First OpenOffice Virus, Not In the Wild

kdawson posted more than 6 years ago | from the raucous-laughter-in-Redmond dept.

Security 169

NZheretic writes "According to APCmag, the first cross-platform OpenOffice.org virus — 'SB/Badbunny-A' — was emailed directly to Sophos from the virus developers. The proof-of-concept virus affects Windows, Mac OS X, and Linux systems and uses different methods on each. It has not yet been seen in the wild. Despite Sun's OpenOffice.org developer Malte Timmermann's claims to the contrary, this kind of embedded scripting attack represents a real threat to OpenOffice.org users. Back in June 2000 when Sun first announced the open sourcing of OpenOffice.org, the twelfth email to the open discussion list put forward a two-part solution for providing OpenOffice users with Safe(r) Scripting using restricted-mode execution by default and access by signed digital certificates. In October 2000 the issue of treating security as an 'add-on' feature rather than as a 'system property' was again raised. Is it time to now introduce such measures to the OpenOffice.org Core to greatly reduce any future risk from scripted infections?"

169 comments

The real solution (4, Insightful)

Rix (54095) | more than 6 years ago | (#19224315)

Is to stop enabling scripting by default in software that has no real need of scripting. Hasn't even Microsoft learnt this by now?

Re:The real solution (4, Informative)

saibot834 (1061528) | more than 6 years ago | (#19224427)

The real solution is to be careful wherever you can. Don't open email attachments of an unknown sender. Don't visit untrustworthy websites. Caution is still the best weapon against viruses.

Re:The real solution (4, Insightful)

needacoolnickname (716083) | more than 6 years ago | (#19224523)

What is an untrustworthy website?

Re:The real solution (4, Funny)

u-bend (1095729) | more than 6 years ago | (#19224613)

I dunno, doesn't call after the first date, doesn't stick up for you in a debate, cheats on you, and lies about it.

Re:The real solution - Replying to myself (1)

needacoolnickname (716083) | more than 6 years ago | (#19224625)

I should have put a bit more thought into that.

I read this all the time. Don't go to untrustworthy websites.

What should one do? Should they run a whois on every site before going to it? Should they then run a background check on the site owner and the technical contact, if it's not bogus or private? What if it is? Then what does a person do?

People who go to warez sites or any movie/music download site they can find off a search engine deserve what befalls their computer - because one has to take risk for a reward. If they don't want to pay for something that is for sale or go through the effort to find it a wee bit less conspicuously then their computer be damned.

Past those people though, what info would you give grandma about going to a trustworthy web site when what she really wants is some nice wallpaper and screensavers?

In Russia ... (0)

Anonymous Coward | more than 6 years ago | (#19226041)

Pure ASCII text doesn't infect me!!!
It's impossible to infect me!!!

I'm writing and reading ...

ASCII text: YES.
M$ doc: NO, THANKS!.
Sun OO odf: NO, THANKS!.
HTML with/without JavaScript: NO, THANKS!.

Re:The real solution (2, Funny)

Anonymous Coward | more than 6 years ago | (#19224931)

An untrustworthy website is a website that
- has content linked in (THAT would open a whole can of trust-this-trust-that now would it!)
- has bugs in web, app or db server.
- accepts malicious content including links to content
- you don't know if you can trust everyone with or who could get admin access to that server.

More or less. But it can't be that hard now can it, because I've heard of people making these decisions in realtime, while they surf.

Re:The real solution (4, Funny)

morgan_greywolf (835522) | more than 6 years ago | (#19225149)

An untrustworthy website is a website that
- has content linked in (THAT would open a whole can of trust-this-trust-that now would it!)
- has bugs in web, app or db server.
- accepts malicious content including links to content
- you don't know if you can trust everyone with or who could get admin access to that server.


Hmmm...this sounds familiar.

I think you just described Slashdot.

-- a really old /. user who remembers ALL the bugs in slash and MySQL that plagued this site.

Re:The real solution (3, Insightful)

fluffman86 (1006119) | more than 6 years ago | (#19225697)

I really like McAfee SiteAdvisor [download.com] to help me decide. It's available as a Firefox extension and turns green if a site is not known to have any bad downloads or send unwanted emails. It's gray if unknown, and red if a site has malicious downloads or sends out a lot of emails. It's by no means an excuse for not using your brain FIRST, but it helps sometimes.

Re:The real solution (2, Insightful)

LiquidCoooled (634315) | more than 6 years ago | (#19224849)

Don't open email attachments of an unknown sender

Many people get viruses (appearing to come) from well known trusted sources, so this advice is wrong.

The correct thing to say is:

Don't open unsolicited attachments or files, ever.

If in doubt, speak to the sender and confirm its validity.

Re:The real solution (1)

edizzles (1029108) | more than 6 years ago | (#19224433)

Even though it's a proof of concept, it's still banking on some idiot DL'ing and running it in OO. As with a lot of today's big worms, the best defense is the mouse and keyboard and the mind of the end user. And yes, I agree ActiveX as a concept has all but failed.

Re:The real solution (1)

Red Flayer (890720) | more than 6 years ago | (#19224847)

As with a lot of today's big worms, the best defense is the mouse and keyboard and the mind of the end user.
I'd contend that those are more often the worst defense. :)

Re:The real solution (0)

Anonymous Coward | more than 6 years ago | (#19226353)

"the best defense is the mouse and keyboard and the mind of the end user."

Of course you can't count on that, so it's time to try a different approach.

So, summarizing the article:

"Is it time to now introduce such measures to the OpenOffice.org Core to greatly reduce any future risk from scripted infections?"

Surely yes.

"Will it be done?"

Probably not.

"Will we see an explosion of OOo focused worms?"

Probably yes.

The real problem (5, Funny)

Anonymous Coward | more than 6 years ago | (#19224455)

Scripting itself is a virus that spreads through programmers: once a programmer has seen scripting somewhere it doesn't belong, he feels a sudden urge to add scripting to the project he's working on.

Re:The real solution (2, Interesting)

Normal Dan (1053064) | more than 6 years ago | (#19224477)

The trouble with this solution is customers want things to just work. They do not want to have to mess with security settings. If all scripting is disabled, people will get frustrated and blame the program instead of the file, then use a different program.

I have seen this happen with web pages and FireFox. People complain that FireFox does not work with several web pages, when in reality, those web pages (which are tailored for IE) do not work with FireFox.

etc.

Re:The real solution (4, Insightful)

truthsearch (249536) | more than 6 years ago | (#19224501)

Ever work in a financial company? Some live almost entirely off of their scripted Excel spreadsheets. There is a lot of value in allowing spreadsheets to support scripting. But it's the abilities of those scripting languages that's a real problem. Just like JavaScript needs to be limited in scope within a web browser, so too should the spreadsheet scripts. Unfortunately these office suite scripts are often used for things like disk access to import data.

Most people don't work in financial companies (2, Insightful)

Rix (54095) | more than 6 years ago | (#19224749)

Those that do can enable scripting. There's no reason to expose the vast majority who will never, ever, use that functionality to the risk. Which is why I said "disable by default" and not "rip it out and burn it".

You are correct that vulnerable functionality should be in a protected wrapper. However, this will simply reduce, not eliminate shenanigans. Clever monkeys will still find a way.

Re:The real solution (2, Insightful)

radarsat1 (786772) | more than 6 years ago | (#19224753)

Unfortunately these office suite scripts are often used for things like disk access to import data.


And that, of course, is almost directly related to the fact that the MS file formats are closed. With an open format like ODF, scripts for importing data aren't critical, since it's quite easy instead for a program to export it in the proper format, or to write an external script or program to transform data into ODF format. After all, it's XML.

Unfortunately MS has trained industry to rely on scripting to do basic things that should be done in other ways, just for the sake of not having to divulge file format details.

But in any case, I agree with the opinion expressed elsewhere in the comments that scripting isn't inherently bad, but it should be limited in ability by default. If a company needs unprotected scripting so badly, I don't see why their IT department can't just deploy it with the correct defaults.
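Because an ODF file is a zip archive of XML parts, embedded macros can be found by a mail gateway or a deployment wrapper before the document ever reaches the office suite. The following Python is an added example, not part of the original thread or of OpenOffice.org; the function names, the verdict labels and the sample document are constructed for illustration, and matching on package paths and event listeners is a heuristic rather than proof that a file is safe.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"

# Package directories where OpenOffice.org keeps document-embedded code:
# Basic/ holds StarBasic libraries, Scripts/ holds Python/JavaScript/BeanShell.
MACRO_DIRS = ("Basic/", "Scripts/")
MAX_PART_BYTES = 20 * 1024 * 1024  # refuse oversized XML parts (zip-bomb guard)


def _parse_part(zf, name):
    """Parse one XML part, refusing inputs that could abuse the parser."""
    if zf.getinfo(name).file_size > MAX_PART_BYTES:
        raise ValueError(f"{name}: declared size exceeds limit")
    raw = zf.read(name)
    if b"<!ENTITY" in raw:  # ODF content needs no entity declarations
        raise ValueError(f"{name}: entity declarations not allowed")
    return ET.fromstring(raw)


def scan_odf(data):
    """Return embedded code parts and event bindings found in an ODF package."""
    findings = {"macro_parts": [], "event_bindings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["macro_parts"] = sorted(
            n for n in names if n.startswith(MACRO_DIRS) and not n.endswith("/")
        )
        for part in ("content.xml", "styles.xml"):
            if part not in names:
                continue
            root = _parse_part(zf, part)
            # script:event-listener binds a document event (e.g. load) to a script URI.
            for el in root.iter(f"{{{SCRIPT_NS}}}event-listener"):
                findings["event_bindings"].append({
                    "part": part,
                    "event": el.get(f"{{{SCRIPT_NS}}}event-name"),
                    "target": el.get(f"{{{XLINK_NS}}}href", ""),
                })
    return findings


def verdict(findings):
    """Example policy: hold documents whose events call code stored in the file."""
    bound_to_document = any(
        "location=document" in b["target"] for b in findings["event_bindings"]
    )
    if bound_to_document:
        return "quarantine"
    if findings["macro_parts"] or findings["event_bindings"]:
        return "macros-present"
    return "no-macros-found"


def build_sample(with_macro):
    """Constructed test input: a minimal ODF text package, built in memory."""
    scripts = ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml", "<module>placeholder</module>")
            scripts = (
                "<office:scripts><office:event-listeners>"
                '<script:event-listener script:language="ooo:script" '
                'script:event-name="dom:load" xlink:href="vnd.sun.star.script:'
                'Standard.Module1.Main?language=Basic&amp;location=document"/>'
                "</office:event-listeners></office:scripts>"
            )
        zf.writestr(
            "content.xml",
            f'<office:document-content xmlns:office="{OFFICE_NS}" '
            f'xmlns:script="{SCRIPT_NS}" xmlns:xlink="{XLINK_NS}">'
            f"{scripts}<office:body/></office:document-content>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        result = scan_odf(build_sample(flag))
        print(verdict(result), result)
```
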

Re:The real solution (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#19224921)

Almost all imported files into spreadsheets are CSVs, i.e. plain text.

Nitwit.

Re:The real solution (0, Flamebait)

radarsat1 (786772) | more than 6 years ago | (#19225137)

Well that doesn't require scripting, now does it? Dumbass.

Re:The real solution (1)

Dog-Cow (21281) | more than 6 years ago | (#19225331)

You are an idiot. An Excel script that manipulates data from external sources isn't going to wait around for you to manually fill in a bunch of worksheet tabs. It's going to do the import on its own and massage the data according to the needs of the end-user. You wouldn't write a perl script that asks you to input thousands of lines of data from the terminal, would you? I'd hope you'd expect it to read from any files as necessary.

Yes, I know that STDIN can be one of the files, but that only works if the script only reads one file.

Re:The real solution (0)

Anonymous Coward | more than 6 years ago | (#19225787)

Clearly, the solution is for scripts to be able to have named input and output channels in addition to stdin/err/out: myfrob <foofile.txt &frob2<barfile.txt &Lemur<goofile.txt >myout.txt &myfrobout2>lemuria.txt

(Right now, unix "only" supports numbered file descriptors, and because ones >2 (0=stdin,1=stdout,2=stderr) may be dynamically allocated or fulfilling system-specific special purposes, it's difficult to guarantee they're available and do what you think they do without knowing internals)

Then scripts are only passed open file descriptors (i.e. capabilities!!! Yay capabilities!!!), and they can therefore be forbidden from calling open().

Re:The real solution (1)

EvilSS (557649) | more than 6 years ago | (#19226173)

since it's quite easy instead for a program to export it in the proper format

This is also the case with MS Office. Microsoft provides COM interfaces to the office products that can be used to generate documents. I do this all the time with Excel. It is actually very simple to use and well documented.

Re:The real solution (1)

FKnight (521972) | more than 6 years ago | (#19226521)

Unfortunately these office suite scripts are often used for things like disk access to import data.
And that, of course, is almost directly related to the fact that the MS file formats are closed. With an open format like ODF, scripts for importing data aren't critical, since it's quite easy instead for a program to export it in the proper format, or to write an external script or program to transform data into ODF format. After all, it's XML.
---- So you're saying XML based ODF format files are not stored on disk, right?

Re:The real solution (1)

CastrTroy (595695) | more than 6 years ago | (#19224511)

I never really understood the need for scripting in an office application myself. I certainly think it causes more problems than it solves. And not just in the security aspects. It seems to me that the only things that result from scripting are security holes, and tying the user to the word processor, ala, we can't use OpenOffice, because we've programmed our entire business into MS Word macros, making it impossible to switch. Also, when scripting is provided, it should be sandboxed to ensure that nothing really bad happens. You don't need scripts that can open sockets in your word processor, or read arbitrary files on the hard disk. Scripts should only have the ability to do things that the user would normally do with the application they are using.

The real problem - legacy code. (1)

Shoeler (180797) | more than 6 years ago | (#19224631)

OOo's problem IMHO is that it's an old program suite masquerading as new material. The backwards compatibility, which is necessary to its continued growth, is its albatross.

I am a developer, but the caveat is I don't know jack about the code and its current iteration. I could and may be way off base, but here goes anyway.

The only way you'll ever address it is to start. From scratch. Build the core of the program with security in mind. Converters have to pass through that core security layer. Add-ons need to pass through that layer. Even your own code has to.

Of course the manpower needs of this would be tremendous so it'd never happen.

But Google's doing something similar - they basically seem to have started from scratch and they pass all the apps through their backend, which presumably is superior to most work done on OOo or MS Office.

Re:The real solution (0)

Anonymous Coward | more than 6 years ago | (#19225023)

"Is to stop enabling scripting by default in software that has no real need of scripting. Hasn't even Microsoft learnt this by now?"

I agree; documents should not allow scripting; however, I have mixed opinions about other applications IE: Excel. Creating 2 files; one for data and the other for scripting might be a partial solution. That would wind up being a pain to manage; however, how many office (ms / oo.o) users do use scripting? IMHO; not the average user; scripting is more of a power user's trait.

PS: Please feel free to flame away. I guess there isn't an easy answer.

Any thoughts?

OO already does that. (0, Troll)

twitter (104583) | more than 6 years ago | (#19225725)

Is to stop enabling scripting by default in software that has no real need of scripting. Hasn't even Microsoft learnt this by now?

OO's default is to not run macros. The user gets a warning and has to say "yes" to the thing. This is the best that can be done and still be "compatible" with M$ Office.

A much better solution is to simply use free software, where all of the functionality is provided by best of class applications rather than back of the envelope macro functions. There are programs to do just about everything now.

If you need to make scripts, Gnumeric is a good example. It can use perl scripts but they are not something that goes with the sheet itself. Debian and other distributions provide the best of them for histograms and other analysis. Users can write and distribute more, if they must, but it's not something that is going to spring out of email and eat your system. Neither will the OO scripts, by default.

Re:OO already does that. (4, Insightful)

Macthorpe (960048) | more than 6 years ago | (#19225783)

OO's default is to not run macros. The user gets a warning and has to say "yes" to the thing. This is the best that can be done and still be "compatible" with M$ Office.
Isn't this the exact same 'security feature' that you've been saying is so shit about Vista?

Re:OO already does that. (-1, Troll)

twitter (104583) | more than 6 years ago | (#19225855)

Isn't this the exact same 'security feature' that you've been saying is so shit about Vista?

No.

O RLY (1)

dedazo (737510) | more than 6 years ago | (#19226493)

The user gets a warning and has to say "yes" to the thing

And this is different from "M$" Office in what way?

Re:The real solution (1)

Tychon (771855) | more than 6 years ago | (#19226317)

While I agree with the notion of having it turned off by default, I'd just like to quip a little on how scripting has saved my inedible bacon numerous times.

Government writing often has numerous specs and requirements for document content and layout, requirements that cannot easily be met by standard features and interface in Word/Writer. Scripting provides a simple means of getting around this without actually trying to manually fudge characters or list elements in five to ten thousand page documents.

You may feel like doing this by hand, I do not.

Correct time.... (0)

Anonymous Coward | more than 6 years ago | (#19224347)

The correct time was at the beginning of the project, as it always is with security issues.

The backdoor from hell (4, Interesting)

packetmon (977047) | more than 6 years ago | (#19224411)

So how long should we count down to until someone embeds the backdoor from hell [infiltrated.net] in not only Linux, but Solaris [security-protocols.com], then the BSD's... As an FYI... I've got a functional backdoor-worm for Free and Open ... Just makes no sense to even post it. Many don't even get what I mean when I state "there is a world of pain coming your way if you do that [infiltrated.net]" ... Mark the calendars, I give it about 9 months before something ala SOBig/Blaster hits the *nix scene...

Re:The backdoor from hell (5, Funny)

truthsearch (249536) | more than 6 years ago | (#19224565)

I give it about 9 months before something ala SOBig/Blaster hits the *nix scene...

You just conceived it? Congratulations! Do you have a name picked out?

Re:The backdoor from hell (5, Funny)

ettlz (639203) | more than 6 years ago | (#19224653)

You just conceived it? Congratulations! Do you have a name picked out?

The "backdoor from hell" already has a name: hello.jpg.

Re:The backdoor from hell (0)

Anonymous Coward | more than 6 years ago | (#19224641)

That script needs to be run as root and any OS can be compromised once you're there.

Still, scumware makers are clearly going to target Linux; making sure granny and vendors know that you don't have to be root to install a user app would be a definite plus.

saving Grandma from Linux .. (1)

rs232 (849320) | more than 6 years ago | (#19224677)

How will Grandma do any damage if she doesn't have root access? Can you point me to a URL or email me a link that runs venomous from a mouse click?

Re:saving Grandma from Linux .. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#19224913)

Thank god /usr/bin is read-only! Its sentimental value is irreplaceable. Grandma can, of course, get /home back off the install disks. Hey, wait.

Re:saving Grandma from Linux .. (0)

Anonymous Coward | more than 6 years ago | (#19225251)

You could never trick granny into running the equivalent of

rm -rf ~/
on Windows. Good thing granny is smart and isn't running with admin privileges too. Oh, wait...

Re:saving Grandma from Linux .. (0)

Anonymous Coward | more than 6 years ago | (#19225369)

Don't you know that all grandmas have root access?

Re:saving Grandma from Linux .. (0, Troll)

toadlife (301863) | more than 6 years ago | (#19225869)

root is not required to turn Linux (or Windows or OSX) into a Spam/DDoS bot, so I think Grandma can do plenty of damage without it.

Re:The backdoor from hell (1)

MobyDisk (75490) | more than 6 years ago | (#19226665)

How is this related to this discussion? The post links to a shell script that must be run as administrator. Not something that can be embedded into an OpenOffice Java plug-in running as non-admin.

Virus Name (3, Funny)

T-Bone-T (1048702) | more than 6 years ago | (#19224421)

How does one come up with a name like "SB/Badbunny-A"? Virus names never make sense to me.

Re:Virus Name (2, Informative)

Anonymous Coward | more than 6 years ago | (#19224597)

FTFA

"The worm attempts to download and display an indecent JPEG image of a man wearing a bunny suit performing a sexual act in woodland."

Re:Virus Name (1)

T-Bone-T (1048702) | more than 6 years ago | (#19225205)

So you cover Badbunny. What about the rest of the name?

Re:Virus Name (2, Informative)

chill (34294) | more than 6 years ago | (#19225407)

SB = StarBasic, because it is written as a StarBasic macro.
-A = First variant. If someone modifies it to do something else, then you'll see -B, -C, etc.

  Charles

Re:Virus Name (1)

TenBrothers (995309) | more than 6 years ago | (#19225729)

So what you're saying is, they just ripped off the naming convention of racehorses.

Re:Virus Name (1)

chill (34294) | more than 6 years ago | (#19225927)

Dunno, I've never paid attention to racehorse names.

Each AV company names things slightly differently, but the general method is:

TYPE/Common-VARIANT

Type can be "W32" or "TROJ" or "VB" or "SB", etc.

Common is a descriptive common name. In this case, the virus places a file called badbunny.js or badbunny.py and downloads a file called badbunny.jpg. Thus "badbunny" was chosen.

Variant is usually alphabetic, starting with A and going into double letters (AA, AB, etc.) if necessary.

How are racehorses named?

Re:Virus Name (1)

TenBrothers (995309) | more than 6 years ago | (#19226139)

Horses are generally named for their parents. Especially if one of them is world-famous. An example would be if you had (to just come up with random names) Seattle Slew and Delta Dawn as the sire and dam, the resulting horse would often be named something like Seattle Sunrise or Gamma Slew or...you get the picture. It's not 100%, especially if the sire and dam aren't particularly famous. But it's typical.

Documents shouldn't run code (4, Insightful)

Anonymous Coward | more than 6 years ago | (#19224423)

Documents shouldn't run scripts unless explicitly authorized to do so. That goes for word processors, spreadsheets, PDF readers, email clients and web browsers. The problem is that the world is full of dickheads who needlessly distribute documents that require executing script, so users end up clicking yes every time.

Imagine how few viruses and trojans there would be if requiring script was the exception rather than an unfortunate rule.

Oh well, we can all dream.

Re:Documents shouldn't run code (1)

DragonWriter (970822) | more than 6 years ago | (#19225333)

Documents shouldn't run scripts unless explicitly authorized to do so.


Running scripts should not be a binary issue. Scripts should always run, by default, in an appropriate security sandbox, and only get additional privileges through explicit user interaction or through some kind of trust mechanism.

Programs that load scripts from external sources should not be gaping security holes, just because I trust a program doesn't mean that my only choices with a script should be trust it as much as I trust the program running it or not trust it at all.

Re:Documents shouldn't run code (0)

Anonymous Coward | more than 6 years ago | (#19226003)

The usefulness of a script is often directly proportional to the privileges granted. Javascript is hobbled for use in browsers yet it plays a key role in the majority of browser security problems [mozilla.org] and what do you do when a script manages to break out of its sandbox? Chroot or BSD jails are one thing but the average user will gladly grant a script extended privileges just to shoot the monkey.

We've heard this argument that sandboxing is the cure to scripting ills for years now, it isn't working. [google.com] I say it's time to stop behaving like an old woman [demon.co.uk] and tackle the problem directly ;-)

Re:Documents shouldn't run code (1)

Just Some Guy (3352) | more than 6 years ago | (#19226367)

Documents shouldn't run scripts unless explicitly authorized to do so. That goes for word processors, spreadsheets, PDF readers, email clients and web browsers.

....except, of course, that PDFs are Turing-complete scripts that tend to make pretty pictures.

Re:Documents shouldn't run code (0)

Anonymous Coward | more than 6 years ago | (#19226635)

PDFs are Turing-complete scripts


No, that would be postscript.


Postscript [wikipedia.org] != PDF [wikipedia.org]


Acrobat Reader has an embedded javascript interpreter, also used in program installation and updates.

Haha (-1, Flamebait)

stratjakt (596332) | more than 6 years ago | (#19224437)

This is FUD pure and simple.

Affecting windows systems, I'll buy that. They are CRAPPY SHIT FROM A BUTT, AM I RITE GUYS?!?!?! LOL MICRO$OFT

But we all know that it is TECHNICALLY IMPOSSIBLE for a Mac, or Linux machine to malfunction in any way, from any cause.

So like, seriously. Quit it with the FUD COMMANDOR TACO. We all know your a PAID MICRO$OFT A$$$$TROTURFROFER!

Re:Haha (1)

cyfer2000 (548592) | more than 6 years ago | (#19224609)

If "it is TECHNICALLY IMPOSSIBLE for a Mac, or Linux machine to malfunction in any way, from any cause", then what's wrong with your keyboard?

Re:Haha (1)

kdemetter (965669) | more than 6 years ago | (#19225939)

The sadness of your post is that your attitude will increase the chance for insecurity. It's not secure just because it's Linux/Mac or whatever. It's secure because of the effort people put in it, because of their awareness of security. The funny thing about security is that a heavy breach in security usually leads to better security, while blindly believing that you are secure leads to some insecurity.

Why not use another alternative? (2, Interesting)

El Icaro (816679) | more than 6 years ago | (#19224451)

I realize this is just my case, but I only need Linux and I use Koffice for my office needs. I lack enough technical knowledge to prove it but it seems faster and lighter than OpenOffice. Are there any other free (either type) office packages on Windows? How about Mac?

Finally feature compatible with Office (4, Funny)

RobertM1968 (951074) | more than 6 years ago | (#19224467)

:BEGIN HUMOR:
Well, finally OpenOffice has become a viable Office Suite, having finally added the most notable features of Office, namely script exploit capabilities. It's about time... now there is nothing keeping people from switching to OO!!!
:END HUMOR:

Ding! (0, Troll)

twitter (104583) | more than 6 years ago | (#19225777)

You found 215 of Ballmer's 238 patents. Now, I'm afraid you will be executed by a chair flying squad.

Good thing OO's default behavior is to display a warning that won't run the macro when you push "OK".

Re:Ding! (2, Funny)

RobertM1968 (951074) | more than 6 years ago | (#19225969)

Oooh... I wonder how that will work on Vista?

Vista: Open Office wants permission to generate a pop-up requesting approval to run a possibly malicious script... Cancel/Allow

...Allow

OO: OO needs permission to run a script... Cancel/Allow

...Allow

Vista: Open Office is trying to run a script... Cancel/Allow

...Allow

Vista: Steve Ballmer is about to throw a chair at you... Allow/Duck & Allow

OpenOffice team: WHY?? Are you NUTS?? (1)

KWTm (808824) | more than 6 years ago | (#19226137)

My previous posts have heaped enough criticism on OOo, so I won't do that here, no matter how good it might feel to vent my frustration.

What I want to do is figure out why OpenOffice is such a steaming pile of crap. Why would someone want such a slow, bloated program? Who decided it would be a good idea to turn on scripting by default? When are they going to make a decent user interface?[1] Well, I think I've figured out a few places where OOo is not like other open source software. Perhaps we could learn some lessons from this.

OSS starts out by "scratching an itch", as the wisdom goes, but OOo did not start that way. It started with StarOffice, proprietary software acquired by Sun and then open sourced. A heartfelt thank you from me to Sun, but unfortunately, open-sourcing the software has not made it better. Instead, I suspect that little pieces here and there have been added to the StarOffice code, until the software became an incongruous quiltwork that did not run smoothly. I mean, Java for some things but not others? No way to insert current date as text? (Have they fixed that in recent versions, by the way?)

Or maybe that wasn't it; instead, perhaps it was the management that dictated the features. "My daughter says MS Word has SuperMacro ScriptEnhance-o-rama," said the manager, "and I told her, OpenOffice will have it, too!"

Or maybe it was (heaven forbid) an actual developer who decided that changing the font on the main text would not change the font within a table?

I mean, it's hard to imagine that they did any sort of usability testing at all. What it does feel like is that they were trying to keep up with Microsoft Office while forgetting about the spirit of OSS.

Can someone offer insight into what happened? Because I wouldn't want that to happen to any other OSS project. (Firefox, are you listening?) Ironically, although I fear that Firefox may be starting to suffer the same feature creep as OOo, I think the best thing for OOo to do now is to take a page from the history of Mozilla: scrap the code. Mozilla did it, and it took over a year, but when they finished, it was a masterpiece that everyone could be proud of.

So, start over. Stay focused. Otherwise, people will migrate over to AbiWord. You know what, better yet, maybe OOo can send some of their developers over to the AbiWord team, and maybe KWord, too.

Aaargh, the amount of wasted talent that goes into OOo.

-----
End notes: s/OpenOffice[^.]/OpenOffice.org/g --you know what I meant.

[1] "Decent user interface": they can start by not having multiple menu options share the same "underlined letter" shortcut.

So what's this virus going to do again??? (3, Informative)

brunes69 (86786) | more than 6 years ago | (#19224473)

So I open this OO doc in Linux.... is it going to read my address book and email itself to other people? No, OO does not have access to my Thunderbird address book.

Is it going to infect other binaries in my system? No, they're only writeable by root.

Oh wait this is how it works:

"SB/BadBunny-A spreads by dropping malicious script files that affect the behavior of the popular IRC programs mIRC and X-Chat, causing them send SB/BadBunny-A to other users. These malicious script files are named badbunny.py (for XChat) and script.ini (for mIRC, overwriting the existing mIRC file) and are also detected as SB/BadBunny-A."

So.. this "virus" relies on some twisted assumption that I use XChat, to send itself to other people RUNNING XCHAT, NOT OPEN OFFICE?!?

So tell me again how this is a virus? If I email you a shell script named "Click me.sh" that runs "rm -Rf ~/", is that a virus too?

Re:So what's this virus going to do again??? (1)

Macthorpe (960048) | more than 6 years ago | (#19224605)

If I email you a shell script named "Click me.sh" that runs "rm -Rf ~/", is that a virus too?
If you listened to some of the people here, you would begin to think so.

Re:So what's this virus going to do again??? (2, Informative)

mcrbids (148650) | more than 6 years ago | (#19224803)

> is it going to read my address book and email itself to other people? No, OO does not have access to my Thunderbird address book.

Why not? Ostensibly, OO will run as user YOU, and YOU have access to your Tbird address book, and so would OO. Unless you're running SE Linux like a bat out of hell (most people don't) or have chroot or suid set up. Most *nix users however, don't have this kind of set up.

Re:So what's this virus going to do again??? (1)

brunes69 (86786) | more than 6 years ago | (#19224869)

My point is it's Linux, there is no way for the virii writer to deduce what program I am using to manage my addresses. It could be thunderbird, it could be KABC, etc etc. He will either have to write a ton of code to catch all those cases, or not bother. Oh and even if he does, OO will not let him execute a program to send mail.

Re:So what's this virus going to do again??? (2, Insightful)

BosstonesOwn (794949) | more than 6 years ago | (#19224953)

whereis insert_mailapp_here?

because we all uninstall everything we don't use right? you fail to see that they can be written to use other apps, this just happens to use mirc or xchat.

never underestimate a determined thief.

Re:So what's this virus going to do again??? (0)

Anonymous Coward | more than 6 years ago | (#19225213)

> No, OO does not have access to my Thunderbird address book.

and then

> My point is it's Linux, there is no way for the virii writer to deduce what program I am using to manage my addresses

Are you sure you're not just making crap up?

> even if he does OO will not let him execute a program to send mail.

The article was weak on details in terms of what's possible, it just explains what it does, not what it could do. But it sounds like it's capable of writing arbitrary files.

Drop nasty.pl in ~, add "perl ~/nasty.pl" in .bashrc. Sure, it's linux, maybe you don't even use bash. Maybe you don't have perl installed or in your path. But I think you're being rather cavalier in assuming linux is automagically going to protect you.

Re:So what's this virus going to do again??? (0)

Anonymous Coward | more than 6 years ago | (#19225593)

"..there is no way for the virii writer to deduce what program I am using to manage my addresses. It could be thunderbird, it could be KABC, etc etc. He will either have to write a ton of code to catch all those cases, or not bother."

You think too small. They only need to catch ONE case (preferably the most popular), and then once exposed to the masses there will be a statistical hit.

Re:So what's this virus going to do again??? (1)

garett_spencley (193892) | more than 6 years ago | (#19225713)

If the virus were to target a specific distro, like Ubuntu, then it could make assumptions. It could even check for both Evolution and Thunderbird in the OO user's home DIR and use either or if present.

If the virus creator were especially vigilant then they could test for all sorts of installed applications with existing and exploitable/profitable data under ~/

Re:So what's this virus going to do again??? (1)

Locklin (1074657) | more than 6 years ago | (#19226263)

It's not hard to write a script that greps all the text files in the user's home directory and parses out all the email addresses. It could then use its own code to send off those emails, thus, no need to actually use or know about installed email programs.

Re:So what's this virus going to do again??? (1)

joe 155 (937621) | more than 6 years ago | (#19226077)

"Unless you're running SE Linux like a bat out of hell"

You say it like there is something wrong with running SE Linux or that it will make your experience of Linux worse. I run it and I've only ever had one problem which we managed to diagnose and file a bugzilla report which got it fixed within 4 days... not bad really. I can honestly recommend it for everyone.

I do see the problem though which you mention, namely that you can still do enough damage whilst running as user - especially because it could copy the /home/user/.thunderbird/signons.txt (or whatever it's called) and the /home/user/.pidgin/accounts (or whatever...) and send those on, which would certainly cause a problem for most users...

This seems to be an issue which the community could do with dealing with

Re:So what's this virus going to do again??? (0)

Anonymous Coward | more than 6 years ago | (#19225427)

> If I email you a shell script named "Click me.sh" than runs "rm -Rf ~/", is that a virus too?

Actually no. In order to be run on Linux it would need to have the execute attribute set, and it won't be. So 'clicking' it, at worst, will display the text or open it in an editor.

Re:So what's this virus going to do again??? (1, Informative)

Anonymous Coward | more than 6 years ago | (#19225557)

> So tell me again how this is a virus? If I email you a shell script named "Click me.sh" than runs "rm -Rf ~/", is that a virus too?

No, because it doesn't replicate itself without your assistance. SADBunny is capable of copying itself onto other systems without your knowledge, assuming the right conditions are met. This is what makes it a virus, and not just a simple piece of malware such as what you proposed.

yet another bogus Linux 'virus' story .. (3, Informative)

rs232 (849320) | more than 6 years ago | (#19224495)

This worm [theregister.co.uk] or virus [apcmag.com] depending on who is saying it, requires Perl, XChat and write and executable access to be able to run. None of which applies to any self respecting Linux user's computer. Yet another bogus Linux 'virus' article. Must be a slow day for real news.

"They are attacking the vulnerability of people's brains [guardian.co.uk] ", Graham Cluley, Sophos

Re:yet another bogus Linux 'virus' story .. (2, Insightful)

geekoid (135745) | more than 6 years ago | (#19224581)

I don't know of any wide distro that doesn't have Perl or xchat.
Getting write and execute permissions is a concern. Because the wider the Linux audience, the more people will want to double click on an attachment to see the 'dancing ponies' or whatever.

Sad, but true.

Re:yet another bogus Linux 'virus' story .. (1)

MrSenile (759314) | more than 6 years ago | (#19224881)

Actually, xchat isn't on my Slackware distribution for what it's worth.

Not that I use ICQ/Other much anyway, as it tends to be a security hole.

And when I do use it, it's chrooted to a protected account anyway.

Feel free to infect my chrooted jail all you want. Really :)

That's the biggest issue that I think a lot of Linux advocates are saying is the big difference between Windows and Linux.

Both don't protect against absolute incompetence, but if you're going to be boned, get boned on Linux. Most people who get boned on Linux won't be boned as root and as such, other than losing personal information won't have to go through the pain of a complete reformat and reinstallation.

Painful as hell, but not a total loss.

Re:yet another bogus Linux 'virus' story .. (1)

MooseTick (895855) | more than 6 years ago | (#19224743)

"any self respecting Linux user"

Have you ever taken a look at who you are talking about?

Sounds interesting but... (0)

Anonymous Coward | more than 6 years ago | (#19224527)

Proof of concept nice..

But come on a script? what's it gunna do delete some files? ..

I guess you can't take the silly human factor out of it .. since most great hacks use social engineering skills too. I suppose it is plausible to implement something that uses a local exploit ( perhaps ) to elevate privileges.

Why must Sun (3, Insightful)

gillbates (106458) | more than 6 years ago | (#19224545)

Copy even Microsoft's mistakes?

I mean, really. We've known about macro viruses for 20 years, and the danger of putting executable code in documents for about the same, and yet, in 2007, an open-source application, backed by a major UNIX vendor is released with this vulnerability?

Apparently many eyes do not make bugs shallow. I guess the community was asleep at the switch. Or maybe, something in the process is broken. Or maybe Sun just doesn't care.

Now, lest you think this a troll, consider: Security and virus immunity have been a big selling point for open source systems. Until now. Sun is a large player in the open source arena, and this makes everyone else - secure or not - look bad. Security was the major selling point for OO, and now that it's questionable, I'm not sure where Sun is going to go with this: they can't compete with Microsoft on features, OO is far from a universal standard (which means you're going to be plagued with interoperability issues), and OO's last major selling point is that it is free as in beer.

Re:Why must Sun (2)

secPM_MS (1081961) | more than 6 years ago | (#19224845)

Users are impressed by features. Reviewers are impressed by features. The review articles are filled with tables tabulating what product has what feature. So people acquire stuff that has vast numbers of features that they will never use. Features sell. Just look at consumer products.

More features = more attack surface = lower security.

Running downloaded (generally untrusted) code = rich extensibility = bad security. After all, the code writer is doing what they want, not necessarily what you want.

The default document format for Office 12 is docx, which does not support macro functionality. Despite its addiction to rich functionality (remember, customers want it), Microsoft has gotten better over the past few years. If OO / Firefox / ... is going to play the feature addition race with MS, they are going to dive headfirst into the same mud lake Microsoft went into first and we can expect that it will take them some time to figure out how to manage the associated issues.

Re:Why must Sun (1)

guruevi (827432) | more than 6 years ago | (#19224949)

To say it with Gates' words: it's not a vulnerability, it's a feature.

If you RTFA it's not a self-propagating virus that doesn't require interaction or stupidity by the user. But then again, the general populace is stupid and clicks yes for everything.

It's a 'script' that does something bad, not a virus. It's not even close to a macro 'virus'. You could call it a trojan by a far call.

Re:Why must Sun (1)

BosstonesOwn (794949) | more than 6 years ago | (#19225123)

It still does something you don't want it to! What if it ran a simple wget command with uname as input? downloaded a nice little app to your tmp, maybe execute a bug for escalated privileges and starts chowning your box?

Your tmp is read and write but not execute, right? Or your home directory? Plenty of things it could do. Hook a script to an alias, so when you type a simple command like ls it starts up a nice spam engine.

Lots of creative uses for the execution of a script.

Lords of grammer please don't smyte me ;)

Re:Why must Sun (1)

bkr1_2k (237627) | more than 6 years ago | (#19225115)

Not to be thick, but since when has security been a selling point for OO? I've heard a lot of things about OO over the years, but not once have I heard, or spoken of security as a selling point. Have I (and all my friends) been out of the loop somehow?

Most people don't consider security when they're thinking of writing a document. They think about how they format their documents, how people will read their documents, and how much that will cost them. Other than that, I think most people don't give a damn. Security just isn't a factor for a word processor in most users' minds.

Is it AIDS? (0)

Anonymous Coward | more than 6 years ago | (#19224559)

I mean come on. The worst possible publicity for Open Office would be, "Oh, yeah, I used it once. Then....BAM! AIDS!"

What's the problem (0)

Anonymous Coward | more than 6 years ago | (#19224687)

The net community should embrace these viruses which encourage open, peer-to-peer sharing of documents?

In the darkest nightmares of Linux geeks.... (3, Funny)

jd (1658) | more than 6 years ago | (#19225143)

....Just when you thought it safe to go back to the wordprocessor....

(Cue screen of XRoach for no obvious reason)

....from the darkest of nightmares comes a haunting tale of OpenOffice viruses.....

(Images from DOOM, for the oblig. explosions and gratuitous violence)

....an innocent who went too far....

(Typing on an XChat console, the first related scene so far but still stupid)

....amongst the ruins of a once-great empire....

(Scene shifts to Sun Microsystems and then to the OpenOffice group - vaguely related, sort of)

....and the darkest passions of a genius....

(Switch to any old virus research lab, nobody can tell them apart)

(Switch to a movie certificate for Open Virus, the Movie, rated C++)

Microsoft says open source violates 235^H6 patents (1)

Filter (6719) | more than 6 years ago | (#19225325)

Oh great, one more MS patent to worry about.

Trust (3, Interesting)

Carcass666 (539381) | more than 6 years ago | (#19225361)

Scripting is a very important part of Office productivity suites. This is not going to change. But what does have to change is the notion of "I'll just toss in a macro with my document/spreadsheet". In reality, macros can get so complex, especially with Microsoft Office's ability to set up references to COM libraries, that anything but the simplest macros require careful distribution.

Documents and spreadsheets should not have macros. Ever. The Office vendors need to make it a lot easier to create macro files that are distributed differently than document files. If you have to send along macros to recalc/resort a spreadsheet or something, they should go in a different file. When you open the macro file, the Office app should state which macros are being activated, and give you the option to use them temporarily or permanently, and by default do not allow them access to the file system unless you specify otherwise, etc. Enabling/disabling macros is not enough, there needs to be levels of trust.

Certificates are good things, especially if you are a company that uses macros a lot internally. But for an individual, getting a code signing certificate by a trusted authority is cost prohibitive and difficult. The Office macro engines simply need to do a better job of limiting the exposure to macro vulnerabilities and make it easier for Joe User to distribute macros in a "responsible" manner.

Re:Trust (1)

inquisitor (88155) | more than 6 years ago | (#19225655)

Some of this is done in MS Office 2007 - new-style Office documents with macros embedded are indicated with a .docm, .xlsm, .pptm type extension (as opposed to .docx, .xlsx, .pptx). What's more, Office refuses to open the document if it's renamed to the non-macro containing extension, giving a "file corrupted" error. Even then, Office is set to refuse to run all macros that aren't "trusted" by default, so it gives an information bar saying that macros are disabled and giving you a chance to enable depending on the document.

Now, if they just stop hiding extensions by default in Windows we're all set, although at least macro-enabled documents have a different file icon (with a red exclamation mark in it).
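
Added example (not part of any comment in this thread): a mail-gateway style triage that looks inside ZIP-based office documents for macro payloads and flags the extension mismatch described above. The archive member names (`Basic/`, `Scripts/`, `vbaProject.bin`) come from the ODF and OOXML package layouts rather than from this page, the function names are hypothetical, and the sample files are constructed.

```python
import io
import zipfile

# ODF (OpenOffice.org) packages keep StarBasic libraries under "Basic/" and
# other script languages under "Scripts/"; OOXML (Office 2007) packages keep
# VBA in "vbaProject.bin". These names are assumptions, not from the thread.
ODF_MACRO_PREFIXES = ("Basic/", "Scripts/")
OOXML_MACRO_NAME = "vbaproject.bin"
# Extensions that promise "no macros inside".
MACRO_FREE_EXTS = (".docx", ".xlsx", ".pptx")


def macro_members(data: bytes) -> list:
    """Return the archive members that carry macro or script code."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a ZIP-based document (e.g. legacy .doc)
    hits = []
    for name in names:
        if name.endswith("/"):
            continue  # bare directory entry, no content
        if name.startswith(ODF_MACRO_PREFIXES):
            hits.append(name)
        elif name.lower().rsplit("/", 1)[-1] == OOXML_MACRO_NAME:
            hits.append(name)
    return sorted(hits)


def triage(filename: str, data: bytes) -> str:
    """Classify a document as 'clean', 'macros' or 'mismatch'."""
    if not macro_members(data):
        return "clean"
    if filename.lower().endswith(MACRO_FREE_EXTS):
        return "mismatch"  # macro payload behind a macro-free extension
    return "macros"


def _build(members: dict) -> bytes:
    """Build a constructed sample archive in memory (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples; no real document or malware content.
SAMPLES = {
    "report.odt": _build({"content.xml": b"<doc/>"}),
    "invoice.odt": _build({"content.xml": b"<doc/>",
                           "Basic/Standard/Module1.xml": b"<m/>"}),
    "renamed.docx": _build({"word/document.xml": b"<doc/>",
                            "word/vbaProject.bin": b"\x00"}),
}
```

This is a name-based heuristic: it reports that script content is present in the package, not whether that content is malicious.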

Exactly how is this going to affect OO? (1)

camsbad (200182) | more than 6 years ago | (#19225993)

> Despite Sun's OpenOffice.org developer Malte Timmermann's claims to the contrary, this kind of embedded scripting attack represents a real threat to OpenOffice.org users.

I don't understand how this could threaten OpenOffice.org, M$ has been allowing this for 20 years and look where they are. Do folks actually think that because some lame virus that depends on at least 2 other programs being installed to work, actually "represents a real threat"??

Nothing here, move along now ...