Slashdot Mirror

← Back to Stories (view on slashdot.org)

First OpenOffice Virus, Not In the Wild

Posted by kdawson on from the raucous-laughter-in-Redmond dept.

NZheretic writes "According to APCmag, the first cross-platform OpenOffice.org virus — 'SB/Badbunny-A' — was emailed directly to Sophos from the virus developers. The proof-of-concept virus affects Windows, Mac OS X, and Linux systems and uses different methods on each. It has not yet been seen in the wild. Despite Sun's OpenOffice.org developer Malte Timmermann's claims to the contrary, this kind of embedded scripting attack represents a real threat to OpenOffice.org users. Back in June 2000 when Sun first announced the open sourcing of OpenOffice.org, the twelfth email to the open discussion list put forward a two-part solution for providing OpenOffice users with Safe(r) Scripting using restricted-mode execution by default and access by signed digital certificates. In October 2000 the issue of treating security as an 'add-on' feature rather than as a 'system property' was again raised. Is it time to now introduce such measures to the OpenOffice.org Core to greatly reduce any future risk from scripted infections?"

8 of 169 comments (clear)

  1. The real solution by Rix · · Score: 4, Insightful

    Is to stop enabling scripting by default in software that has no real need of scripting. Hasn't even Microsoft learnt this by now?

    1. Re:The real solution by truthsearch · · Score: 4, Insightful

      Ever work in a financial company? Some live almost entirely off of their scripted Excel spreadsheets. There is a lot of value in allowing spreadsheets to support scripting. But it's the abilities of those scripting languages that's a real problem. Just like JavaScript needs to be limited in scope within a web browser, so too should the spreadsheet scripts. Unfortunately these office suite scripts are often used for things like disk access to import data.

      --
      Developers: We can use your help.
    2. Re:The real solution by needacoolnickname · · Score: 4, Insightful

      What is an untrustworthy website?

    3. Re:The real solution by fluffman86 · · Score: 3, Insightful

      I really like McAfee SiteAdvisor to help me decide. It's available as a Firefox extension and turns green if a site is not known to have any bad downloads or send unwanted emails. It's gray if unknown, and red if a site has malicious downloads or sends out a lot of emails. It's by no means an excuse for not using your brain FIRST, but it helps sometimes.

  2. Documents shouldn't run code by Anonymous Coward · · Score: 4, Insightful

    Documents shouldn't run scripts unless explicitly authorized to do so. That goes for word processors, spreadsheets, PDF readers, email clients and web browsers. The problem is that the world is full of dickheads who needlessly distribute documents that require executing script, so users end up clicking yes every time.

    Imagine how few viruses and trojans there would be if requiring script was the exception rather than an unfortunate rule.

    Oh well, we can all dream.

  3. Why must Sun by gillbates · · Score: 3, Insightful

    Copy even Microsoft's mistakes?

    I mean, really. We've known about macro viruses for 20 years, and the danger of putting executable code in documents for about the same, and yet, in 2007, an open-source application, backed by a major UNIX vendor is released with this vulnerability?

    Apparently many eyes do not make bugs shallow. I guess the community was asleep at the switch. Or maybe, something in the process is broken. Or maybe Sun just doesn't care.

    Now, lest you think this a troll, consider: Security and virus immunity have been a big selling point for open source systems. Until now. Sun is a large player in the open source arena, and this makes everyone else - secure or not - look bad. Security was the major selling point for OO, and now that it's questionable, I'm not sure where Sun is going to go with this: they can't compete with Microsoft on features, OO is far from a universal standard (which means you're going to be plagued with interoperability issues), and OO's last major selling point is that it is free as in beer.

    --
    The society for a thought-free internet welcomes you.
  4. Re:OO already does that. by Macthorpe · · Score: 4, Insightful

    OO's default is to not run macros. The user get's a warning and has to say "yes" to the thing. This is the best that can be done and still be "compatible" with M$ Office. Isn't this the exact same 'security feature' that you've been saying is so shit about Vista?
    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
  5. Not just finance companies - even departments by jimicus · · Score: 3, Insightful

    In any company, there's a whole bunch of departments other than IT.

    Those departments don't always fancy calling the IT department when they have an IT requirement - particularly if it doesn't seem that complicated. There is always someone in the department who knows their way around Excel (and possibly Access) better than any of their colleagues. So they cobble something together in some 'orrible mess of VB macros linking who knows what files, referential integrity or scalable design be damned.

    Were you to audit any sizeable business for spreadsheets made somehow interactive with scripts and badly designed databases thrown together in Access, I guarantee you'd be amazed and disturbed in equal measure. And you really don't want to start trying to figure out which ones have somehow become critical to the business.

    This has been going on for years. Try taking that functionality away today, you might as well suggest replacing their computers with slide rules.