Linux against viruses lies in user/group/ACLs applied to the filesystem to keep malicious programs from spreading system wide. Not to say that someone could run OpenOffice.org as a privileged (root) user (Hey it might happen). The article mentions nothing about running privileged code. The bug report says that a possible buffer overflow MIGHT execute arbritary code. Don't get too bent out of shape this is a low risk bug and shows no indication of virus outbreak on Linux systems.

If only OO was completely written in JAVA (1)

kk49 (829669) | more than 9 years ago | (#12236973)

Then there would never be buffer overflow exploits.

See http://developers.slashdot.org/article.pl?sid=05/0 3/28/2218246 [slashdot.org]

That's right (0)

Anonymous Coward | more than 9 years ago | (#12237144)

There are no buffer exploits in Java apps because there are no buffers. At the worst an attacker could get the Java app to do something stupid but he can't trick it into executing code. Why we still write applications in non-safe languages like C and C++ mystifies me. Don't say, "because Java is slow" or "Swing sucks". Anyone who has experience with Netbeans will know that Java can be fast and you can do some amazing things in pure Swing.

Re:If only OO was completely written in JAVA (0)

Anonymous Coward | more than 9 years ago | (#12237834)

This wasn't a buffer overflow exploit you ninny.

Re:If only OO was completely written in JAVA (1)

kk49 (829669) | more than 9 years ago | (#12237980)

Are you a troll?
The title of this slashdot story is "Exploitable Buffer Overflow in OpenOffice.org". Of course I didn't read the article because this shit is boring.

This will be fixed before 2.0 official. (1)

Thag (8436) | more than 9 years ago | (#12236985)

I think concerns about the vulnerability from this are overstated. Especially since 2.0 is in beta, so the official version will contain the fix.

In which case, this is really a reason why there will be at least one less vulnerability.

Vulnerability? (1)

CDarklock (869868) | more than 9 years ago | (#12237727)

I don't particularly have any concerns about vulnerability. In my experience, OpenOffice freezes the X session so frequently, you're not going to open any document you don't absolutely HAVE to open.

My concern is primarily that so many Linux users have had a false sense of security instilled by the repetition of "Linux isn't vulnerable to virus infection". This makes them *more* vulnerable when a vulnerability pops up, and there's no way to be sure how MUCH more vulnerable. The human element is always the weakest link.

Re:Vulnerability? (1)

Thag (8436) | more than 9 years ago | (#12239318)

True, but the flip side is, many of us update our software much more frequently, and thus acquire protection.

You're right about the human element, though.

apt-get update ; apt-get upgrade (0)

Bob_Robertson (454888) | more than 9 years ago | (#12237000)

So, what's the problem? Just don't open any .doc files as root for a few days.

Already fixed in openoffice-ximian for Gentoo (2, Interesting)

Dammital (220641) | more than 9 years ago | (#12237086)

The fix for Gentoo bug #88863 [gentoo.org] was marked stable for x86 yesterday. Sometimes there's some value in compiling your own.

Yeah, I'm a fanboy.

Re:Already fixed in openoffice-ximian for Gentoo (2, Interesting)

Curtman (556920) | more than 9 years ago | (#12237435)

Sometimes there's some value in compiling your own.

... And sometimes there's no need. The openoffice-bin-1.1.4-r1 ebuild contains the fix as well, and won't take 6 hours to compile.

Yeah, I'm a fanboy too. :)

Redundent... (1)

Saeed al-Sahaf (665390) | more than 9 years ago | (#12237157)

And this just begs the question: What are these people doing, where such that they could allow such a blunder? Isn't this the kind of mistakes that coked-up... Oh. Wait. This is NOT a Microsoft product? Oh. SORRY!

oh noes! (1)

Karma Farmer (595141) | more than 9 years ago | (#12237207)

All six people running OO sure are going to be in trouble!

Here is the patch (2, Informative)

dolmen.fr (583400) | more than 9 years ago | (#12237236)

Re:Here is the patch (1)

Curtman (556920) | more than 9 years ago | (#12237531)

In hex, my user id is a palindrome

We should start The Cult of the Palindromic Slashbots or something.

I'm 87F78, pleased to meet you 8E6E8. You can just call me 10000111111101111000 for short.

How long? (2, Funny)

terriblecertainty (243713) | more than 9 years ago | (#12238346)

OpenOffice.org will have a fix ready within days, but how quickly will Linux users patch?

However long it takes emerge to finish. Duh.

Yay for binary formats! (1)

BillyBlaze (746775) | more than 9 years ago | (#12238506)

Yay for binary formats, they're so easy to perfectly parse. Oh wait...

No (1)

brunes69 (86786) | more than 9 years ago | (#12240161)

This paves the way for Linux users to be vulnerable to a virus that spreads by sending itself as email attachments which unsuspecting users then open. Could the first real Linux virus be drawing near?

No. Not unless you are for some ungodly reason running your OpenOffice as root and reading your email with it. The virus could not replicate to the operating system, so it's impact is minimal . Yes, it *could* delete the contents of your ~/. But you have that backed up, right? Right.

viruses and root (1)

dtfinch (661405) | more than 9 years ago | (#12240212)

A lot of people have been arguing that Linux is safe from viruses because users don't run as root unless they need to.

A virus, worm, or trojan would not need to run as root to be effective. You don't need root to save programs to my home directory and execute them, or to send email. You don't need root to read almost every file in the file system (on most default setups). You don't need root to listen on high ports.

The real reasons why Linux has fewer viruses:

Executable flag:
If a file is saved to the disk, and the user somehow attempts to execute it, it'll fail to run unless the program that saved it explicitly marked it as executable. Most email viruses depend on Windows' lack of this feature.

Containment:
Running as a limited user makes it a lot easier to contain and clean malware. Damage is mostly restricted to the user's home directory. Installed programs are generally unaffected. They can't install browser spyware. A malware infection won't get so bad that you have to reinstall the operating system.

User demographic:
Most Linux users know better than to get infected by a virus, on any operating system. My Windows PC's have always been virus-free. Plus, most Linux users prefer open source, making it very hard to bundle spyware and adware.

Learning curve:
On the other end of the spectrum, grandma will have a steep learning curve to figure out how to infect her Linux system with a virus if she ever gets one. Someone who has figured out the simple task of logging in as root, marking a file as executable, and running the file probably knows how to avoid malware, which is handy because such knowledge is likely to be a prerequisite to installing said malware. The easiest way to install software on Linux is from a trusted repository.

Malware writers:
Taking into account all of the above, and the market share of Linux among computer illiterates, Linux is not the best target for malware. If they had to choose between 2% of Windows users, or 0.01% of 1/10th as many Linux users, they'd choose to target Windows users.

Exploits are published every week, and occasionally a Linux virus is written and released, but very few Linux users in the world have ever seen a Linux virus, or know someone who has. Who wants to write a virus that'll infect just a few hundred systems at most, or market adware and spyware installing software to a demographic that prefers open source?

There already is a LinSux virus (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12240956)

It's called zealotism. LinSux is a steaming pile of some of the shittiest code ever written, and it's only used by faggots and zealots with a sweaty, precarious grip on reality.

Simpson quote (1)

Math, The Ancient (209737) | more than 9 years ago | (#12241263)

Ha-ha-a!
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?