Slashdot Mirror
First OpenOffice Virus, Not In the Wild
NZheretic writes "According to APCmag, the first cross-platform OpenOffice.org virus — 'SB/Badbunny-A' — was emailed directly to Sophos from the virus developers. The proof-of-concept virus affects Windows, Mac OS X, and Linux systems and uses different methods on each. It has not yet been seen in the wild. Despite Sun's OpenOffice.org developer Malte Timmermann's claims to the contrary, this kind of embedded scripting attack represents a real threat to OpenOffice.org users. Back in June 2000 when Sun first announced the open sourcing of OpenOffice.org, the twelfth email to the open discussion list put forward a two-part solution for providing OpenOffice users with Safe(r) Scripting using restricted-mode execution by default and access by signed digital certificates. In October 2000 the issue of treating security as an 'add-on' feature rather than as a 'system property' was again raised. Is it time to now introduce such measures to the OpenOffice.org Core to greatly reduce any future risk from scripted infections?"
Is to stop enabling scripting by default in software that has no real need of scripting. Hasn't even Microsoft learnt this by now?
So how long should we count down to until someone embeds the backdoor from hell in not only Linux, but Solaris, then the BSD's... As an FYI... I've got a functional backdoor-worm for Free and Open ... Just makes no sense to even post it. Many don't even get what I mean when I state "there is a world of pain coming your way if you do that" ... Mark the calendars, I give it about 9 months before something ala SOBig/Blaster hits the *nix scene...
Infiltrated dot Net
How does one come up with a name like "SB/Badbunny-A"? Virus names never make sense to me.
Documents shouldn't run scripts unless explicitly authorized to do so. That goes for word processors, spreadsheets, PDF readers, email clients and web browsers. The problem is that the world is full of dickheads who needlessly distribute documents that require executing script, so users end up clicking yes every time.
Imagine how few viruses and trojans there would be if requiring script was the exception rather than an unfortunate rule.
Oh well, we can all dream.
I realize this is just my case, but I only need Linux and I use Koffice for my office needs. I lack enough technical knowledge to prove it but it seems faster and lighter than OpenOffice. Are there any other free (either type) office packages on Windows? How about Mac?
Scripting itself is a virus that spreads through programmers: once a programmer has seen scripting somewhere it doesn't belong, he feels a sudden urge to add scripting to the project he's working on.
:BEGIN HUMOR:
Well, finally OpenOffice has become a viable Office Suite, having finally added the most notable features of Office, namely script exploit capabilities. It's about time... now there is nothing keeping people from switching to OO!!!
:END HUMOR:
StarTrekPhase2 - The Five Year Mission Continues!
So I open this OO doc in Linux.... is it going to read my address book and email itself to other people? No, OO does not have access to my Thunderbird address book.
Is it going to infect other binaries in my system? No, they're only writeable by root.
Oh wait this is how it works:
"SB/BadBunny-A spreads by dropping malicious script files that affect the behavior of the popular IRC programs mIRC and X-Chat, causing them send SB/BadBunny-A to other users. These malicious script files are named badbunny.py (for XChat) and script.ini (for mIRC, overwriting the existing mIRC file) and are also detected as SB/BadBunny-A."
So.. this "virus" relies on some twisted assumption that I use XChat, to send itself to other people RUNNING XCHAT, NOT OPEN OFFICE?!?
So tell me again how this is a virus? If I email you a shell script named "Click me.sh" than runs "rm -Rf ~/", is that a virus too?
This worm or virus depending on who is saying it, requires Perl, XChat and write and executable access to be able to run. None of which applies to any self respecting Linux users computer. Yet another bogus Linux 'virus' article. Must be a slow day for real news.
"They are attacking the vulnerability of people's brains ", Graham Cluley, Sophos
davecb5620@gmail.com
Copy even Microsoft's mistakes?
I mean, really. We've known about macro viruses for 20 years, and the danger of putting executable code in documents for about the same, and yet, in 2007, an open-source application, backed by a major UNIX vendor is released with this vulnerability?
Apparently many eyes do not make bugs shallow. I guess the community was asleep at the switch. Or maybe, something in the process is broken. Or maybe Sun just doesn't care.
Now, lest you think this a troll, consider: Security and virus immunity have been a big selling point for open source systems. Until now. Sun is a large player in the open source arena, and this makes everyone else - secure or not - look bad. Security was the major selling point for OO, and now that it's questionable, I'm not sure where Sun is going to go with this: they can't compete with Microsoft on features, OO is far from a universal standard (which means you're going to be plagued with interoperability issues), and OO's last major selling point is that it is free as in beer.
The society for a thought-free internet welcomes you.
I think it's satire.
I hope it's satire.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
If "it is TECHNICALLY IMPOSSIBLE for a Mac, or Linux machine to malfunction in any way, from any cause", then what's wrong with your keyboard?
There is a spark in every single flame bait point.
I should have put a bit more thought into that.
I read this all the time. Don't go to untrustworthy websites.
What should one do? Should they run a whois on every site before going to it? Should they then run a background check on the site owner and the technical contact, if it's not bogus or private? What if it is? Then what does a person do?
People who go to warez sites or any movie/music download site they can find off a search engine deserve what befalls their computer - because one has to take risk for a reward. If they don't want to pay for something that is for sale or go through the effort to find it a wee bit less conspicuously then their computer be damned.
Past those people though, what info would you give grandma about going to a trustworthy web site when what she really wants is some nice wallpaper and screensavers?
OOo's problem IMHO is that it's an old program suite masquerading as new material. The backwards compatibility, which is necessary to its continued growth, is its albatross.
I am a developer, but the caveot is I don't know jack about the code and its current iteration. I could and may be way off base, but here goes anyway.
The only way you'll ever address it is to start. From scratch. Build the core of the program with security in mind. Converters have to pass through that core security layer. Add-ons need to pass through that layer. Even your own code has to.
Of course the manpower needs of this would be tremendous so it'd never happen.
But Google's doing something similar - they basically seem to have started from scratch and they pass all the apps through their backend, which presumably is superior to most work done on OOo or MS Office.
How will Grandma do any damage if she don't have root access. Can you point me to a URL or email me a link that runs venomous from a mouse click.
davecb5620@gmail.com
OpenOffice really does violate Microsoft patents. /ducks
Those that do can enable scripting. There's no reason to expose the vast majority who will never, ever, use that functionality to the risk. Which is why I said "disable by default" and not "rip it out and burn it".
You are correct that vulnerable functionality should be in a protected wrapper. However, this will simply reduce, not eliminate shenanigans. Clever monkeys will still find a way.
(Cue screen of XRoach for no obvious reason)
(Images from DOOM, for the oblig. explosions and gratuitous violence)
(Typing on an XChat console, the first related scene so far but still stupid)
(Scene shifts to Sun Microsystems and then to the OpenOffice group - vaguely related, sort of)
(Switch to any old virus research lab, nobody can tell them apart)
(Switch to a movie certificate for Open Virus, the Movie, rated C++)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Oh great, one more MS patent to worry about.
"better ways of doing things eventually just replace the inferior things" - Linus Torvalds 09-08-07
Scripting is a very important part of Office productivity suites. This is not going to change. But what does have to change is the notion of "I'll just toss in a macro with my document/spreadsheet". In reality, macros can get so complex, especially with Microsoft Office's ability to set up references to COM libraries, anything but the simplest macros require careful distribution.
Documents and spreadsheets should not have macros. Ever. The Office vendors need to make it a lot easier to create macro files that are distributed differently than document files. If you have to send along macros to recalc/resort a spreadsheet or something, they should go in a different file. When you open the macro file, the Office app should state which macros that are being activated, and give you the option to use them temporarily or permanently, and by default do not allow them access to the file system unless you specify otherwise, etc. Enabling/disabling macros is not enough, there needs to be levels of trust.
Certificates are good things, especially if you are a company that uses macros a lot internally. But for an individual, getting a code signing certificate by a trusted authority is cost prohibitive and difficult. The Office macro engines simply need to do a better job of limiting the exposure to macro vulnerabilities and make it easier for Joe User to distribute macros in a "responsible" manner.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
The sadness of your post is that your attitude will increase the chance for insecurity . it's not secure just because it's linux/mac or whatever . it's secure because of the effort people put in it , because of their awareness to security . The funny thing about security is that a heavy breach in security usually leads to better security , while blindly believing that you are secure leads to some insecurity .
Slipping shoelaces ?
Oooh... I wonder how that will work on Vista?
Vista: Open Office wants permission to generate a pop-up requesting approval to run a possibly malicious script... Cancel/Allow
...Allow
OO: OO needs permission to run a script... Cancel/Allow
...Allow
Vista: Open Office is trying to run a script... Cancel/Allow
...Allow
Vista: Steve Ballmer is about to throw a chair at you... Allow/Duck & Allow
StarTrekPhase2 - The Five Year Mission Continues!
My previous posts have heaped enough criticism on OOo, so I won't do that here, no matter how good it might feel to vent my frustration.
What I want to do is figure out why OpenOffice is such a steaming pile of crap. Why would someone want such a slow, bloated program? Who decided it would be a good idea to turn on scripting by default? When are they going to make a decent user interface?[1] Well, I think I've figured out a few places where OOo is not like other open source software. Perhaps we could learn some lessons from this.
OSS starts out by "scratching an itch", as the wisdom goes, but OOo did not start that way. It started with StarOffice, proprietary software acquired by Sun and then open sourced. A heartfelt thank you from me to Sun, but unfortunately, open-sourcing the software has not made it better. Instead, I suspect that little pieces here and there have been added to the StarOffice code, until the software became an incongruous quiltwork that did not run smoothly. I mean, Java for some things but not others? No way to insert current date as text? (Have they fixed that in recent versions, by the way?)
Or maybe that wasn't it; instead, perhaps it was the management that dictated the features. "My daughter says MS Word has SuperMacro ScriptEnhance-o-rama," said the manager, "and I told her, OpenOffice will have it, too!"
Or maybe it was (heaven forbid) an actual developer who decided that changing the font on the main text would not change the font within a table?
I mean, it's hard to imagine that they did any sort of usability testing at all. What it does feel like is that they were trying to keep up with Microsoft Office while forgetting about the spirit of OSS.
Can someone offer insight into what happened? Because I wouldn't want that to happen to any other OSS project. (Firefox, are you listening?) Ironically, although I fear that Firefox may be starting to suffer the same feature creep as OOo, I think the best thing for OOo to do now is to take a page from the history of Mozilla: scrap the code. Mozilla did it, and it took over a year, but when they finished, it was a masterpiece that everyone could be proud of.
So, start over. Stay focused. Otherwise, people will migrate over to AbiWord. You know what, better yet, maybe OOo can send some of their developers over to the AbiWord team, and maybe KWord, too.
Aaargh, the amount of wasted talent that goes into OOo.
-----
End notes: s/OpenOffice[^.]/OpenOffice.org/g --you know what I meant.
[1] "Decent user interface": they can start by not having multiple menu options share the same "underlined letter" shortcut.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
And this is different from "M$" Office in what way?
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
I still don't quite understand why the hell somebody would like to use scripts in their office documents, especially if they are so capable. Documents are things people send and read without even thinking about, with no expectation that there can be any harm. Why program must be attached to those, rather than some extensions that is independent of the document, which people can only install when they can be expected to know the possible harm?
The kind of "leaky sandbox" that we're seeing here was virtually unknown in the '80s and '90s. If a macro language had any kind of ability to work outside the codument layout itself, it was either restricted to applications where it was a moot point (if the preprocessor for your compiler could run scripts... so what, the code in between the preprocessor directives could do anything) or it was a mistake and the abaility was removed when it was discovered (as in the case of ghostscript).
In 1997 Microsoft introduced Active Desktp, which included a deliberately "leaky" sandbox... controls and scripts that were on pages considered "trusted" could get anything up to full local-user access. In addition, Microsoft responded to Word macro viruses NOT by restricting the scripting language in Word (as expected) but by putting in checks to disable the ability to even examine macros if a document seemed suspicious. And they still haven't learned their lesson.
What's worse, this practise is spreading. While nobody has extended this model nearly as far as Microsoft, Firefox XPI installation involves having a web page request installation of unrestricted macros, and Apple lets you run software installers automatically if the user has left "Open safe files after downloading" enabled.
This kind of thing HAS to stop.
If you design an "inherently safe" scripting language, on ethat does not provide any hooks from *within* the documentto even requests the ability to modify mor ethan the document itself, then any security holes are bugs and can be patched without inconveniencing users. More powerful tools should always be run or installed from outside the document, explicitly under user control, and preferably from a version of the application that doesn't include a mechanism to access remote documents and is not ever invoked from a browser or mail program... or any other application intended to work with untrusted documents.
This design, which used to be taken for granted (the idea of an email worm that could even potentially be run by just viewing an email message used to be a *joke*... everyone *knew* that nobody would be stupid enough to make the Good Times virus real) is not "clumsy" or "inconvenient". It's more convenient than the environment we're in now where applications are perpetually bringing up "Hey! I'm about to do someting stupid! You wanna let me?" dialogs that people reflexively swear at as they approve the stupid action.
We need to turn this around, folks. Bring back the sandbox, don't even include the commands to write files in the sandboxed versions of the macro interpreter, and stop turning the Internet into some kind of bad science fiction movie where the earthlings infect the alien computer from a Powerbook.
Are you going to clarify that, because I was under the impression that offering the user a Yes/No choice when asking to run something risky was exactly what UAC is.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
was emailed directly to Sophos from the virus developers ... who dutyfully included it in their signature database, so it will be looked for in millions of computers even though it is not in the wild.
.scr file of 16kb before deciding that it is safe (because it not yet had the signature).
meanwhile, our computers get slower and slower. virusscanners eat up lots of resources and become ever slower. I recently noticed clamav takes 13 seconds to scan an infected
wouldn't it be time that antivirus companies slim down the signature lists a bit. of course it is cute to boast a "number of signatures" above 100.000, but who is really getting benefit from the scanning of all those hypothetical viruses?
In any company, there's a whole bunch of departments other than IT.
Those departments don't always fancy calling the IT department when they have an IT requirement - particularly if it doesn't seem that complicated. There is always someone in the department who knows their way around Excel (and possibly Access) better than any of their colleagues. So they cobble something together in some 'orrible mess of VB macros linking who knows what files, referential integrity or scalable design be damned.
Were you to audit any sizeable business for spreadsheets made somehow interactive with scripts and badly designed databases thrown together in Access, I guarantee you'd be amazed and disturbed in equal measure. And you really don't want to start trying to figure out which ones have somehow become critical to the business.
This has been going on for years. Try taking that functionality away today, you might as well suggest replacing their computers with slide rules.
(1) it's a first in the entire product lifetime. Not bad going, consider it a sign that it's becoming mainstream that someone has bothered at all, and it's lab only. How many IN THE WILD infections have we had for Word and Excel so far?
:-).
(2) unlike MS Office, the macro data is clearly documented in the file format (and it's a separate section file in the OO ZIP archive) and you could thus choose to zap that part from a file or, less brutal, that you stand at least a chance of examining what is in it before passing it on to the desktop. Most importantly, you can do such examination without using OO at all. Hell, you could even be perverse and write an examiner in VB
(3) OO isn't just competing on price. There are features in OO that have made me a fan quite a while back. Its word prediction, for instance, is a major efficiency improver if you have to often write documents with complicated or complex names or long terminology. The ability to push out PDF forms from a text document is excellent. The fact that it only has ONE macro language instead of one for each component (VBA for Word VBA for Excel). The fact that presentations export to Flash. The ability to still read Word documents that Word itself crashes on because it FUBARed on formatting (quite a common problem). Etc etc etc. You've not used it long enough IMHO, I'm personally actually getting to a point where Word just doesn't cut it for me anymore. It may look fancy, but it doesn't do the work as well.
(4) worthy of a separate point: an absolute USP IMHO is that OO's interface has not significantly changed over the years. It has always intrigued me that nobody spotted the apparent incongruity between the prevalent feeling that switching to a Linux desktop is too much relearning, yet throwing operators in the deep with a new OS UI AS WELL AS a new Office UI is somehow acceptable. Just imagine how much time could have been saved already if they'd been on OO and were thus not subject to relearning practically everything. That, and the lack for license management is something that impacts TCO downwards..
Insert
Installing applications? I don't need a warning when I'm installing an application. I know that I'm installing an application.
However, I may need a warning that the file that I am opening has a script in in that could be a virus.
Oh, and by the way, have you ever heard of a malicious device driver?
my other sig is also a porsche
Isn't that more of an indication that an operating system does far more than a Word clone?
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
It's not that... PEBKAC.
Clearly you've missed the whole point of UAC. It's designed to let you carry out an action that requires administrative rights, while running under a non-admin account. Ever see that KDE or GNOME root prompt when you open an admin tool? Same thing. If you're installing a driver, it's assumed you are already an administrator and generally know what you're doing, so there's no need for a prompt. If you're running in 32-bits, you get a warning about unsigned drivers. If you're in 64-bits you can't even install unsigned drivers at all.
This is no different than any OS. There are situations where it's assumed you have measure of knowledge and responsibility (ie, a fucking clue) about the task at hand. Peppering you with questions would be downright annoying. Alternatively, you can run under an admin account and never see UAC at all. That's your choice.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
No, the 'default' is to ask you what you want to do.
If you are running under an admin account, it's by choice. Office (and Windows) works perfectly well under non-admin accounts.
This is relevant because...?
Sure. If you're going to admit you're wrong then by all means. If you're going to keep doing the "well M$ is teh worse" logic, then no.
Why don't you just admit you're wrong? Is that so painful?
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
I guess you got it.
boycott slashdot February 10th - 17th check out: altSlashdot.org
[...]
Oh, and by the way, have you ever heard of a malicious device driver? How you never heard of a malicious program? Apparently not. Which is strange, because trust me, there are LOTS of them around in the Windows world. Yes, you know when you're installing an application -- that's the whole point! The prompt is asking you "Have you just double clicked on the installer of a program you wish to install, or have I just popped up seemingly for no reason whilst you were browsing dodgy websites?" If the former, then you click 'allow'; if the latter, you click 'cancel' and go to windowsupdate to download the patch for whatever zero-day Internet Explorer exploit your pr0n website was using to try and install stuff on your computer.
Oh, and regarding malicious device drivers -- Creative's sound card drivers spring to mind
What's purple and commutes? An Abelian grape.
Damn, that's a lot of patents.
What's purple and commutes? An Abelian grape.
Then why does it prompt me EVERY time I open my RSS reader? Including needing a password if I am running in a non-admin user? Why does an RSS reader need admin access?
Malicious device driver? Oh yes, two offhand. Starforce, and Sony's rootkit.
That list sounds quite fine, really.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
I can't think of a scenario where an app like an RSS reader would need admin-type access, so if possible I'd suggest you notify the creators and tell them it breaks in Vista.
What reader is this? Personally I use Google Reader so I'm not familiar with the desktop apps.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
"Installing applications? I don't need a warning when I'm installing an application. I know that I'm installing an application."
Oh wow! A celebrity on Slashdot! Everyone say hello to Dilbert's boss!
"Oh, and by the way, have you ever heard of a malicious device driver?"
They're called rootkits, Jim. Maybe you've heard of them.
Somehow I have a feeling that the joke's gonna be on me: that this guy was just trying to see how dumb people would believe he is, and isn't really that stupid. At least that would preserve my faith in humanity...
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
using restricted-mode execution by default and access by signed digital certificates.
Yeah, similarly on how signed extensions would make firefox safer??
I have yet to se 1 (ONE) signed firefox extension...
Ubuntu is an African word meaning 'I can't configure Debian'
Haven't you learnt already? He's a troll. That's all. Set him as a foe, set foes to -6, and be done with it. It's useless conversing with this guy and his sockpuppet.
The way to be safe(r) from scripts is to require OO.o to check the signature of any script against the sigs of all scripts in a distributed repository. All the scripts' sources are open. People can test them out, and report them to the repo's (distributed) security team. If OO.o doesn't find the sig of a script in the repo, OO.o can submit the script to the repo and warn the user their script is untested before executing it.
This kind of architecture is one way that Debian (and derivatives) is protected by APT from security holes. In fact, Debian would be even better if every install (eg. upgrading "make install") ran this process, including generating a sig for an unknown package, then sending it to the repo(s).
This (auto)registration and testing system leverages the inherent advantage of OSS. Automating the efficiency of the global community using it makes Linux the easiest and safest OS. That's how you conquer the world without getting hurt.
--
make install -not war
RSSOwl http://www.rssowl.org/ I agree that whatever it is doing shouldn't be necessary but I just wish I had a choice between answering the prompt EVERY time I open this, and turn off UAC completely. I can't believe that Microsoft didn't read some of the beta reviews that mentioned that the UAC could be much less annoying if it had mechanism for "whitelisting" an app. Maybe they just couldn't think of a secure way to implement it.
Seriously, I suggest you drop that app, and send an email to the publisher detailing why you did it. I dropped three or four apps myself when I moved to Vista. Either I can live with the hassle because of the value provided by the application, or I can drop it and go somewhere else. That's the only way software vendors will feel the heat.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
I know that, and you know that. I'm here to make sure everyone else does :)
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien