OpenOffice.org virus debunked by experts (NewsForge) [LWN.net]

read the press release

Posted Jun 3, 2006 2:16 UTC (Sat) by stevenj (guest, #421) [Link]

They do try to make it harder:

To mitigate against this risk, by default OpenOffice.org detects if a document contains macros, displays a warning, and will only run the macro if the user specifically agrees. This behaviour conforms to industry best practice.

read the press release

Posted Jun 3, 2006 2:56 UTC (Sat) by kingdon (subscriber, #4526) [Link]

Translation: "everyone else has their heads in the sand, so we can too". Sigh. For that dialog to be effective, the user needs to understand what it is asking, and not get in the habit of just saying yes (both pretty big ifs).

People haven't thought through the difference between writing yourself a spreadsheet, and a more networked world in which you might see a document on a web page, might get emailed it, etc. Maybe sandboxing the macro is part of the answer? Maybe a preference to turn off macros (although this won't help much unless it defaults to no-macros)?

read the press release

Posted Jun 3, 2006 3:39 UTC (Sat) by kirkengaard (subscriber, #15022) [Link]

<sarcasm>
I know, how about not running code inside of word-processing documents?
</sarcasm>

let's not stop there

Posted Jun 3, 2006 5:25 UTC (Sat) by JoeBuck (subscriber, #2330) [Link]

Word processor macros harmful? Maybe, but vastly more malware exploits problems with pointers and arrays in the C language, and in C-like C++ code, than exploits word processor flaws. There's at least as strong a case for banning languages that allow buffer overruns and wild pointers as for banning word processor macros.

For the record, I'm not for banning C and C++, I use them. But people who have to process large numbers of documents find macros vital to doing their work efficiently, and the task is to allow them to do so securely, not simply ban the practice.

let's not stop there

Posted Jun 3, 2006 5:48 UTC (Sat) by kirkengaard (subscriber, #15022) [Link]

Maybe it's just me, but there is a big difference between languages that expect you to clean up after yourself, and the bloat of badly-conceived scripting languages embedded into WYSIWYG text editors.

But then, I also use emacs, so maybe I'm just hoisting myself here.

let's not stop there

Posted Jun 3, 2006 6:20 UTC (Sat) by kirkengaard (subscriber, #15022) [Link]

That's where my flip sarcasm gets me in trouble. :)

C/C++ coding errors are accidents that can be exploited on intention. Bugs can be fixed. VBA is designed to do what it does. VBA macros are a feature that can be exploited on intention. And word processors now compete to implement that misfeature intentionally.

I see how useful scripting as a concept is for iterating multiple repetitive tasks; I'm not that much of an idiot. That's like ignoring the benefits of the inclined plane as a tool concept. It's a labor-saving device. But I've never seen a reason why that concept should embed itself in documents. Scriptable editors, OK, to an extent. But my WP should not be a run-time compiler for documents. I read documents, I write documents. I do not need to execute documents. And if you can script your editor, sandbox the editor. Don't open deep hooks for the editor and its scripts into the operating system. We have sane ways to call other applications, interpret, and pipe output.

Okay, so it's a fine line. I'll get off of my soapbox now.

let's not stop there

Posted Jun 3, 2006 9:07 UTC (Sat) by ronaldcole (guest, #1462) [Link]

Feh! What kind of a programmer would create an editor where the command-language isn't Turing-complete? Why, as a young pup beginning my college education I remember writing a vi-clone using only the vi command language! ;)

let's not stop there

Posted Jun 3, 2006 11:49 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

I recommend you to go over the bug reports in vim in the recent year. Once or twice it turned out to be possible for a simple text document to include unlimited macros. Security fixes were then issued to fix the problem.

let's not stop there

Posted Jun 3, 2006 23:11 UTC (Sat) by Ross (subscriber, #4065) [Link]

It's too bad those bugs were created but at least they are implementation flaws which could be fixed, vs. what we see elsewhere which is a design flaw billed as a feature.

let's not stop there

Posted Jun 3, 2006 20:56 UTC (Sat) by Arker (guest, #14205) [Link]

If you use C or C++ you compile to an executable file. Executable files from untrusted sources simply aren't allowed to execute on any sane system, and it takes considerable user intervention to force them to run.

Documents are (or should be) simple data files, with no executable content, which can therefore be viewed freely as they are perfectly safe.

About ten years ago the 'email virus' was merely a persistant urban myth, and anyone with half a clue would start laughing at the mention of them. It's simply not possible for *data* to hurt you, you see...

One of MS' truly important contributions to computing history (not positive, from my point of view, but certainly momentous) was to insistently destroy that line between executables and data, resulting in the plague known as email viruses.

FOSS really should do better than mindlessly copying this trash.

let's not stop there

Posted Jun 4, 2006 10:23 UTC (Sun) by xtifr (subscriber, #143) [Link]

> "One of MS' truly important contributions to computing history (not positive, from my point of view, but certainly momentous) was to insistently destroy that line between executables and data"

Actually, Emacs had the capability to embed arbitrary elisp code in documents long before MS ever tried it. And Emacs solved the potential danger the same way that OOo did--asking the user before executing embedded code.

To make it even more cool, embedded elisp can occur in all sort of documents; not just "emacs files" (there is no such beast). I've seen embedded elisp in C source, in changelogs, in TeX files, in perl code, in plain-text files....

let's not stop there

Posted Jun 5, 2006 1:00 UTC (Mon) by gdt (subscriber, #6284) [Link]

Not quite. Emacs will allow the setting of arbitrary buffer-local variables, and the value set is a literal, not evaluated. Even so, that proved to be too open to misuse. The lesson from Emacs is that even Java-like sandboxes may not provide adequate protection.

What concerns me much more is the attitude of the OOo developers. The overly-powerful programming language in Microsoft Word has proven to be a source of pain for millions of users, but they seem keen to walk the same path.

The press release states:

"To mitigate against this risk, by default OpenOffice.org detects if a document contains macros, displays a warning, and will only run the macro if the user specifically agrees. This behaviour conforms to industry best practice."

which is tosh on any number of levels. Firstly, the warning doesn't say "Shall this macro virus infect your computer, make your Internet bill huge, and give control of your computer to a criminal gang in Country X. [No] [Yes]". It's too vague and innocuous.

Secondly, "industry best practice" is for programs not to trust data from other parties. Even Microsoft's braindead security model for ActiveX included applet signing.

It's also not clear to me that the pain is worth it. One of the major points of using XML in OpenDocument is to give an alternative model to macro languages for creating 'interactive' documents. So what's a macro language which has more power than keystroke record/playback doing in OOo in the first place?

let's not stop there

Posted Jun 5, 2006 9:49 UTC (Mon) by nix (subscriber, #2304) [Link]

Emacs has the 'eval:' buffer-local 'variable', which is evaluated.

(By default, this shows you the code that will be run and asks if you want to run it. The 'shows you the code' is the crucial bit which OOo omits.)

code in documents

Posted Jun 3, 2006 10:56 UTC (Sat) by man_ls (subscriber, #15091) [Link]

I know, how about not running code inside of word-processing documents?

This is a hard one. When a Word document takes a piece of data from an Excel sheet on the intranet, my boss says "Neat!". I of course cry: "Abomination!" Same when an Excel sheet used to compute travel expenses displays a button that says "Print expenses". Is the File menu that far away?

So, are VB macros a desired feature? Regular users (and management) seem to require them. The net result IMHO is that inserting the document title into the document header becomes an overly complex task. And my boss would not be able to program a Word macro anyway. Meanwhile, you are conceding control of the machine to the first document that comes along, so viruses become possible. And those are definitely not desired features, so I (and probably most LWN readers) would vote against them. Sadly, we tend to be in the minority here.

code in documents

Posted Jun 3, 2006 17:43 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

This still does not demonstrate the need for macros that execute on document open.

This also could be implemented by a separate macros library where macro actions that you add sit. You have your own library and your company's library, and whatever.

code in documents

Posted Jun 4, 2006 15:55 UTC (Sun) by man_ls (subscriber, #15091) [Link]

Too much complication for a boss-level user. Export macro - distribute macro - import macro. They would want things to just work with the distributed document. Silly, I know, but I'm not the one requesting the feature.

code in documents

Posted Jun 5, 2006 5:10 UTC (Mon) by tzafrir (subscriber, #11501) [Link]

When was the last time your boss wrote a macro?

Writing a macro is complicated. If it's simple to embed it in a document, it should e just as simple to add a macro to the local macros library. You can also generate and distribute macro libraries. Those are not documents and should not be.

Furthermore, what happens when you want to use the same macro in two dicuments?

If there wasn't such a bad history of code/data mixture in general and macro viruses specifically I could let you off the hook. But this specific misfeture has already proven its worth in the wild.

code in documents

Posted Jun 5, 2006 12:30 UTC (Mon) by Wol (guest, #4433) [Link]

Exactly.

Look at PerfectScript for an example.

WordPerfect had a very capable and powerful scripting language. What it did NOT have was any virus trouble.

I remember the tongue-in-cheek fake announces when Corel added VBA to WordPerfect - 'WordPerfect can now run viruses just like Word' :-)

WordPerfect is STILL immune to viruses, just as long as you don't activate VBA.

Cheers,
Wol

code in documents

Posted Jun 8, 2006 20:39 UTC (Thu) by kh (subscriber, #19413) [Link]

I agree. It is the same issue but even worse with email. Please take the javascript engines out of email readers, and modify the html rendering engine to specify the server name in square brackets for all html links.

read the press release

Posted Jun 3, 2006 5:18 UTC (Sat) by Ross (subscriber, #4065) [Link]

Great because "industry practice" has worked so well for others...

OpenOffice.org virus debunked by experts (NewsForge)

Posted Jun 3, 2006 6:23 UTC (Sat) by mepr (guest, #4819) [Link]

> This 'proof of concept' man is not new information, and does not require a
> software patch."

We can build him faster, stronger. We have the technology.

http://en.wikipedia.org/wiki/Plural_of_virus

Viri is not a word. Forgive me for being a nazi. :-D

OpenOffice.org virus debunked by experts (NewsForge)

Posted Jun 3, 2006 12:22 UTC (Sat) by BradReed (subscriber, #5917) [Link]

Actually, according to the page you link to, viri is the plural of vir.

So, apparently it is a word. :-D

OpenOffice.org virus debunked by experts (NewsForge)

Posted Jun 3, 2006 15:57 UTC (Sat) by mepr (guest, #4819) [Link]

Of course. You are correct. Viri is the plural of "man". So the original quote makes perfect sense:

> "Men are a known risk with any capable operating system. These 'proof of
> concept' people ... do not require a software patch."

Everyone knows that the Problem Exists Between Keyboard and Chair (PEBKAC).
And some have gone so far as to state without proof that there isn't a patch for human stupidity.

Mark

whose problem?

Posted Jun 4, 2006 16:58 UTC (Sun) by gvy (guest, #11981) [Link]

Oh, if you have your patch vendor suplpying these, could you lend me a couple? One for myself and another just in case.

PS: should I mention in this highly philosophical phlakdot-like phread that silicium can't be wrong simply because humanum errare est?.. (and there's a lot of keyboards and chairs out there)

OpenOffice.org virus debunked by experts (NewsForge)

Posted Jun 3, 2006 18:49 UTC (Sat) by RobSeace (subscriber, #4435) [Link]

Neither is "boxen" a word, or "Vaxen", or "Unices", or etc... We all know
that... We still use the words anyway... It's called humorous jargon...
Please lighten up... ;-)

At the very least...

Posted Jun 4, 2006 13:19 UTC (Sun) by philips (guest, #937) [Link]

I have to agree. There is only marginal number of productivity suits users who do in fact program in the scripting languages.

I think industry messed up two things - or just copied the mistakes from M$. First thing is "macro recording". It's harmless, since the macro isn't part of document. I use that feature e.g. in VIM all the time.

Second thing is making "interactive documents" which can help user with some routine tasks. That one has to be very very very very optional and disabled with seven warning by default. Best of all it must be separate product.

The main problem with OOo here is that the devels do mimic M$O too much. Since they have barely seen anything else, so they cannot imaging any solution to the problem.

In theory...

Posted Jun 4, 2006 17:00 UTC (Sun) by gvy (guest, #11981) [Link]

...theory and practice are the same; in practice, they differ significantly.
Alas :-(

> Since they have barely seen anything else
It's very risky assumption over a fair number of people you /probably/ just never met at all.

In theory...

Posted Jun 6, 2006 9:00 UTC (Tue) by philips (guest, #937) [Link]

> theory and practice are the same;
> in practice, they differ significantly.

;-)

That's precisely why I alway tell junior programmers to separate things not by function but by purpose (consequently requirements). If purposes of two applications are different, sooner or later they would diverge to the point of (complete) incompatibility. And reverse is also true: things designed for same purpose (after same requirements) tends to be similar.

Here we have problem a-la infamous "ActiveX container called Internet Explorer". Locally invoked ActiveX can be useful - almost as useful as Unix' pipeline. Remotely invoked ActiveX is the hell M$ had broke upon itself. Function is same. Purpose as well as requirements are different.

>> Since they have barely seen anything else
> It's very risky assumption

The impression I have after reading OOo forums for about 3 months.

At the very least...

Posted Jun 8, 2006 19:58 UTC (Thu) by filipjoelsson (subscriber, #2622) [Link]

Funny, "interactive documents" are what I would call a spreadsheet. I kinda expect to have some cells fill in automatically based on what I write in the first cells. If macros were just a way of mixing spreadsheet features with ordinary text documents, and perhaps add some glitz in the form of buttons, dialogues, etc - then everything would be just fine. I can even understand why a PHB is impressed if Word mails the resulting document automatically when he is done filling it in.

The thing that should be walled in by seven warnings IMHO, is when the scripting language is reaching outside the current document. So, instead of having a completely free scripting language - it ought to only be able to reach outside the document by user confirmation. If the PHB sees a preview of the email content, and is asked to confirm that he wants to send it to x@yzzycorp.com - the risque of macro virii is greatly diminished. (And the ones that spreads through the human stupidity vector will never, ever, be abolished.)

So, why is it that office suite authors thinks I want the ability to have my home-dir deleted by a document from my boss? When was it ever regarded as a feature?

OpenOffice.org virus debunked by experts (NewsForge)

Posted Jun 5, 2006 12:42 UTC (Mon) by ledow (guest, #11753) [Link]

As others have stated, macro languages have their uses but where, in any document, at any time, do you ever really *need* to play about (i.e. write)with other files? And if you do, why on Earth are you not using something DESIGNED for the job, not bolted on to a word processor. People now have to assume that Word + WordBASIC is a full development environment with full programming capabilities because it has commands that can do dangerous things (remove files, add data to files, execute ActiveX controls etc.). Even I can remember writing a Word macro to bypass my schools Windows 3.1 network and allow me to run programs I wouldn't normally be able to. That was nearly 15 years ago and we're still making the same mistakes. Why couldn't a macro just be limited to a safe subset of commands? Anything else is a job for a real language, with real programmers taking care over what they do, removing user-error and making sure that any auto-execution of such code is carefully controlled.

You want to automate a mail-merge? You don't need powerful macros. You want to create customised forms with internet-feedback? You still don't need powerful macros. But if you're going to be playing about with people's abitrary files, removing them, adding data to them, loading ActiveX controls, you're using the wrong tool for the job.

Word macros also cause nothing but problems for system administrators. More and more programs are using them to achieve their ends (I work in a primary school and can cite RM Talking First Word and Nelson Handwriting Font as two wonderful examples of bad programming - the latter is just a font and a Word template but DEMANDS full macro access, which we can't expect the kids to click Yes/No to every time [we are hoping the kids will then STOP and ASK if something DOES pop up - it works too], and for which there is no secure certificate/signature, thus DEMANDING that all macros are enabled site-wide. For a program that lets you type in text and have it appear in a curly-handwritten font! Let's just say that the time-to-bin was remarkably short with that one).

Word macros allow all sorts of bypasses on which programs people can run, what they can do with them, effecively provided a "Run" dialog inside a standard piece of office software. Why? If you want to automate office tasks, you should be using some external "office macro" program, that is associated with a particular mime filetype, bundled with the office suite. You should NOT be integrating them into documents.

The major indicators of a virus are, IMO:

1) Something that replicates without direct human assistance to other machines.
2) Something that does damage (including infecting other files).

Why do macro capabilities require anything that allows a program running in such an environment to transfer itself somewhere else, such as to other local documents, network locations etc.? A macro should not be writing macros into other files, damaging existing files, stripping email addresses etc. Surely a macro that DOES interfere with other files should be intercepted and have warnings posted anyway (most macros I've seen in my use of Word/Excel are for things like print buttons, automated calculations, moving to extra sheets conveniently, fitting in strange fonts with correct ligatures etc.)?

"The macros within this document are trying to save data to /path/filename. Allow Y/N/All?"

But the vital point is that macros don't need to have integration capabilities with the operating system to be useful - a small subset of formulae and facilities that, by their own quantity, limit the scope of what's possible in a document is sufficient.

OpenOffice should not be following the crowd on this one. We all know that everyone clicks Yes (hence popups, spyware, macro viruses, email spam, IM spam, phishing scams and lots of other nasties) so we should take out the possibility of them saying yes to something dangerous without REALLY, REALLY being certain of the consequences. This means that anything REMOTELY dangerous should not be included in a macro language that's going to be bundled in a Word processor. Most people don't even know what a macro IS, let alone what it's capable of if you click Yes.

Cut the macro language down to non-damaging statements only. You can allow automatic execution of any document that DOES NOT contain a single damaging command (though you should still keep up with updates just in case someone finds a hole somewhere). Damaging statements (if included at all) should present LARGE, obnoxious red warnings to tell you that, should you click yes, your computer is in the hands of the programmer of that document. Make them annoying as hell, log their actions ("You got a virus? Ah, yes, you clicked yes to this emailled .DOC file, didn't you? We'll put the cleanup cost on your department budget"), do everything to make sure that the user gets annoyed and them and complains to the author for not doing it safely. Macros should ALWAYS be signed by something approaching a PGP key (if not, they should never execute). All documents so signed will only be executed if they match a "safelist" of specific signatures for documents (i.e. the IT department's PGP key). Anything else should be denied/deleted.

"Legacy" document macros should be phased out or people will JUST KEEP USING THEM and, in fact, produce more and more dangerous facilities into their macro languages. We soon learned (as if we didn't all know) that .exe attachments are dangerous. Autorun on removeable devices is a silly idea that other operating systems are deliberately not following. We all learned that opening macro documents from untrusted users is stupid. When are we going to learn that if the capability isn't there, peple can't use it?

Stop people being required, asked, prompted, encouraged or even able to execute abitrary code in their day-to-day tasks.