BadBunny? Only if you invite it in

Posted Jun 14, 2007 7:51 UTC (Thu) by eru (subscriber, #2753)
In reply to: BadBunny? Only if you invite it in by beejaybee
Parent article: BadBunny? Only if you invite it in

It is not just about security-ignorant users, but basic usability. I want to be able to read an electronic document sent to me without any risk that simply opening it will do bad things. Is this too much to ask? It is an indication of the sad, sad state of this field that the answer to that appears to be "yes".

To go into another bad real-world analogy, suppose a stationery manufacturer sells paper sheets that otherwise look great, are durable etc., but have the unfortunate tendency to ignite if certain designs are drawn or printed on them. I don't think they would stay long on the market, even if the manufacturer put warnings on the packages about what not to print on them.

BadBunny? Only if you invite it in

Posted Jun 14, 2007 16:38 UTC (Thu) by thoffman (subscriber, #3063)

If I understand correctly from reading the article, I think you can safely read anything that anyone sends you.

Just don't click "OK!" if OO pops up a dialog box asking you if you want to run the macros in the document!

That seems very reasonable for most people.

However, I think there should be a way to easily and completely disable OO macros on a per-user basis. That way, less-experienced users (such as children) who share a computer with more experienced users could safely exchange documents with school mates, etc. without risk, while the "expert" users on the same machine could use OO macros to do the nifty automated things.

But what if one needs to run the macros?

Posted Jun 14, 2007 20:20 UTC (Thu) by eru (subscriber, #2753)

> Just don't click "OK!" if OO pops up a dialog box asking you if you want to run the macros in the document!
>
> That seems very reasonable for most people.

I think it very unsatisfactory. For better or worse, the macros might be essential for fully getting the contents of the document. A related example: an ex-colleague once wrote a surprisingly short PostScript macro that, when run, drew the very complex-looking logo the company used at the time, by observing how it had been put together from replicating some simple elements. A very effective way to compress into about two hundred bytes something that otherwise would take several kilobytes, even in vector form. An office suite macro might do something similar, and I think this is a very reasonable use for them: formatting the contents of the document itself for presentation without mucking about with anything external to the document and the window used to display it. I would like to allow it without questions, and at the same time prevent all potentially malicious uses.

It ought to be possible, provided office suite makers drop the idea that an office suite must be a complete application development environment, and go back to what 99.9% of the users really want to do with them: create and view documents.