Exploitable Buffer Overflow in OpenOffice.org
Memorize writes "It turns out that OpenOffice.org can't read MS Office documents safely, either. A buffer overflow in OpenOffice.org has been confirmed and would allow an attacker to write a specially-constructed .doc file that will take control over an OpenOffice.org user's machine. This vulnerability is exploitable and it exists on every computer with OpenOffice 1.14 or 2.0b installed. OpenOffice.org will have a fix ready within days, but how quickly will Linux users patch? This paves the way for Linux users to be vulnerable to a virus that spreads by sending itself as email attachments which unsuspecting users then open. Could the first real Linux virus be drawing near?" Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application."
While running openoffice as root...
Not to mention that you don't need openoffice for this at all. If you can convince somebody to open a rogue document, you probably can convince them to run some application or script. Either way... Not root? Not a problem.
Is OO running setuid root for some reason?
"The slave who knows his master's will and does not get ready...will be beaten with many blows." Luke 12:47-48
WTF, an eweek article for non-technical people, no real security advisor about the flaw? Is the malign injectable code platform-specific? Does it use the OOo macro language (I doubt it since it needs a .doc format, but who knows), or call 'real' functions from the host platform?
Articles for geek people: T-shirts, Linux, books and more
Regardless of whether or not users would have to open a malicious document with an unpatched application, I think the story poster is reasonable when positing the opinion that Linux viruses may be on their way. Daily, Microsoft users open malicious documents in their email with unpatched applications.
Certainly, not all Linux users are power users, and even then they may or may not be aware of whether or not their application needs to be patched, or could be duped into opening an email.
The OpenOffice developers MUST be copying Microsoft code!
"Freedom means freedom for everybody" -- Dick Cheney
would be dumb enough to open up a .doc file that they didn't expect or didn't know who it came from. Especially after this.
"Could the first real Linux virus be drawing near?" Not from the sound of it: the article says that users would still have to be convinced "to open a malicious document with an unpatched application." Hmmm, so, Linux is secure because its users are more intelligent than windows users? Or is it that Linux is such a pain in the ass to use as a desktop OS that you have no choice but to have a PHD in CS to use it and therefore would know not to open an unknown attachment. I just love the double standards. PS - I know quite a few people that use Linux as a desktop OS that would blindly open an attachment.
-- http://anonet.org -- The internet the way it was meant to be. Check it out, you may be surprised.
For that matter, isn't that the very definition of a virus, as opposed to a worm?
What I'm listening to now on Pandora...
Then there would never be buffer overflow exploits.
See http://developers.slashdot.org/article.pl?sid=05/03/28/2218246
You can have your god back when you are old enough to handle the responsibility.
I think concerns about the vulnerability from this are overstated. Especially since 2.0 is in beta, so the official version will contain the fix.
In which case, this is really a reason why there will be at least one less vulnerability.
All opinions expressed herein are my own, and not those of my employers, who are appalled.
So, what's the problem? Just don't open any .doc files as root for a few days.
The Ludwig von Mises Institute. The reasoning individuals economics
For example, there was a privilege escalation vulnerability in pretty much all kernel versions around Christmas time. I was running Mandrake at the time, and counted how long it would take to get a fix. I think it finally appeared in the automated update section a month later in the form of a package of kernel source code - no installer, nothing. I tried compiling and installing it, but it failed to boot so catastrophically that I just gave up and switched distros (I'd been planning to ditch Mandrake for a while now). The point is, even with Windows with its "Click-Click and you're done!" security updates, few people bother to update. How are they going to respond when they have to re-compile their fucking kernel (presumably tracking down and copying across their old kernel first)? Answer: they're not, and so any exploit like the one in TFA will leave you rooted.
One area where Linux is perhaps a little more safe stems from the marked heterogeneity of Linux environments - people are always whinging about how hard it is to install legitimate software (I've never really had a problem myself, for the record, and consider the LinuxWay superior to that of Windows, assuming a nice, up-to-date and complete repository) but the fact is that a keylogger can run with very few dependencies, and even then any libraries it needs can be compiled in, so we can scratch this one, too.
For all the accusations of FUD this article will receive, I can't help but worry about the future of Firefox & Linux et al. What would be nice is if people used "safer" languages like Python etc - heck, even using C++ with a template library that bounds-checked every access would be an improvement, and easily worth the minor performance hit. Thoughts?
A possible software exploit that could possibly be exploited on a linux system (or windows
If someone finds a virus/worm/trojan on the Windows platform that has definitely compromised thousands of systems and all you get is a little alert to say please update your virus definitions
This should say more about Linux's reputation and record for security than anything. This will already be patched, I imagine (must check that and apt-get an update), and there are no known exploits so far. As for Linux virii being around the corner: they are already here, but if we keep our systems up to date (most Linux distros aimed at non-power users will have an auto-update feature (most aimed at power users do now too)) and the kernel carries on getting updated and patched and secured, we have nothing to worry about.
The people who do have to worry are the makers of distros for new non tech users who do not have the best record for out of the box security
The only things certain in war are Propaganda and Death. You can never be sure which is which though
The fix for Gentoo bug #88863 was marked stable for x86 yesterday. Sometimes there's some value in compiling your own.
Yeah, I'm a fanboy.
WTF? What, we should not open any documents at all now?
I mean, you don't expect what is essentially a text document to crack your machine. Imagine if someone could send you a PDF that did the same thing. Are we then not supposed to open any PDF documents any more?!
There are no buffer exploits in Java apps because there are no buffers. At the worst an attacker could get the Java app to do something stupid but he can't trick it into executing code. Why we still write applications in non-safe languages like C and C++ mystifies me. Don't say, "because Java is slow" or "Swing sucks". Anyone who has experience with Netbeans will know that Java can be fast and you can do some amazing things in pure Swing.
And this just begs the question: What are these people doing, where such that they could allow such a blunder? Isn't this the kind of mistake that coked-up... Oh. Wait. This is NOT a Microsoft product? Oh. SORRY!
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
All six people running OO sure are going to be in trouble!
Correct, I think you and I are making the same point. You don't expect "what is essentially a text document" to make your machine compromised in any way. Unfortunately, the sad truth is that those documents can, and in my opinion, will, someday.
Unfortunately, it is sometimes difficult to ascertain whether or not a document is legit or a forgery. Granted, for many readers that is a rare case, but others may view their mail in a much more haphazard fashion.
As more and more people start using Linux, more and more people are going to be running the risk of a malicious file executing code because the program or document doesn't do what they expect it to do. And as a poster before put it, that is exactly the definition of a virus.
The patch is available here:
http://ftp.stardiv.de/pub/OpenOffice.org/contrib/rc/1.1.4secpatch/
Here is the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=46388
And the BugTraq report:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-04/0150.html
I don't particularly have any concerns about vulnerability. In my experience, OpenOffice freezes the X session so frequently, you're not going to open any document you don't absolutely HAVE to open.
My concern is primarily that so many Linux users have had a false sense of security instilled by the repetition of "Linux isn't vulnerable to virus infection". This makes them *more* vulnerable when a vulnerability pops up, and there's no way to be sure how MUCH more vulnerable. The human element is always the weakest link.
Microsoft cheerleader, blue flag waving, you got a problem with that?
OpenOffice.org will have a fix ready within days, but how quickly will Linux users patch?
However long it takes emerge to finish. Duh.
Yay for binary formats, they're so easy to perfectly parse. Oh wait...
If "design[ing] from the ground up to be more secure" is actually a point of the open source movement it is a mistake. After a certain amount of complexity, people are sure to inadvertently write buggy programs. There's nothing wrong with trying to design secure programs from the start, but inevitably bugs will be found. Therefore to promise secure design from the start is a lie.
The free software movement, by contrast, avoids that lie because it offers a different message. The free software movement's message says that free software is inherently better because people have the freedom to share and modify free programs. Thus when bugs are discovered they can be fixed and the fixed version can be shared with the community. Nowhere does the free software message hinge on secure design from the start; however, secure-by-design may be another side effect of the freedoms of free software. It makes far more sense to admit that humans are fallible, regardless of intention, and will design insecure software as a result.
For more on the differences between the movements, please read the FSF's essay.
Digital Citizen
Actually, a virus is a bit of executable stub code that spreads by attaching itself to other executables.
Malware which erupts when the user 'opens a malicious document' is a trojan.
This paves the way for Linux users to be vulnerable to a virus that spreads by sending itself as email attachments which unsuspecting users then open. Could the first real Linux virus be drawing near?
No. Not unless you are for some ungodly reason running your OpenOffice as root and reading your email with it. The virus could not replicate to the operating system, so its impact is minimal. Yes, it *could* delete the contents of your ~/. But you have that backed up, right? Right.
A lot of people have been arguing that Linux is safe from viruses because users don't run as root unless they need to.
A virus, worm, or trojan would not need to run as root to be effective. You don't need root to save programs to my home directory and execute them, or to send email. You don't need root to read almost every file in the file system (on most default setups). You don't need root to listen on high ports.
The real reasons why Linux has fewer viruses:
Executable flag:
If a file is saved to the disk, and the user somehow attempts to execute it, it'll fail to run unless the program that saved it explicitly marked it as executable. Most email viruses depend on Windows' lack of this feature.
Containment:
Running as a limited user makes it a lot easier to contain and clean malware. Damage is mostly restricted to the user's home directory. Installed programs are generally unaffected. They can't install browser spyware. A malware infection won't get so bad that you have to reinstall the operating system.
User demographic:
Most Linux users know better than to get infected by a virus, on any operating system. My Windows PCs have always been virus-free. Plus, most Linux users prefer open source, making it very hard to bundle spyware and adware.
Learning curve:
On the other end of the spectrum, grandma will have a steep learning curve to figure out how to infect her Linux system with a virus if she ever gets one. Someone who has figured out the simple task of logging in as root, marking a file as executable, and running the file probably knows how to avoid malware, which is handy because such knowledge is likely to be a prerequisite to installing said malware. The easiest way to install software on Linux is from a trusted repository.
Malware writers:
Taking into account all of the above, and the market share of Linux among computer illiterates, Linux is not the best target for malware. If they had to choose between 2% of Windows users, or 0.01% of 1/10th as many Linux users, they'd choose to target Windows users.
Exploits are published every week, and occasionally a Linux virus is written and released, but very few Linux users in the world have ever seen a Linux virus, or know someone who has. Who wants to write a virus that'll infect just a few hundred systems at most, or market adware and spyware installing software to a demographic that prefers open source?
Ha-ha-a!
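Added example, not part of any comment in this thread: the "Executable flag" point above as a shell check, showing what the flag stops and what it does not. The attachment contents, file name and function name are constructed for illustration.

```shell
#!/bin/sh
# Added example: what the executable flag does for a file saved from mail.
# The attachment below is constructed and harmless (it prints one word).
exec_flag_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/attachment.sh"

    # A plain save: open() asks for mode 0666 and umask 022 leaves 0644,
    # so no execute bit is set unless the saving program adds one.
    ( umask 022; printf '#!/bin/sh\necho ran\n' > "$f" )

    # 1. Direct execution is refused by the kernel (EACCES, shell status 126).
    if "$f" >/dev/null 2>&1; then direct=0; else direct=$?; fi

    # 2. Caveat: an interpreter only needs read access to the same file.
    if sh "$f" >/dev/null 2>&1; then interp=0; else interp=$?; fi

    # 3. After an explicit chmod the file runs directly.
    chmod u+x "$f"
    if "$f" >/dev/null 2>&1; then marked=0; else marked=$?; fi

    rm -rf "$dir"
    # Exit statuses in order: direct run, run via sh, run after chmod.
    echo "$direct $interp $marked"
}

exec_flag_demo
```

The flag blocks the click-to-run path for a freshly saved file; it is not a boundary for content handed to an interpreter or, as in this story, to a document parser.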
If I really am talking out of my ass...explain it to me with respect so I'll at least pull my ears out to listen.
My friends have this odd tendency to send cute little powerpoint presentations to me. Some of them are rather neat (like one showing the stages in creation of an airport raised from the ocean). I tend to use OO to open them because it won't execute some of the nasty macroviruses etc that MS Office might... but it appears one still has to be wary.