Slashdot Mirror

← Back to Stories (view on slashdot.org)

First OpenOffice Virus, Not In the Wild

Posted by kdawson on from the raucous-laughter-in-Redmond dept.

NZheretic writes "According to APCmag, the first cross-platform OpenOffice.org virus — 'SB/Badbunny-A' — was emailed directly to Sophos from the virus developers. The proof-of-concept virus affects Windows, Mac OS X, and Linux systems and uses different methods on each. It has not yet been seen in the wild. Despite Sun's OpenOffice.org developer Malte Timmermann's claims to the contrary, this kind of embedded scripting attack represents a real threat to OpenOffice.org users. Back in June 2000 when Sun first announced the open sourcing of OpenOffice.org, the twelfth email to the open discussion list put forward a two-part solution for providing OpenOffice users with Safe(r) Scripting using restricted-mode execution by default and access by signed digital certificates. In October 2000 the issue of treating security as an 'add-on' feature rather than as a 'system property' was again raised. Is it time to now introduce such measures to the OpenOffice.org Core to greatly reduce any future risk from scripted infections?"

15 of 169 comments (clear)

  1. The real solution by Rix · · Score: 4, Insightful

    Is to stop enabling scripting by default in software that has no real need of scripting. Hasn't even Microsoft learnt this by now?

    1. Re:The real solution by truthsearch · · Score: 4, Insightful

      Ever work in a financial company? Some live almost entirely off of their scripted Excel spreadsheets. There is a lot of value in allowing spreadsheets to support scripting. But it's the abilities of those scripting languages that's a real problem. Just like JavaScript needs to be limited in scope within a web browser, so too should the spreadsheet scripts. Unfortunately these office suite scripts are often used for things like disk access to import data.

      --
      Developers: We can use your help.
    2. Re:The real solution by needacoolnickname · · Score: 4, Insightful

      What is an untrustworthy website?

    3. Re:The real solution by radarsat1 · · Score: 2, Insightful

      Unfortunately these office suite scripts are often used for things like disk access to import data.


      And that, of course, is almost directly related to the fact that the MS file formats are closed. With an open format like ODF, scripts for importing data aren't critical, since it's quite easy instead for a program to export it in the proper format, or to write an external script or program to transform data into ODF format. After all, it's XML.

      Unfortunately MS has trained industry to rely on scripting to do basic things that should be done in other ways, just for the sake of not having to divulge file format details.

      But in any case, I agree with the opinion expressed elsewhere in the comments that scripting isn't inherently bad, but it should be limited in ability by default. If a company needs unprotected scripting so badly, I don't see why their IT department can't just deploy it with the correct defaults.
    4. Re:The real solution by LiquidCoooled · · Score: 2, Insightful

      Don't open email attachments of an unknown sender

      Many people get viruses (appearing to come) from well known trusted sources, so this advice is wrong.

      The correct thing to say is:

      Don't open unsolicited attachments or files, ever .

      If in doubt, speak to the sender and confirm its validity.

      --
      liqbase :: faster than paper
    5. Re:The real solution by fluffman86 · · Score: 3, Insightful

      I really like McAfee SiteAdvisor to help me decide. It's available as a Firefox extension and turns green if a site is not known to have any bad downloads or send unwanted emails. It's gray if unknown, and red if a site has malicious downloads or sends out a lot of emails. It's by no means an excuse for not using your brain FIRST, but it helps sometimes.

  2. Documents shouldn't run code by Anonymous Coward · · Score: 4, Insightful

    Documents shouldn't run scripts unless explicitly authorized to do so. That goes for word processors, spreadsheets, PDF readers, email clients and web browsers. The problem is that the world is full of dickheads who needlessly distribute documents that require executing script, so users end up clicking yes every time.

    Imagine how few viruses and trojans there would be if requiring script was the exception rather than an unfortunate rule.

    Oh well, we can all dream.

  3. Why must Sun by gillbates · · Score: 3, Insightful

    Copy even Microsoft's mistakes?

    I mean, really. We've known about macro viruses for 20 years, and the danger of putting executable code in documents for about the same, and yet, in 2007, an open-source application, backed by a major UNIX vendor is released with this vulnerability?

    Apparently many eyes do not make bugs shallow. I guess the community was asleep at the switch. Or maybe, something in the process is broken. Or maybe Sun just doesn't care.

    Now, lest you think this a troll, consider: Security and virus immunity have been a big selling point for open source systems. Until now. Sun is a large player in the open source arena, and this makes everyone else - secure or not - look bad. Security was the major selling point for OO, and now that it's questionable, I'm not sure where Sun is going to go with this: they can't compete with Microsoft on features, OO is far from a universal standard (which means you're going to be plagued with interoperability issues), and OO's last major selling point is that it is free as in beer.

    --
    The society for a thought-free internet welcomes you.
  4. Re:yet another bogus Linux 'virus' story .. by geekoid · · Score: 2, Insightful

    I don't know of any wide distro that doesn't have Perl or xchat.
    Getting write and execute permissions is a concern. Because they wider the Linux audience, the more people will want to double click on an attachment to see the 'dancing ponies' or whatever.

    Sad, but true.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  5. Most people don't work in financial companies by Rix · · Score: 2, Insightful

    Those that do can enable scripting. There's no reason to expose the vast majority who will never, ever, use that functionality to the risk. Which is why I said "disable by default" and not "rip it out and burn it".

    You are correct that vulnerable functionality should be in a protected wrapper. However, this will simply reduce, not eliminate shenanigans. Clever monkeys will still find a way.

  6. Re:saving Grandma from Linux .. by Anonymous Coward · · Score: 1, Insightful

    Thank god /usr/bin is read-only! Its sentimental value is irreplaceable. Grandma can, of course, get /home back off the install disks. Hey, wait.

  7. Re:So what's this virus going to do again??? by BosstonesOwn · · Score: 1, Insightful

    whereis insert_mailapp_here?

    because we all uninstall everything we don't use right? you fail to see that they can be written to use other apps, this just happens to use mirc or xchat.

    never underestimate a determined thief.

    --
    This package Does Not Contain a Winner
  8. Re:OO already does that. by Macthorpe · · Score: 4, Insightful

    OO's default is to not run macros. The user get's a warning and has to say "yes" to the thing. This is the best that can be done and still be "compatible" with M$ Office. Isn't this the exact same 'security feature' that you've been saying is so shit about Vista?
    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
  9. virusscanner bloat by pe1chl · · Score: 2, Insightful

    was emailed directly to Sophos from the virus developers ... who dutyfully included it in their signature database, so it will be looked for in millions of computers even though it is not in the wild.

    meanwhile, our computers get slower and slower. virusscanners eat up lots of resources and become ever slower. I recently noticed clamav takes 13 seconds to scan an infected .scr file of 16kb before deciding that it is safe (because it not yet had the signature).

    wouldn't it be time that antivirus companies slim down the signature lists a bit. of course it is cute to boast a "number of signatures" above 100.000, but who is really getting benefit from the scanning of all those hypothetical viruses?

  10. Not just finance companies - even departments by jimicus · · Score: 3, Insightful

    In any company, there's a whole bunch of departments other than IT.

    Those departments don't always fancy calling the IT department when they have an IT requirement - particularly if it doesn't seem that complicated. There is always someone in the department who knows their way around Excel (and possibly Access) better than any of their colleagues. So they cobble something together in some 'orrible mess of VB macros linking who knows what files, referential integrity or scalable design be damned.

    Were you to audit any sizeable business for spreadsheets made somehow interactive with scripts and badly designed databases thrown together in Access, I guarantee you'd be amazed and disturbed in equal measure. And you really don't want to start trying to figure out which ones have somehow become critical to the business.

    This has been going on for years. Try taking that functionality away today, you might as well suggest replacing their computers with slide rules.